I see that we could enable Windows Hello for Business for company-owned, Hybrid AD Joined Windows 10 devices with would allow users to log into their PC with PIN, face or fingerprint and then get SSO into Office 365 apps as well as local AD resources (network shared drives, printers etc..).

However, what about contractors (with  hybrid  AD user accounts in our domain and Office 365 tenant) using their own laptops both on the corporate office network and remotely?  These laptops will be managed by their employer, so we cannot manage them with Intune or any other MDM since their employer is already managing them.

We will provide them with third party MFA such as Duo Security for the Hybrid AD tenant using ADFS.  So, we want these users to be able to access the resources using MFA and some kind of passwordless authentication rather than type in their AD password.

Since they can't use Windows Hello For Business with our resources, what passwordless authentication options are available for them to access Office 365 apps from our Office 365 tenant (Exchange Online OWA, using the Outlook 365 desktop app or Outlook 2016 desktop app, Teams, Skype For Business Online, SharePoint Online, One Drive For Business etc,)?  

What about passwordless authentication to on prem AD resources such as shared network drives and network printers?

Also, mobile apps for iOS and Android such as Exchange Active Sync email and Office mobile apps (Outlook for iOS and Android, Skype For Business, OneDrive For Business, SharePoint, Teams etc,)?

Will certificate based authentication work with all these options?  What about using FIDO keys?

Which passwordless options will work best when the devices can't be managed via MDM?