Cyber Essentials v3.3 and passwordless authentication: what the scheme allows
Passwordless sign-in with FIDO2, Windows Hello, and mobile credentials is rising fast. This article explains how v3.3 treats passwordless authentication and what to declare in the self-assessment.
Passwordless sign-in - FIDO2 security keys, Windows Hello biometrics, passkeys on phones - is rapidly becoming the default for UK enterprise. v3.3 does not prohibit passwordless; it defines what passwordless configurations pass the MFA requirement.
This article clarifies which passwordless setups are acceptable under CE v3.3 and which require additional compensating controls.
The scheme's test
MFA under v3.3 requires two independent factors. Traditional MFA is "password + something else". Passwordless combines two factors into one action - typically possession (key/device) + biometric (face/fingerprint) or possession + PIN.
The scheme asks: does the authentication require two independent factors, at least one of which is something-the-user-has?
If yes, passwordless passes.
FIDO2 security keys
A FIDO2 security key (YubiKey, SoloKey, Titan) requires:
- Possession of the key (factor 1).
- PIN or biometric to unlock the key (factor 2).
This passes CE v3.3 MFA. In fact, FIDO2 is the preferred admin factor because it is phishing-resistant.
Windows Hello for Business
Windows Hello for Business binds a FIDO2 credential to a specific TPM-enabled Windows device. Sign-in requires:
- Possession of the device (factor 1).
- Biometric or PIN (factor 2).
This passes v3.3 MFA when deployed correctly:
- Windows Hello for Business (not "Windows Hello" - they are different).
- Deployed via Intune or Group Policy with TPM-bound credentials.
- PIN complexity meets organisational requirements (minimum 6 digits, ideally 8).
Assessors sometimes ask for a screenshot of the Intune Windows Hello for Business policy to verify it is the Business variant (not consumer Windows Hello).
Passkeys
Passkeys are FIDO2 credentials synchronised across a user's Apple or Google account. They pass v3.3 MFA when:
- The user authenticates with a biometric or device PIN to use the passkey.
- The synchronisation service is MFA-protected (iCloud Keychain, Google Account).
Assessors will ask how the iCloud / Google Account itself is protected: a passkey stored in an iCloud account that lacks 2FA creates a circular dependency, because the second factor is only as strong as the account that holds it.
Face ID / Touch ID on mobile banking apps
Some line-of-business mobile apps authenticate with device biometrics. This passes v3.3 when the app is registered to the user, the device is enrolled in corporate MDM, and losing the device triggers a remote wipe.
What does not pass
- "We use biometric login" without clarifying what the underlying factor is. The assessor will ask: biometric alone is not a second factor if the first factor is also biometric.
- Consumer Windows Hello (not Windows Hello for Business) on consumer machines. Treated as single-factor.
- Face unlock on a personal phone accessing work email if the phone is not MDM-enrolled.
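The acceptance rules from the FIDO2, Windows Hello for Business, passkey, mobile-app and "what does not pass" sections above, written up as a small inventory check so each passwordless setup can be classified before it is declared. This is an added example, not code from the article or from Fig Group; the `Credential` fields and the `SAMPLE` inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Credential:
    user: str
    method: str                # fido2_key | whfb | consumer_hello | passkey | app_biometric
    unlock: str = "none"       # pin | biometric | none: what unlocks the possessed key/device
    tpm_bound: bool = False    # whfb: credential bound to the device TPM
    managed: bool = False      # deployed via Intune/Group Policy, or device MDM-enrolled
    sync_mfa: bool = False     # passkey: iCloud Keychain / Google Account has MFA
    remote_wipe: bool = False  # app_biometric: losing the device triggers remote wipe

def assess(c: Credential) -> Tuple[bool, str]:
    """Classify one credential against the v3.3 passwordless rules described above."""
    if c.method == "consumer_hello":
        return False, "consumer Windows Hello is treated as single-factor"
    if c.unlock not in ("pin", "biometric"):
        return False, "possession only: key/device is not unlocked by a PIN or biometric"
    if c.method == "fido2_key":
        return True, "FIDO2 key: possession + PIN/biometric (phishing-resistant)"
    if c.method == "whfb":
        if not c.tpm_bound:
            return False, "Windows Hello for Business credential is not TPM-bound"
        if not c.managed:
            return False, "Windows Hello for Business not deployed via Intune/Group Policy"
        return True, "Windows Hello for Business: device possession + PIN/biometric"
    if c.method == "passkey":
        if not c.sync_mfa:
            return False, "passkey sync account lacks MFA (circular dependency)"
        return True, "passkey: possession + PIN/biometric with MFA-protected sync"
    if c.method == "app_biometric":
        if not c.managed:
            return False, "device is not MDM-enrolled"
        if not c.remote_wipe:
            return False, "a lost device cannot be remotely wiped"
        return True, "app biometric on MDM-enrolled device with remote wipe"
    return False, f"unrecognised method: {c.method}"

def audit(inventory: List[Credential]) -> List[Tuple[str, bool, str]]:
    # One (user, passes, reason) row per credential; every FAIL needs fixing before declaring.
    return [(c.user, *assess(c)) for c in inventory]

SAMPLE = [  # constructed, fictional inventory for illustration only
    Credential("alice", "whfb", unlock="biometric", tpm_bound=True, managed=True),
    Credential("bob", "consumer_hello", unlock="pin"),
    Credential("carol", "passkey", unlock="biometric", sync_mfa=False),
    Credential("dave", "fido2_key", unlock="pin"),
    Credential("erin", "app_biometric", unlock="biometric", managed=False),
]
```

Running `audit(SAMPLE)` flags bob, carol and erin with the reason an assessor would give, which maps directly onto the self-assessment bullets below.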
What to declare in the self-assessment
When the self-assessment asks about MFA, state clearly:
- Which users use passwordless.
- Which technology (FIDO2, Windows Hello for Business, passkey).
- How the device is registered (Intune, Jamf, manual).
- How the backup factor works if the primary device is lost (recovery key, fallback MFA).
A clean answer:
> "All 42 corporate Windows 11 laptops are Intune-enrolled with Windows Hello for Business. Users sign in via biometric to an Entra ID passwordless credential bound to the device TPM. Administrators use FIDO2 hardware keys (YubiKey 5C NFC) as the primary factor and Microsoft Authenticator number-matching push as fallback. Mobile users authenticate via passkeys stored in Entra ID, protected by device biometric."
This passes cleanly.
Service account question
Service accounts cannot do passwordless; they use tokens or certificates. Document each service account separately:
- Purpose.
- Scope.
- Rotation policy.
- Monitoring.
Bottom line
v3.3 allows passwordless. Configure it correctly - Windows Hello for Business, FIDO2, passkey with protected sync - and declare it clearly in the self-assessment. Passwordless can be stronger than traditional password + MFA and is increasingly the correct choice for UK SMBs and MSPs.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.