Windows Hello for Business vs passkeys: which to use, and where they overlap
Both Windows Hello for Business (WHfB) and Entra ID passkeys deliver passwordless, phishing-resistant sign-in. They are not interchangeable. For most organisations the right answer is "both, in different roles". This guide explains what each one does, where they overlap, and how to draw the line cleanly.
What each one actually is
Windows Hello for Business is a Microsoft-specific Windows feature that turns the user's PC into a secure, biometric-bound credential for that user's Entra ID account. The credential is provisioned during sign-in, lives in the device's TPM (or in a hardware-backed key on Pluton-equipped silicon), and is bound to that physical Windows machine. The user signs in with PIN + biometric; Windows handles the cryptography behind the scenes. WHfB has been around since Windows 10 and integrates deeply with both Entra-joined and hybrid-joined PCs.
Entra ID passkeys are FIDO2 credentials registered against the user's Entra account. They can live in Microsoft Authenticator (device-bound on the phone), in Apple iCloud Keychain, in Google Password Manager / Samsung Pass, or in Windows Hello itself. The credential is portable across browsers and apps via the WebAuthn standard, and works on macOS and mobile, not just Windows.
Both are FIDO2 / WebAuthn credentials under the hood. The difference is what they unlock and where they live: WHfB unlocks the Windows device (and signs the user in to Entra apps via that device's credential). A passkey is a portable credential that any Entra-protected app can verify.
Where they overlap
The boundary blurs in three places, and most rollouts get confused at one of them:
- On a fully Entra-joined Windows 11 PC, signing in with Windows Hello effectively is a passkey sign-in to Entra ID. The user types their PIN, the TPM signs the challenge, and Entra accepts the credential. Whether you call that "Windows Hello" or "a passkey" is a labelling choice — the cryptography is the same.
- When a user registers a passkey in Edge or Chrome on a Windows machine, Windows may offer to store the passkey in Windows Hello itself. That passkey is then usable for that Entra account specifically from this PC, sitting alongside the WHfB device-sign-in credential.
- Microsoft documentation now refers to "Windows Hello for Business as a passkey provider" — the tooling has converged. The differences are around enrolment, attestation, and management, not the cryptographic primitives.
When to pick Windows Hello for Business
- You issue managed Windows machines to staff and want desktop sign-in to be passwordless without depending on the user having their phone or a security key with them at the keyboard.
- You need attested, hardware-backed device credentials for regulatory reasons. WHfB's TPM-bound credentials carry an attestation that maps one-to-one to the Windows device.
- You have hybrid-joined PCs talking to on-premises AD. WHfB has well-understood paths for hybrid scenarios; passkey-only authentication on hybrid AD is still a more nuanced configuration.
- The user spends most of their time at one PC. WHfB is excellent on the device it lives on; less helpful when the user roams between machines.
When to pick Entra ID passkeys
- Your fleet is mixed. Mac, iPad, work-issued iPhones, BYOD Android — a passkey strategy covers all of them, while WHfB is a Windows-only answer.
- Users roam between many shared or personal devices. A passkey on the user's phone authenticates anywhere they bring the phone — including a checkout terminal or a colleague's laptop in a pinch.
- You want to retire MFA push prompts entirely. A passkey registration replaces both "password + push" and "password + TOTP" in one credential. WHfB still expects users to MFA into other apps unless those apps are covered by SSO.
- You serve external collaborators. Guest users in your tenant can register a passkey of their own without you having to provision a Windows Hello credential on a managed PC they do not have.
The hybrid pattern most enterprises end up running
For organisations larger than ~200 staff, the practical pattern is:
- Windows Hello for Business on every managed Windows PC. Desktop sign-in is passwordless and phishing-resistant by default. Desktop sign-in is also the largest single source of password-related tickets, and WHfB takes them off the helpdesk permanently.
- Entra ID passkeys (in Microsoft Authenticator) on every user's phone. Covers the case where the user is on a Mac, on a personal device, on a kiosk, or signing in from home. Also covers the Windows-laptop-died-but-I-need-to-sign-in scenario.
- Hardware FIDO2 keys for privileged accounts and break-glass admins. Tenant administrators, DBA-level access, and any account that should never depend on a personal device.
A passkey rollout in this pattern is mostly about getting an Authenticator passkey registered for every user on their phone, before you tighten Conditional Access to require phishing-resistant MFA. WHfB is already doing the desktop work.
The three traps in deciding between them
- Treating WHfB as "good enough" so you skip the passkey rollout. Users on Mac, on iPad, on personal devices, or away from their primary PC still fall back to password + MFA. The phishing-resistance gap is the long tail you do not want to leave open.
- Rolling out passkeys but not enabling WHfB. Every desktop sign-in requires the user to authenticate via their phone. Friction adds up fast over a working week, and users start leaving sessions open longer than they should as coping behaviour.
- Misunderstanding what "passkey-only" means. Microsoft's passwordless framing sometimes implies a passkey replaces every other factor. In a mature deployment, WHfB, Authenticator passkeys, and Conditional Access are working together — not one in place of the others.
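The check that belongs before tightening Conditional Access, and that surfaces the first two traps above, is a coverage audit of who has which method registered. The script below is an added example, not code from this guide or from SetupPasskeys. It assumes you have already fetched each user's method list from Microsoft Graph (GET /users/{id}/authentication/methods, the "value" array) and keyed the lists by UPN; the @odata.type names are the real Graph method types, while the users, ids, device names and aaGuid values are constructed for the example. Users with both WHfB and a FIDO2 passkey are ready; WHfB-only users fall back to password + MFA off the PC (trap one); passkey-only users go through their phone for every desktop sign-in (trap two); users with neither would be locked out by a policy requiring phishing-resistant MFA.

```python
import json

# Microsoft Graph @odata.type values for authentication methods (real type names).
WHFB = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"           # passkeys (Authenticator, platform) and hardware keys
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"  # push / TOTP in the app
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"           # SMS / voice call

# The methods the guide treats as phishing-resistant; everything else is a
# fallback that a phishing-resistant Conditional Access policy will refuse.
PHISHING_RESISTANT = {WHFB, FIDO2}

# Constructed sample: the "value" array Graph returns per user, keyed by UPN.
# Names, ids, device names and aaGuid values are made up for this example.
SAMPLE_USERS = json.loads(r"""
{
  "alice@example.com": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
    {"@odata.type": "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
     "id": "whfb-1", "displayName": "ALICE-LAPTOP"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "fido-1",
     "displayName": "Pixel passkey", "model": "Microsoft Authenticator",
     "aaGuid": "00000000-0000-4000-8000-0000000000a1"}
  ],
  "bob@example.com": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-2"},
    {"@odata.type": "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
     "id": "whfb-2", "displayName": "BOB-DESKTOP"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "id": "auth-2", "displayName": "Bob's iPhone"}
  ],
  "carol@example.com": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-3"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "fido-3",
     "displayName": "iPhone passkey", "model": "Microsoft Authenticator",
     "aaGuid": "00000000-0000-4000-8000-0000000000a2"}
  ],
  "dave@example.com": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-4"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "ph-4",
     "phoneType": "mobile"}
  ]
}
""")


def classify(methods):
    """Map one user's registered methods onto the roles of the hybrid pattern."""
    types = {m.get("@odata.type") for m in methods}
    desktop = WHFB in types    # passwordless sign-in at the managed Windows PC
    roaming = FIDO2 in types   # passkey usable from any browser, device or kiosk
    # Short names of the non-phishing-resistant methods the user would fall back to.
    fallback = sorted(t.rsplit(".", 1)[-1] for t in types - PHISHING_RESISTANT)
    if desktop and roaming:
        bucket = "ready"
    elif desktop:
        bucket = "desktop_only"   # trap one: off the PC, still password + MFA
    elif roaming:
        bucket = "roaming_only"   # trap two: every desktop sign-in goes via the phone
    else:
        bucket = "not_ready"      # locked out once phishing-resistant MFA is required
    return {"bucket": bucket, "desktop": desktop, "roaming": roaming,
            "fallback_methods": fallback}


def coverage_report(users):
    """Group UPNs by readiness bucket; input is {upn: [method, ...]}."""
    report = {"ready": [], "desktop_only": [], "roaming_only": [], "not_ready": []}
    for upn, methods in sorted(users.items()):
        report[classify(methods)["bucket"]].append(upn)
    return report


def safe_to_enforce(report):
    """True when no user would be locked out by requiring phishing-resistant MFA."""
    return not report["not_ready"]


if __name__ == "__main__":
    report = coverage_report(SAMPLE_USERS)
    for bucket, upns in report.items():
        print(f"{bucket:13s} {len(upns):3d}  {', '.join(upns)}")
    for upn in report["not_ready"]:
        print(f"  {upn}: only {classify(SAMPLE_USERS[upn])['fallback_methods']}")
    print("safe to require phishing-resistant MFA:", safe_to_enforce(report))
```

Run it against the sample and dave@example.com lands in not_ready with only password and phone methods, so the policy change waits until he has an Authenticator passkey; bob and carol are the two traps in live form. Authenticator passkeys show up as fido2AuthenticationMethod entries alongside hardware keys, so the same bucket covers both; if you need to tell them apart, the model and aaGuid fields on each entry are the place to look.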
Where SetupPasskeys fits
SetupPasskeys covers the Authenticator-passkey side of this pattern. It walks each end user through registering a phone passkey on their actual device — Pixel, iPhone, Galaxy, iPad — without needing them to interpret the Microsoft documentation themselves. WHfB on the Windows side is policy-driven and provisions itself; the rollout work for it is small.
See the Entra ID passkey rollout guide for the broader programme view, and the Microsoft Authenticator setup guide for the per-device steps end users actually need.
Last reviewed 25 April 2026. Microsoft has been actively converging WHfB and passkey terminology; the technical primitives are stable but the product-marketing names keep shifting. Verify your tenant's specific configuration on Microsoft Learn before publishing internal documentation.