Forum Discussion

FabianUni
Copper Contributor
Apr 15, 2026

MFA Options for Employees without Phones

Hello everybody,

We're currently trying to implement MFA in our company, but approximately 1/10 of our employees have a work phone and are not allowed to use their personal phone.

Since we also recently introduced Intune, the idea was to just use Windows Hello for Business, but when trying to provision it, we realized that you need to have MFA active on an account to even be able to activate it? Which kind of defeats the purpose.

So my question is, is there some way to circumvent the MFA requirement for WHfB? Or what other options do we realistically have?

Thanks in advance!

2 Replies

  • Windows Hello for Business (WHfB) is not designed to replace the initial proof-up step for MFA enrollment. Microsoft treats WHfB as a strong authentication method, but users usually need to register an MFA/security method first (depending on your tenant policies and registration campaigns). So yes — what you saw is expected in many environments.

    Short answer

    No, you generally shouldn’t try to “circumvent” MFA requirements for WHfB. Instead, use alternative authentication methods for employees who cannot use phones.

    Best options for users without phones

    1. FIDO2 Security Keys (Best fit)

    Highly recommended for desk workers / frontline staff without phones.

    Examples:

    • YubiKey
    • Feitian
    • Token2

    Benefits:

    • No personal phone required
    • Strong phishing-resistant MFA
    • Works with Microsoft Entra ID
    • Can also support passwordless sign-in

    Use cases:

    • Shared PCs
    • Factory / warehouse / kiosk users
    • Users prohibited from personal device use

    2. Temporary Access Pass (TAP) for onboarding

    Use Temporary Access Pass in Microsoft Entra ID to bootstrap registration.

    Flow:

    1. Admin creates TAP
    2. User signs in with TAP
    3. Registers WHfB or FIDO2 key
    4. Continues with strong auth after that

    This is one of the best ways to deploy WHfB without mobile dependency.

    3. Smart Cards / Certificate-based auth

    If your organization already has PKI/smart cards, this can work well, but it is more complex.

    4. Hardware OATH Tokens

    Less ideal than FIDO2, but possible.

    About Windows Hello for Business

    WHfB uses:

    • PIN bound to device
    • Biometrics
    • TPM-backed credentials

    It is strong auth, but enrollment often still needs an existing secure method or TAP.

    Recommended Modern Approach (Your Scenario)

    Since you already introduced Intune:

    For office users:

    • WHfB + TAP bootstrap

    For no-phone workers:

    • FIDO2 keys

    For privileged admins:

    • FIDO2 + Conditional Access

    Important Note

    If users are “not allowed to use personal phones,” avoid forcing Microsoft Authenticator on private devices. That often creates HR/privacy friction.

    My Architect Recommendation

    For 10% without phones:

    • Buy FIDO2 keys for those users only
    • Enable TAP for onboarding
    • Roll out WHfB for managed Windows devices
    • Use Authentication Methods Policy in Entra ID

    If you tell me:

    1. Microsoft 365 licensing (Business Premium / E3 / E5?)
    2. Hybrid AD or cloud only?
    3. Shared PCs or dedicated laptops?

    …I can design the best real-world MFA architecture for your company.
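One way to carry out the TAP bootstrap flow (steps 1 to 4 above) together with the Authentication Methods Policy step from the reply, written as an added example for this thread rather than code from the original post. It uses the Microsoft Graph PowerShell SDK; the UPN, the pilot group id, the lifetimes and the role prerequisites in the comments are placeholders and assumptions, not values from the page.

```powershell
# Added example (not from the thread): bootstrap Windows Hello for Business
# registration with a Temporary Access Pass (TAP) via Microsoft Graph PowerShell.
# Assumptions not stated on the page: the Microsoft.Graph module is installed,
# the signed-in admin holds a role permitted to edit the auth methods policy and
# to issue TAPs (Authentication Policy Administrator / Privileged Authentication
# Administrator), and the UPN and group id below are replaced with real values.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.AuthenticationMethod edits the tenant policy;
# UserAuthenticationMethod.ReadWrite.All issues and removes a user's TAP.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

# 1. Enable TAP in the Authentication Methods Policy, scoped to a pilot group
#    (assumed placeholder id) rather than all_users, with short lifetimes so a
#    pass that is never used expires quickly.
$tapConfig = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    defaultLength            = 12
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $false
    includeTargets           = @(
        @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter $tapConfig

# 2. Issue a one-time TAP for the onboarding user. -IsUsableOnce burns the pass
#    on the first successful sign-in, so a pass that leaks after use is worthless.
$upn = "new.hire@contoso.example"   # assumed placeholder UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 60 -IsUsableOnce

Write-Host "Hand this to the user out of band (not by e-mail):" $tap.TemporaryAccessPass
Write-Host "Valid from" $tap.StartDateTime "for" $tap.LifetimeInMinutes "minutes"

# 3. After the user signs in with the TAP and completes WHfB provisioning,
#    confirm a WHfB key is actually registered before closing the ticket.
$whfb = Get-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $upn
if ($whfb) {
    $whfb | Select-Object DisplayName, KeyStrength, CreatedDateTime | Format-Table
} else {
    Write-Warning "No WHfB credential registered for $upn yet."
}

# 4. Clean-up: remove any TAP still attached to the account once registration
#    is done, so no bootstrap credential outlives the step it was issued for.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
        -TemporaryAccessPassAuthenticationMethodId $_.Id
}
```

The same TAP issued in step 2 also serves as the bootstrap for registering a FIDO2 key, which is why the reply treats TAP as the phone-free onboarding path for both methods. Keep the pilot group narrow and the lifetime short: a TAP is a full first-factor credential for its lifetime, so it should be delivered in person or over a verified channel, never written into the onboarding e-mail.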

    • FabianUni
      Copper Contributor

      Hello Luca,

      Thanks for the thorough answer. Just to clarify again: there's 10-20% of people who HAVE a work phone. So most employees are without it.

      I've tried using TAP to enroll into Windows Hello, which worked fine, but then I couldn't log in with the specified PIN. It showed me an error such as:

      To get it to work, I had to log in to the account via password and then change the PIN manually in the Windows Hello settings, which is obviously less than ideal.

      If possible, we would like to avoid using any hardware tokens or a FIDO2 key.

      1. Right now, we have around 30% Business Premium and the rest on Business Standard, with the plan to shift everyone to Business Premium.

      2. We're in a hybrid AD setup.

      3. Every user has their own device.