Set up Windows Hello for two-step authentication

If you have already enabled two-step authentication via SMS, a mobile app, or a hardware security key, you have the additional option of adding one or more Windows Hello-compatible devices. When signing in from these devices, you can use your fingerprint sensor or facial recognition instead of SMS, an authenticator app, or a hardware security key to complete two-step authentication.

You will not be able to use Windows Hello when signing in from a device that was not added to your account. In these cases, you will need to use SMS, your authenticator app, or a hardware security key to sign in.

Set up two-step authentication with a Windows Hello device

  1. If you have not yet done so, first set up two-step authentication by SMS, an authenticator app, or a hardware security key.
  2. Go to Start > Settings > Account > Sign-in Options and follow the on-screen instructions to set up Windows Hello. For details, see Microsoft’s documentation.
  3. In your Profile settings under the Two-step authentication section, click Add authentication method.
  4. Select Use Windows Hello. This option will only appear if your browser supports Windows Hello.
  5. Follow the instructions displayed in the pop-up window to set up Windows Hello.
    Screenshot of the Windows Hello prompt to sign into in Google Chrome
  1. Next, enter a name for your Windows Hello device. This will help you tell them apart if you add multiple such devices.

The next time you sign in, you will be prompted to use Windows Hello for two-step authentication. Follow the instructions on the screen to login. If you have a hardware security key, you can still use it while being prompted to use Windows Hello. You can also cancel and opt to use a verification code instead, either through SMS or a mobile app.

Additional Information

Windows Hello is supported through WebAuthn, which requires a modern browser.