Forum Discussion
MFA Options for Employees without Phones
Windows Hello for Business (WHfB) is not designed to replace the initial proof-up step for MFA enrollment. Microsoft treats WHfB as a strong authentication method, but users usually need to register an MFA/security method first (depending on your tenant policies and registration campaigns). So yes — what you saw is expected in many environments.
Short answer
No, you generally shouldn’t try to “circumvent” MFA requirements for WHfB. Instead, use alternative authentication methods for employees who cannot use phones.
Best options for users without phones
1. FIDO2 Security Keys (Best fit)
Highly recommended for desk workers / frontline staff without phones.
Examples:
- YubiKey
- Feitian
- Token2
Benefits:
- No personal phone required
- Strong phishing-resistant MFA
- Works with Microsoft Entra ID
- Can also support passwordless sign-in
Use cases:
- Shared PCs
- Factory / warehouse / kiosk users
- Users prohibited from personal device use
2. Temporary Access Pass (TAP) for onboarding
Use Temporary Access Pass in Microsoft Entra ID to bootstrap registration.
Flow:
- Admin creates TAP
- User signs in with TAP
- Registers WHfB or FIDO2 key
- Continues with strong auth after that
This is one of the best ways to deploy WHfB without mobile dependency.
3. Smart Cards / Certificate-based auth
If your organization already has PKI/smart cards, this can work well, but it is more complex.
4. Hardware OATH Tokens
Less ideal than FIDO2, but possible.
About Windows Hello for Business
WHfB uses:
- PIN bound to device
- Biometrics
- TPM-backed credentials
It is strong auth, but enrollment often still needs an existing secure method or TAP.
Recommended Modern Approach (Your Scenario)
Since you already introduced Intune:
For office users:
- WHfB + TAP bootstrap
For no-phone workers:
- FIDO2 keys
For privileged admins:
- FIDO2 + Conditional Access
Important Note
If users are “not allowed to use personal phones,” avoid forcing Microsoft Authenticator on private devices. That often creates HR/privacy friction.
My Architect Recommendation
For 10% without phones:
- Buy FIDO2 keys for those users only
- Enable TAP for onboarding
- Roll out WHfB for managed Windows devices
- Use Authentication Methods Policy in Entra ID
If you tell me:
- Microsoft 365 licensing (Business Premium / E3 / E5?)
- Hybrid AD or cloud only?
- Shared PCs or dedicated laptops?
…I can design the best real-world MFA architecture for your company.
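As an added illustration of the TAP bootstrap flow and the "verify the user's registered methods" step from the answer above (this is not code from the post or from Microsoft; it is an example written for this thread), the following Microsoft Graph PowerShell script issues a one-time Temporary Access Pass for a user and then checks whether a strong method (Windows Hello for Business or a FIDO2 key) is actually registered afterwards. It assumes the Microsoft.Graph modules are installed, the signed-in admin can manage authentication methods, TAP is already enabled in the tenant's Authentication Methods Policy for that user, and `$upn` is a placeholder rather than a real account.

```powershell
# Added example, not from the forum post or Microsoft documentation.
# Assumes: Microsoft.Graph modules installed, an admin with rights to manage
# authentication methods, and TAP enabled in the Authentication Methods Policy
# for the target user.

# Scope that covers both creating a TAP and listing registered methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Placeholder UPN (constructed for this example, not a real account).
$upn = "worker@contoso.example"

# Step 1: admin creates the TAP. One-time use plus a short lifetime keeps
# the window small if the pass is written down or intercepted.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 60 `
    -IsUsableOnce

# The plaintext pass is only returned at creation time. Hand it to the user
# out of band (for example in person at onboarding); do not log or e-mail it.
Write-Host "TAP for $upn, valid for $($tap.LifetimeInMinutes) minutes, single use:"
Write-Host $tap.TemporaryAccessPass

# Step 2 and 3 happen on the user's side: sign in with the TAP, then set up
# Windows Hello for Business or a FIDO2 key.

# Step 4: confirm a strong method is really registered before treating the
# user as fully enrolled. Each method exposes its type via @odata.type.
$methods = Get-MgUserAuthenticationMethod -UserId $upn
foreach ($m in $methods) {
    $type = $m.AdditionalProperties['@odata.type']
    Write-Host ("{0,-64} {1}" -f $type, $m.Id)
}

$strongTypes = @(
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod'
)
$strong = $methods | Where-Object {
    $strongTypes -contains $_.AdditionalProperties['@odata.type']
}
if (-not $strong) {
    Write-Warning "$upn has no WHfB or FIDO2 method registered yet; enrollment is not complete."
}

# Housekeeping: a TAP that is still listed after enrollment has finished can
# be removed so it cannot be used again.
$leftoverTap = $methods | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
}
foreach ($t in $leftoverTap) {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
        -TemporaryAccessPassAuthenticationMethodId $t.Id
}
```

Run the first half at onboarding and the second half once the user reports that Windows Hello or the key is set up; the warning is the check that tells you whether the TAP bootstrap actually resulted in a strong method, rather than assuming it from the fact that the TAP sign-in succeeded.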
Hello Luca,
Thanks for the thorough answer. Just to clarify again: there are 10-20% of people who HAVE a work phone. So most employees are without it.
I've tried using TAP to enroll into Windows Hello, which worked fine, but then I couldn't log in with the specified PIN. It showed me an error such as:
To get it to work, I had to log in to the account via password and then change the PIN manually in the Windows Hello settings, which is obviously less than ideal.
If possible we would like to avoid using any hardware tokens or a FIDO2 key.
1. Right now, we have around 30% Business Premium and the rest on Business Standard, with the plan to shift everyone to Business Premium.
2. We're in a hybrid AD setup.
3. Every user has their own device.