Passwordless (passkey) support has been added for authentication using the FIDO2 standard. It is enabled on a per-user basis and must be set up by the user. Our implementation leaves it to the user how they enrol in passwordless sign-in.
  • The feature is controlled by the user, activated only by them, through editing their user profile
  • Once activated, it will remove the password from the system
  • To sign in, the user enters their email address and is then prompted to authenticate using the method they created, i.e. face scan, touch or PIN. At present, a user can choose whether to lock their account to a specific device or use a cross-device credential; the only limiting factor is the options the device supports.

It can be turned off by using "Recover My Account" on the login page.
This will allow the user to create a password to sign in using the traditional method.
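
The sign-in step above, seen from the server side, as an added example (not this product's own code): it parses the fixed header of the WebAuthn authenticator data and checks that the user was verified on the device, then reports whether the credential is device-bound or cross-device. It assumes the page's two credential types correspond to the WebAuthn backup-eligible flag; the relying-party ID and the sample bytes are constructed, and verifying the signature against the stored public key is a separate step not shown here.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticator data "flags" byte, as defined by WebAuthn.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified on the device (face scan, touch or PIN)
FLAG_BE = 0x08  # backup eligible: credential can be synced across devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def credential_kind(self) -> str:
        # Assumption: the page's "cross-device" option maps to the BE flag.
        return "cross-device" if self.flags & FLAG_BE else "device-bound"


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("backup state set on a credential that is not backup eligible")
    return AuthenticatorData(rp_id_hash, flags, sign_count)


def check_sign_in(raw: bytes, rp_id: str) -> AuthenticatorData:
    """Checks made on a passwordless assertion before signature verification."""
    data = parse_authenticator_data(raw)
    if data.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this site")
    if not data.flags & FLAG_UP or not data.flags & FLAG_UV:
        raise ValueError("user presence and user verification are required")
    return data


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input, not captured from a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
```

Only these flags, a counter and a signature reach the server; the face or fingerprint match itself happens on the user's device.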




Where is Windows Hello biometrics data stored?

When you enrol in Windows Hello, a representation of your face called an enrollment profile is created; more information can be found on Windows Hello face authentication. This enrollment profile biometrics data is device-specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on a Windows device. Even in this case, the biometrics data is stored locally on those modules, is device-specific, doesn't roam, never leaves the module, and is never sent to Microsoft Cloud or an external server.


Who has access to Windows Hello biometrics data?

Since Windows Hello biometrics data is stored in an encrypted format, no user or process other than Windows Hello has access to it.


Where is Touch ID data stored? Secure Enclave
The chip in your device includes an advanced security architecture called the Secure Enclave, which was developed to protect your passcode and fingerprint data. Touch ID doesn't store any images of your fingerprint and instead relies only on a mathematical representation. It isn't possible for someone to reverse engineer your actual fingerprint image from this stored data.
Your fingerprint data is encrypted, stored on the device, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it. It's never stored on Apple servers, it's never backed up to iCloud or anywhere else, and it can't be used to match against other fingerprint databases.