Microsoft Passport

To help protect user identities and user credentials, Microsoft Passport offers options such as biometrics or a PIN number to replace the use of a password. As part of strong two-factor authentication, these alternative credentials are protected by hardware or software and can be based on certificates or local keys.

Microsoft Passport can also be managed by Microsoft Intune. With enrolled devices, Intune can deploy certificates to authenticate users. Intune can also manage policy settings for PIN, biometrics, and Trusted Platform Module (TPM) requirements.

A good recommendation is for the user to create a highly complex password for their sign in account, and then configure a 6-8 digit PIN to make it easier to sign in, while still being very secure. If the device is not domain joined and not enrolled in an MDM solution, users can select their own options, such as Windows Hello (see next section) or a PIN to sign in to Windows. To configure these options, go to the Accounts menu and select Sign-in options:

The user can then set or change their PIN:

The next time they log in to Windows, they can choose their sign in method and select PIN. This will then become the default sign in option for all subsequent attempts: