- Microsoft is promoting passwordless, phishing-resistant authentication methods to reduce the risk of credential theft and improve the sign-in experience.
- The Microsoft Authenticator app lets you sign in to Microsoft Entra and Microsoft 365 accounts with phone sign-in, push notifications, number matching, and biometrics, without typing a password.
- Administrators enable Authenticator and the other passwordless methods through the authentication methods policy and Conditional Access policies in Microsoft Entra ID, coordinating the security, support, and communications teams.
- The passwordless model has some known limitations and issues, but when well planned it lets most users stop using passwords day to day, with greater security.
Passwordless authentication for Microsoft accounts is no longer futuristic or exclusive to highly advanced environments. Today, anyone can sign in to Microsoft 365, Microsoft Entra ID (formerly Azure AD), or a personal Microsoft account using a mobile phone, biometrics, or a security key, without typing a single password. Besides being more convenient, it is a key measure for reducing credential theft and phishing.
In this article we look in some detail at how passwordless sign-in works with Microsoft Authenticator and passkeys: what your organization needs in order to roll it out, how to enable it as an administrator in Microsoft Entra ID, what end users have to do, and which limitations or known issues exist. We also look at why Microsoft is so insistent on abandoning the traditional password and how all of this fits into a Zero Trust security strategy.
Why Microsoft wants to eliminate passwords
Passwords have become the primary attack vector in corporate and personal environments. They are reused, leaked in data breaches, guessed, and stolen with phishing or malware, and at the slightest opportunity an attacker gains full access to mailboxes, documents, and critical applications.
Classic security models based on username plus password and a basic second factor (for example, an SMS code) are better than a password alone, but they still have quite a few weaknesses: text messages can be intercepted, users still fall for phishing sites, and large-scale credential theft continues.
To reduce this risk, Microsoft recommends switching to phishing-resistant passwordless authentication methods. These rely on credentials bound to a physical device (phone, laptop, security key, etc.) and require something you have (the device) plus something you know or are (PIN, fingerprint, face), so they satisfy MFA in a single step without forcing the user to remember anything.
Sign-ins with passkeys or FIDO2 credentials are also much faster. According to internal Microsoft data, password authentication takes around 24 seconds, whereas a typical passkey is validated in about 8 seconds, and even less (around 3 seconds) when it is a passkey synchronized through a manager such as Google Password Manager or iCloud Keychain.
This combination of more security and less friction for the end user is why Microsoft is pushing its passwordless platform so hard in Microsoft Entra ID and across the Microsoft 365 and Windows ecosystem.
Passwordless authentication options in Microsoft Entra ID
Microsoft Entra ID offers several ways to sign in without entering a password, designed for both personal and corporate devices and for different kinds of users and scenarios. The main categories it currently includes are:
First, there are passkeys (FIDO2). These are credentials based on the FIDO2 standards that are stored on a device, for example a security key or a platform passkey. They can be synced passkeys managed by Google Password Manager or iCloud Keychain, or device-bound passkeys on physical hardware such as YubiKey and similar devices.
Second, Microsoft includes Windows Hello for Business. This creates a credential bound to the Windows computer, protected by a PIN or biometrics (fingerprint or facial recognition). It is the basis for passwordless sign-in to the Windows desktop when the device is joined to Microsoft Entra ID or otherwise properly managed.
Another option is Microsoft Entra ID passkeys for Windows sign-in (in preview) and platform credentials for macOS (also in preview). Both let the operating system manage passwordless credentials integrated directly with Entra ID, simplifying secure sign-in in modern environments.
In the mobile world, the standout is passkeys in the Microsoft Authenticator app, and this is where passwordless phone sign-in comes in: the user approves a notification in the app, enters the number shown on screen, and confirms with a PIN or device biometrics, without typing the account password.
Finally, Microsoft continues to support smart cards and certificate-based authentication, which count as passwordless credentials in many enterprise environments and also resist phishing well when properly implemented.
How Microsoft Authenticator works for passwordless sign-in
The Microsoft Authenticator app is a key component of Microsoft's passwordless strategy. Available for iOS and Android, it supports both classic multifactor authentication (MFA with push notifications or codes) and passwordless phone sign-in.
Authenticator is built on key-based authentication. Essentially, a credential is generated for the user and bound to a specific device. To use that credential, the device requires a local authentication factor such as a PIN, fingerprint, or facial recognition. Windows Hello for Business uses very similar technology, but it is focused on the Windows computer itself.
The typical phone sign-in flow is very simple. On the Microsoft 365 sign-in screen or in any app integrated with Entra ID, the user enters only their username (work or school email). Then, instead of typing a password, they select the option to approve a request in the Authenticator app.
At that moment a number appears on the sign-in screen, and the phone displays an Authenticator notification requesting confirmation of the access. The user must select the correct account and enter the number shown on the website into the app. This cross-check (number matching) prevents someone from accidentally approving a notification that does not belong to them.
Once the number is entered, the device asks for a PIN or biometrics to verify that the person approving really is the owner of the phone. Only then is the sign-in completed and access to the account granted, without the password ever having been entered.
An important detail is that multiple Microsoft Entra ID accounts can be configured in the same Authenticator app, with passwordless phone sign-in enabled on all of them, provided the device is registered with each corresponding tenant. Guest accounts, however, are not supported in the multi-account model on the same device.
Prerequisites for passwordless phone sign-in
Before rushing to enable passwordless sign-in for everyone, make sure some minimum technical and organizational requirements are met. Microsoft recommends reviewing these points to avoid problems later.
First, it is highly advisable to have Microsoft Entra multifactor authentication (MFA) configured in the organization, since this enables push notifications as a verification method. These notifications help block unauthorized access and fraudulent transactions, and the Authenticator app also generates codes automatically as a backup method if the device loses connectivity.
In addition, it is mandatory that the device on which Authenticator will be used is registered with each Entra ID tenant where you want to enable phone sign-in. For example, if a person works with the accounts balas@contoso.com and balas@wingtiptoys.com, the phone must be registered with both tenants (Contoso and Wingtip Toys) to allow passwordless access with both identities.
On the administration side, it is best to first enable the combined registration experience in Microsoft Entra ID. This experience unifies the registration of security methods (MFA, password reset, etc.) and simplifies onboarding Authenticator as a passwordless method.
From a licensing perspective, simply registering and signing in with passwordless methods does not require a specific license. Even so, Microsoft recommends at least a Microsoft Entra ID P1 license to take full advantage of the feature set: Conditional Access to require phishing-resistant credentials, authentication method usage reports, and so on.
Finally, it is critical to identify the teams that will be involved in the project: identity and access management, security architecture, security operations, audit, technical support, and end-user communications. If these groups are not aligned, the rollout may be incomplete or generate too many incidents.
How to enable passwordless Microsoft Authenticator as an administrator
From the Microsoft Entra admin center, administrators define which authentication methods are allowed in the organization. This is where Microsoft Authenticator is enabled, both for traditional MFA and for passwordless mode.
The starting point is to open the Microsoft Entra admin center and sign in with an account that has at least the Authentication Policy Administrator role. Once signed in, go to the Entra ID section and from there to Authentication methods and Policies, where the usage rules for each method are managed.
In the method configuration, you can enable Microsoft Authenticator and decide whether to allow classic MFA push (a push notification that confirms a password sign-in) and/or passwordless phone sign-in. Each user group can be configured to use either mode, or restricted, according to security needs.
By default, groups are usually configured to use Authenticator in "any" mode. This means their members can sign in either by approving a standard push notification or by using passwordless phone sign-in, if they have registered it successfully in the app.
A very common question among administrators is whether it is possible to force passwordless use absolutely, so that the user can never authenticate with their password again once everything is configured. The reality is that, while you can strongly promote a passwordless model through Conditional Access policies and restrictions on the allowed methods, Microsoft still keeps the option to use a password in specific scenarios, such as recovery or compatibility with certain legacy applications.
Even so, by combining the authentication methods policy with Conditional Access, you can get quite close to a scenario in which new users, after registering Authenticator and completing their first sign-in, almost always use the phone or another passwordless method, reducing password use to exceptional circumstances.
User registration in the Authenticator app
Once Microsoft Authenticator is enabled as a method in the organization, the next step is end-user registration, which can be done in two main ways: guided registration from the Security info page, or a Temporary Access Pass (TAP) issued by the administrator.
In the standard guided registration, the user opens the Security info page of their account in a browser, signs in with their current credentials, and selects Add method. From there they choose "Authenticator app" and follow the instructions to install it on their device and link the account with a QR code or a similar procedure.
When that process is complete, Authenticator is registered at least as an MFA method. In the Security info section, a method of type Microsoft Authenticator will appear, which may be listed as "passwordless" or "MFA push" depending on what is allowed and registered.
If the organization wants the user not to use a password even at the beginning, it can opt for direct registration with a Temporary Access Pass. In that case, the administrator first generates a TAP for the user, which acts as a secure, time-limited credential for the initial setup.
With the TAP, the user installs Microsoft Authenticator on their phone, opens the app, selects Add account, chooses Work or school account, and authenticates with the TAP instead of a password. Then they complete the steps the app indicates to activate passwordless phone sign-in.
In environments where self-service password reset is in use, the TAP can also be used so that the user registers Authenticator as a sign-in method without ever needing to know or use a traditional password, reinforcing the fully passwordless approach from day one.
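Issuing the TAP described above through Microsoft Graph PowerShell, as an added example that is not part of the article; the UPN, group target and lifetime are placeholders, and the Microsoft.Graph.Authentication module is assumed to be installed:

```powershell
# Added example (not from the original article): enable the Temporary Access
# Pass method tenant-wide, then issue a one-time TAP so a new user can register
# Authenticator without ever using a password. Placeholders: UPN, lifetime.

# The policy scope is tenant-wide; issuing a TAP is per user.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass'

# 1. Make sure the TAP method is enabled in the authentication methods policy.
#    A short default lifetime and single use keep the window for misuse small.
$tapPolicy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    isUsableOnce             = $true
    includeTargets           = @(
        @{ targetType = 'group'; id = 'all_users' }   # 'all_users' is the documented catch-all target
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $tapPolicy -ContentType 'application/json'

# 2. Issue a single-use TAP for the user being onboarded (placeholder UPN).
$upn = 'new.user@contoso.example'
$tapRequest = @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$upn/authentication/temporaryAccessPassMethods" `
    -Body $tapRequest -ContentType 'application/json'

# The pass value is returned only in this response; Graph never shows it again.
# Hand it to the user over a trusted channel and record when it expires.
$expires = ([datetime]$tap.startDateTime).AddMinutes([int]$tap.lifetimeInMinutes)
Write-Host "TAP for $upn : $($tap.temporaryAccessPass)"
Write-Host "Valid until $($expires.ToString('u')), single use: $($tap.isUsableOnce)"

# 3. After the user has finished onboarding, confirm that an Authenticator
#    method is now registered on the account.
$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$upn/authentication/methods"
$registered = $methods.value | ForEach-Object { $_.'@odata.type' }
if ($registered -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod') {
    Write-Host "Authenticator registered for $upn"
} else {
    Write-Host "Authenticator not yet registered for $upn (methods: $($registered -join ', '))"
}
```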
Enabling phone sign-in in the Authenticator app
Registering the app is not enough: the user must explicitly enable passwordless phone sign-in for each account they want to use that way. This step often goes unnoticed, but it is essential.
To activate it, the user opens the Microsoft Authenticator app on their phone and selects the previously registered work or school account. Among the available options they will see something like "Configure passwordless sign-in requests" or "Enable phone sign-in."
When that option is tapped, the app starts a brief setup process that may require confirming the user's identity by signing in through a browser, approving a notification, or validating some additional information. After completing these steps, the account is marked as eligible for passwordless phone sign-in.
From then on, when the user tries to sign in to Microsoft 365, Entra ID, or any integrated application, after entering their username they can choose the option "Approve a request in my Authenticator app". The website displays a number, and the app asks the user to select that number and confirm with a PIN or biometrics.
Once the user has started signing in this way, the system usually keeps this method as the preferred one, always offering the option to approve the request on the phone, although it is still possible to choose another method if necessary.
For organizations that want to actively guide their users, internal documentation can state that, after registering Authenticator, they must open the app and expressly activate phone sign-in, so that it is clear what they need to do and the number of support incidents is reduced.
The passwordless sign-in experience for the user
Once everything is configured (tenant enabled, Authenticator registered, and phone sign-in activated), the user experience changes significantly. Instead of relying on a password, the user almost always uses their phone and biometrics.
In a typical first attempt, the person types their username in the Microsoft 365 sign-in panel or the app in question and taps Next. If it does not appear by default, they can tap Other ways to sign in and select Approve a request in my Authenticator app.
The screen displays a random number. Almost simultaneously, the user's phone receives an Authenticator notification alerting them to a sign-in attempt. On opening the notification, the app prompts the user to select the number shown on their PC or browser, which helps prevent blind or fraudulent approvals.
In the final step, the system asks the user to unlock the device with a PIN, fingerprint, or face. This combination of something you have (the phone) and something you are or know (biometrics or PIN) makes the authentication count as strong MFA, without relying on codes sent by SMS or email, which are more vulnerable.
After a few sign-ins with this method, most users end up forgetting their password in day-to-day use, because the Authenticator flow becomes their natural way of signing in to Office, Teams, OneDrive, or any other application linked to the organization.
If another method is needed for some reason (for example, because the phone has been lost or is out of battery), there is always the option of falling back to other authentication factors, if the administrator has allowed them: passkeys, FIDO2 security keys, Windows Hello, smart card, or other configured mechanisms.
Management, control, and teams involved in the passwordless project
The recommended way to manage Microsoft Authenticator and the other authentication methods is the Microsoft Entra authentication methods policy. From there, administrators can enable or disable Authenticator and include or exclude specific users and groups.
Within that policy, settings can be defined to provide more context in sign-in requests, for example adding the approximate location or the name of the application requesting access, so that the user has more information before tapping Approve or Deny on their phone.
From an organizational standpoint, it is key that the Identity and Access Management (IAM) team handles day-to-day configuration, while the Security Architecture team designs the passwordless strategy within the overall security framework. Security Operations, for its part, monitors authentication events, investigates potential threats, and implements corrective measures when anomalies are detected.
The Security and Audit team is responsible for verifying compliance with internal and external regulations, which involves regularly reviewing authentication processes, assessing risks, and proposing improvements. All of this is complemented by technical support, which assists end users in their first steps with passwordless authentication and resolves specific issues.
Finally, end-user communications plays a fundamental role. A change as significant as abandoning passwords requires clear messaging: what will change, what the user has to do, why it is more secure, and what to do if they lose their phone or change devices.
In parallel, application integration with Microsoft Entra ID is another essential aspect. The more applications (SaaS, line-of-business, published on-premises apps, etc.) are integrated with Entra ID, the more you can leverage passwordless authentication and apply Conditional Access to require phishing-resistant methods uniformly.
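The policy change from the enablement section above (enabling Authenticator and choosing "any" versus passwordless-only mode per group) and the request-context settings in the paragraph above, as one added Microsoft Graph PowerShell example that is not code from the article or from Microsoft; the pilot group id is a placeholder and the Microsoft.Graph.Authentication module is assumed to be installed:

```powershell
# Added example (not from the original article): configure the Microsoft
# Authenticator method in the Entra authentication methods policy via Graph.
# Placeholder: $pilotGroupId. Modes: 'any' (push or passwordless),
# 'push' (MFA push only), 'deviceBasedPush' (passwordless phone sign-in only).
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group id

# Weaker starting point, shown for comparison only and never applied here:
# the pilot group in 'any' mode and no app/location context on approvals.
$loose = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(@{ targetType = 'group'; id = $pilotGroupId; authenticationMode = 'any' })
}

# Hardened version: the pilot group is limited to passwordless phone sign-in,
# and every approval shows the requesting app and approximate location so the
# user can reject a prompt they did not initiate.
$allUsers = @{ targetType = 'group'; id = 'all_users' }
$noOne    = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }
$hardened = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state           = 'enabled'
    includeTargets  = @(@{ targetType = 'group'; id = $pilotGroupId; authenticationMode = 'deviceBasedPush' })
    featureSettings = @{
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $noOne }
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $noOne }
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $hardened -ContentType 'application/json'

# Read the policy back and report the effective state rather than trusting the PATCH.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
"Method state: $($cfg.state)"
foreach ($t in $cfg.includeTargets) {
    '{0,-40} {1}' -f $t.id, $t.authenticationMode
}
"App info shown:  $($cfg.featureSettings.displayAppInformationRequiredState.state)"
"Location shown:  $($cfg.featureSettings.displayLocationInformationRequiredState.state)"
```

Members of the pilot group can still fall back to a password unless Conditional Access also requires a phishing-resistant authentication strength, which is the combination the enablement section describes.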
Known issues and limitations of passwordless authentication
Although the passwordless model is very robust, Microsoft documents several known issues and restrictions that should be kept in mind to avoid surprises during rollout or support.
One of the most frequent cases is a user who does not see the passwordless phone sign-in option on the authentication screen even though Authenticator is configured. Sometimes this is because a verification is pending in Authenticator; if the user tries to sign in again while that request remains unanswered, the system may only offer the option to enter the password.
The fix in that scenario is simple: the user opens the Microsoft Authenticator app on their phone and responds to (approves or denies) any pending notifications. Once those requests are cleared, the passwordless phone option reappears normally on subsequent sign-in attempts.
Another important limitation is that the old AuthenticatorAppSignInPolicy is deprecated and no longer supported for controlling Authenticator. To allow push notifications or passwordless phone sign-in, you must always use the Authentication methods policy, which Microsoft maintains and updates.
In environments with federated or hybrid accounts (for example, with Active Directory Federation Services, AD FS), when a user enables any passwordless credential, the Microsoft sign-in process stops using the login_hint parameter. This means the flow no longer automatically sends the user to a federated sign-in endpoint as it did before.
This behavior typically prevents a user in a hybrid tenant from being redirected to AD FS to validate their credentials, because direct authentication with the passwordless methods supported by Entra ID is favored. However, the manual option to select "Use your password instead" is usually still available if the configuration allows it.
For users managed by an on-premises identity provider, even with MFA enabled, it may only be possible to create and use a single passwordless phone sign-in credential. If they attempt to update too many Authenticator installations (for example, more than five different devices) with the same passwordless credential, errors may occur when registering new instances.
As with any security project, these limitations do not prevent adoption of the passwordless model, but they do require the identity architecture to be planned well, especially in very large or hybrid organizations or those with special federation and on-premises authentication needs.
Ultimately, passwordless authentication in Microsoft Entra ID, especially with Microsoft Authenticator and passkeys, lets organizations drastically reduce the risk associated with weak or stolen passwords while making sign-in faster and more convenient for users. By combining effective authentication policies, Conditional Access, and good internal communication, the password becomes less important, and the phone, biometrics, and security keys become the cornerstone of an identity that is more secure and harder to impersonate.