Windows IT Pro Blog
Windows passwordless experience expands

Sayali_Kale
Microsoft
Oct 23, 2023

The future is passwordless. Microsoft has an ongoing commitment with other industry leaders to enable a world without passwords. Today, we are excited to announce an improved Windows passwordless experience to organizations starting with the September 2023 update for Windows 11, version 22H2.

Passwords are inherently insecure, inconvenient, and a prime target for attacks. In 2022, Microsoft tracked 1,287 password attacks every second. In the last 12 months, we saw an average of more than 4,000 password attacks per second[1].

Microsoft paved the way for Microsoft Accounts (MSA) in the consumer space with fully passwordless accounts so you no longer need a password in the MSA identity directory. We are now laying the groundwork for more passwordless phish-resistant credentials for commercial organizations.

Phish-resistant credentials like Windows Hello for Business or FIDO2 security keys are both passwordless solutions and can protect user identities by removing the need to use passwords from day one. Commercial organizations can now set the EnablePasswordlessExperience MDM policy from Intune or another MDM to enable a fully passwordless user experience on Microsoft Entra ID joined machines.

Once the policy is set, it removes passwords from the user experience, both for device sign-in as well as in-session auth scenarios like password managers in a web browser, “Run as” admin scenarios, and User Account Control (UAC). Users will need to use Windows Hello for authentication in place of a password. If the user fails to sign in, recovery mechanisms such as PIN reset or Web sign-in can be used to help the user recover their credentials without IT helpdesk engagement.

Enable a Windows passwordless experience with Intune:

To configure devices using Microsoft Intune, create a Settings catalog policy and use the following settings:

  • Category: Authentication
  • Setting name: Enable Passwordless Experience
  • Value: Enabled

Alternatively, you can configure devices using a custom policy with the Policy CSP.

  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
  • Data type: int
  • Value: 1
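If you would rather script the custom-policy route above than click through Intune, the following is an added example (not Microsoft's code and not from the post) that creates the same custom configuration profile with the Microsoft Graph PowerShell SDK, assigns it to a group, and gives you a client-side check. The group object id is a placeholder you supply; the registry path read by the verification function is an assumption based on the usual PolicyManager layout for Policy CSP values, not something the post documents.

```powershell
# Added example (not from the Microsoft post): push the
# Authentication/EnablePasswordlessExperience policy via Microsoft Graph and
# verify that a client received it.
# Requires: Install-Module Microsoft.Graph.DeviceManagement
# Assumptions are marked inline: the target group id is a placeholder supplied by
# the caller, and the registry location used for verification follows the usual
# PolicyManager layout for Policy CSP values (not documented in the post).

$OmaUri = './Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience'

function New-PasswordlessExperiencePolicy {
    param(
        # Entra ID group (object id) that should receive the profile; placeholder value expected
        [Parameter(Mandatory)] [string] $GroupId,
        [string] $DisplayName = 'Windows passwordless experience'
    )

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

    # Same settings as the custom policy in the post, expressed as a Graph body:
    # a windows10CustomConfiguration carrying one integer OMA setting with value 1.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Sets Authentication/EnablePasswordlessExperience = 1 (Windows 11 22H2, September 2023 update or later)'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'EnablePasswordlessExperience'
                omaUri        = $OmaUri
                value         = 1
            }
        )
    }

    $config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $body

    # Assign the profile to the group; a profile with no assignment is never delivered.
    $assignment = @{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId
        }
    }
    New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $config.Id -BodyParameter $assignment | Out-Null

    return $config
}

function Test-PasswordlessExperienceApplied {
    # Run on the Entra ID joined client after a policy sync.
    # Assumption: Policy CSP values land under
    # HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Name>;
    # adjust the path if your build stores it elsewhere.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $value = (Get-ItemProperty -Path $key -Name 'EnablePasswordlessExperience' -ErrorAction SilentlyContinue).EnablePasswordlessExperience
    [pscustomobject]@{
        Device   = $env:COMPUTERNAME
        Applied  = ($value -eq 1)   # $true only when the policy value is exactly 1
        RawValue = $value           # $null when the policy has not arrived
    }
}

# Usage (tenant side): New-PasswordlessExperiencePolicy -GroupId '<placeholder-group-object-id>'
# Usage (device side): Test-PasswordlessExperienceApplied
```

Scope the assignment to a pilot group first: once the value is 1, the password tile disappears from the lock screen and from UAC and "Run as" prompts for every user of the device, so confirm that Windows Hello for Business enrollment and a PIN reset or Web sign-in recovery path are already working for those users before widening the assignment.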

Lock screen experience

When the EnablePasswordlessExperience is turned on, the user will not see a password option on the Windows lock screen.

Screenshot of the Windows lock screen with the passwordless experience turned off. The sign-in options displayed include password, security key, PIN, Windows Hello, and fingerprint.

Screenshot of the Windows lock screen with the passwordless experience turned on. The sign-in options displayed include security key, PIN, Windows Hello, and fingerprint.

A password option will also not be visible on the Accounts settings under Sign-in options.

Screenshot of the Sign-in options available for a Windows user named Amanda Brady. Facial recognition, fingerprint recognition, PIN, and security key are shown. The password option is hidden.

We are also pleased to share that we released a new web sign-in experience with the September 2023 update for Windows 11, version 22H2. The new experience is more secure, reliable, and performant—and is now available for all Microsoft Entra ID authentication methods. For more information, see Web sign-in for Windows.

This will help organizations and users gradually move away from passwords in the future. Ready to explore this new Windows passwordless experience? Have more questions? See our documentation on the Windows passwordless experience on Microsoft Learn.

To provide feedback on the Windows passwordless experience, open Feedback Hub and use the category Security and Privacy > Passwordless experience.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.


[1] Source: Microsoft Entra ID authentication methods

Updated Oct 23, 2023
Version 1.0

34 Comments

  • Sayali_Kale 

    Once the policy is set, it removes passwords from the user experience, both for device sign-in as well as in-session auth scenarios like password managers in a web browser, “Run as” admin scenarios, and User Account Control (UAC)

     

    When a user doesn't have local admin permissions on his machine, how are service desk employees able to help these users when admin permissions are needed, when the password option is also removed in UAC?


    Vijay_kumar89
    Copper Contributor

    Looks really promising. The only problem that I see is when I am running any app as admin and LAPS is configured: then it is asking for the LAPS password by default on the UAC prompt, which can confuse a lot of users. Let us know if there is any way to disable LAPS username/password during the UAC prompt or any way to set it as the last option in the UAC prompt chain.

     

    Another thing:

    if I open this link --> https://aka.ms/FeedbackHub --> I am getting a blank page.

  • Would it be possible to disable PIN as an authentication option at the lock screen? We feel that PIN is too easily shoulder surfed, but the current workaround of having 2FA for Hello (PIN + Biometric) is a bit cumbersome. This currently isn't an option.

    pbirster
    Copper Contributor

    This is great news toward a real passwordless experience in the enterprise. On a side note, are there any plans on removing the possibility of using passwords when clicking on "Other user"?

     

    Regards,