At the moment our security policy enforces the use of a password and a second factor (MS Authenticator). We had successfully managed passwordless logins with a FIDO2 device. The downside is that it would be the only factor if we enable it company-wide. We would like to combine (strong) passwords with the security ("easiness") and costs of the FIDO2 token.


I know that you can use it together with a password, but you can also skip your password login and switch straight to passwordless login in the first login dialog as well.


So is there a technical way to enforce a password and make it impossible to switch to passwordless login?

The reasons:
- The PIN on a FIDO2 token may be weak (the user uses "1234"). Such tokens may be lost in the parking lot. Happy h4cking

- The MS Authenticator app is fine, but for some users we just enroll really expensive phones as a second factor. They don't have any other need for this phone.

- Simple paperwork. CISO policy calls for MFA. Passwordless would go back to one factor. => less security (?)
