Configuring FIDO2 Security Keys for Passwordless Windows Sign-In

Vincent Keung Koh 0 Reputation points
2026-07-02T04:51:09.41+00:00

Hi, I want to move to a completely passwordless login flow where users simply insert their physical YubiKey into their laptop USB port, type a key PIN, and touch the flashing sensor to log into Windows.

What settings must be enabled in Entra ID and Windows to allow FIDO2 security keys at the login screen?

Tqsm

Windows for business | Windows 365 Business

1 answer

  1. HLBui 8,450 Reputation points Independent Advisor
    2026-07-02T05:36:39.3633333+00:00

    Hi Vincent

    To get a true passwordless login with YubiKeys, you’ll need to enable FIDO2 security keys in your Entra ID tenant first. In the Entra portal, go to Security > Authentication methods and turn on FIDO2 security keys for the users or groups you want. Make sure you configure the “Allow self‑service setup” option so users can register their YubiKeys themselves. On the Windows side, you’ll need to enable Windows Hello for Business in Intune or Group Policy, and set it to allow FIDO2 keys at the login screen. Once that’s in place, users can insert their YubiKey, type their PIN, and tap the sensor to sign in no password required.

    Best practice is to pilot this with a small group first, confirm the login flow works smoothly, and then expand to the rest of your organization. Also, make sure your devices are Azure AD joined or hybrid joined, since FIDO2 login requires that trust relationship.

    If this explanation helps you move forward with setting up passwordless login, please hit accept answer.

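A device-side readiness check for the two prerequisites named in the answer above (join state and the security key sign-in policy), added here as an example and not part of the original answer. The function names are hypothetical, and the registry locations are assumptions about where the Intune/CSP setting and the "Turn on security key sign-in" Group Policy are recorded; confirm them on your Windows build.

```powershell
# Added example. Assumed registry locations for the security key sign-in setting.
$SecurityKeyPolicy = @(
    @{ Source = 'Intune/CSP'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
       Name   = 'UseSecurityKeyForSignin' },
    @{ Source = 'Group Policy'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
       Name   = 'EnableFIDODeviceLogon' }
)

function Get-JoinState {
    # Parses the join flags out of `dsregcmd /status` output lines.
    param([string[]]$DsregOutput)
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $state
}

function Test-SecurityKeySignInReadiness {
    # Defaults to the live device; pass captured output to test off-device.
    param([string[]]$DsregOutput = (dsregcmd.exe /status))
    $join = Get-JoinState -DsregOutput $DsregOutput
    $joinType = if ($join.AzureAdJoined -and $join.DomainJoined) {
        'Hybrid joined'
    } elseif ($join.AzureAdJoined) {
        'Entra joined'
    } else {
        'Not joined to Entra ID'
    }
    # Collect every source that has the sign-in setting switched on (value 1).
    $enabledBy = foreach ($p in $SecurityKeyPolicy) {
        $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($p.Name) -eq 1) { $p.Source }
    }
    [pscustomobject]@{
        JoinType          = $joinType
        SecurityKeyPolicy = if ($enabledBy) { $enabledBy -join ', ' } else { 'Not set' }
        Ready             = $join.AzureAdJoined -and [bool]$enabledBy
    }
}

# Constructed sample of the relevant dsregcmd lines, for a dry run of the parser:
$sample = '             AzureAdJoined : YES', '              DomainJoined : NO'
Get-JoinState -DsregOutput $sample
```

Run `Test-SecurityKeySignInReadiness` in an elevated session on a pilot device; a `Ready` value of `False` with `SecurityKeyPolicy` showing `Not set` means the tenant-side FIDO2 method may be enabled but the key will not be offered at the Windows sign-in screen.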
