diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 35200347df..36a0de01ff 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,6 +1,6 @@ --- title: Configure federated sign-in for Windows devices -description: Learn about federated sign-in in Windows how to configure it. +description: Learn how federated sign-in in Windows works and how to configure it. ms.date: 09/11/2023 ms.topic: how-to appliesto: diff --git a/windows/security/identity-protection/hello-for-business/passwordless.md b/windows/security/identity-protection/hello-for-business/passwordless.md index 884f5375bb..550f288698 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless.md +++ b/windows/security/identity-protection/hello-for-business/passwordless.md @@ -4,7 +4,7 @@ description: Learn how Windows Hello for Business passwordless enables your orga ms.collection: - highpri - tier1 -ms.date: 09/06/2023 +ms.date: 09/11/2023 ms.topic: how-to --- 
@@ -17,15 +17,15 @@ When the policy is enabled, certain Windows authentication scenarios don't offer With Windows Hello for Business passwordless, users who sign in with Windows Hello or a FIDO2 security key: -- Don't have the option to use the password credential provider on the Windows lock screen +- Can't use the password credential provider on the Windows lock screen - Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.) -- Don't have the option to use *Accounts > Change password* in the Settings app +- Don't have the option *Accounts > Change password* in the Settings app >[!NOTE] >Users can reset their password using CTRL+ALT+DEL > **Manage your account** Windows Hello for Business passwordless doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra ID accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\ -The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows Hello for Business passwordless is not about preventing users from using passwords, rather to guide and educate them to not use passwords. +The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows Hello for Business passwordless isn't about preventing users from using passwords, rather to guide and educate them to not use passwords. This article explains how to enable Windows Hello for Business passwordless and describes the user experiences. 
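Review bot: The rewritten third bullet, `+- Don't have the option *Accounts > Change password* in the Settings app`, lost its verb and now reads oddly; use the same form as the first bullet in this hunk, `- Can't use *Accounts > Change password* in the Settings app`. Two problems remain in the text this hunk keeps: "the last signed in user who signed in Windows Hello or a FIDO2 security key" is missing "with" after "signed in", and "isn't about preventing users from using passwords, rather to guide and educate them" is not parallel ("rather about guiding and educating them to not use passwords").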
@@ -37,7 +37,7 @@ This article explains how to enable Windows Hello for Business passwordless and Windows Hello for Business passwordless has the following requirements: - Windows 11, version 22H2 with [KB5030310][KB-1] or later -- Microsoft Entra ID joined +- Microsoft Entra joined - Windows Hello for Busines credentials enrolled for the user, or a FIDO2 security key - MDM-managed: Microsoft Intune or other MDM solution diff --git a/windows/security/identity-protection/passkey/index.md b/windows/security/identity-protection/passkey/index.md index 7b69651936..bd68713d92 100644 --- a/windows/security/identity-protection/passkey/index.md +++ b/windows/security/identity-protection/passkey/index.md 
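Review bot: While this hunk is in the requirements list, fix the typo in the adjacent context line `- Windows Hello for Busines credentials enrolled for the user, or a FIDO2 security key` ("Business"). The change to "Microsoft Entra joined" is the right term; note that the new web-sign-in article added later in this PR still says "Azure AD" and "AAD", so the terminology should be aligned across the PR.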
@@ -14,23 +14,23 @@ appliesto: ## Overview -Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using the device's unlock mechanism (such as biometrics or a PIN). Passkeys are designed to be used without the need for additional login challenges, making the authentication process faster and more convenient. +Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using the device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster and more convenient. -Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use any apps or websites that supports passkeys to create and sign in using passkeys with the Windows Hello native experience. Once a passkey is created, you can use Windows Hello (biometrics and PIN) or a companion device (phone or tablet) to sign in. +Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use any apps or websites that support passkeys to create and sign in using passkeys with the Windows Hello native experience. Once a passkey is created, you can use Windows Hello (biometrics and PIN) or a companion device (phone or tablet) to sign in. This article describes how to create and use passkeys on Windows devices. ## How passkeys work -Passkeys utilize the FIDO industry security standard, which has been adopted by multiple platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys. 
+Passkeys utilize the FIDO industry security standard, which is adopted by multiple platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys. -The FIDO protocols rely on standard public key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after being unlocked by the user using the Windows Hello unlock factor (biometrics or PIN). +The FIDO protocols rely on standard public key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN). -FIDO protocols prioritize user privacy, as they are designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and is not transmitted to the service. +FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted to the service. 
### Passkeys compared to passwords -Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys do not require a creation process, do not need to be remembered, and do not need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They are also highly secure because they are only stored on the user's devices, with the service only storing public keys. Passkeys are also resistant to phishing attempts, as they are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device. +Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys don't require a creation process, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're also highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are resistant to phishing attempts, as they're enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device. ## System requirements 
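Review bot: "without the need for other sign in challenges" in the first rewritten paragraph should be "sign-in challenges"; "sign in" is a noun modifier here and the rest of the PR writes it hyphenated (for example "Windows sign-in screen"). "which is adopted by multiple platforms" reads less naturally than the original "has been adopted"; "that multiple platforms have adopted" keeps the active voice without the awkward present tense. In the "Passkeys compared to passwords" paragraph, "passkeys don't require a creation process" sits uneasily next to the "Follow these steps to create a passkey" procedure in the same file; the intended claim is probably that the user doesn't have to invent and remember a secret, so say that instead.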
@@ -60,7 +60,7 @@ Follow these steps to create a passkey from a Windows device: :::row-end::: :::row::: :::column span="4"::: - 3. Choose where to save the passkey. By default, Windows prompts to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: + 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: :::column-end::: :::row-end::: :::row::: @@ -116,7 +116,7 @@ Pick one of the following options to learn how to save a passkey, based on where :::column-end::: :::column span="1"::: - :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the qr code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false"::: + :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the QR code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false"::: :::column-end::: :::row-end::: :::row::: @@ -158,7 +158,7 @@ Pick one of the following options to learn how to save a passkey, based on where :::row::: :::column span="3"::: - 5. Select **OK** to confirm that you want to setup a security key, and unlock the security key using the key's unlock mechanism + 5. Select **OK** to confirm that you want to set up a security key, and unlock the security key using the key's unlock mechanism :::column-end::: :::column span="1"::: 
@@ -199,7 +199,7 @@ Follow these steps to use a passkey: :::row-end::: :::row::: :::column span="3"::: - 3. If a passkey is stored locally and protected by Windows Hello, you'll be prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: + 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: :::column-end::: :::row-end::: :::row::: @@ -253,7 +253,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="4"::: - 5. You are signed in to the website or app + 5. You're signed in to the website or app :::column-end::: :::row-end::: @@ -273,7 +273,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="3"::: - 5. You are signed in to the website or app + 5. You're signed in to the website or app :::column-end::: :::column span="1"::: @@ -295,7 +295,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="3"::: - 5. You are signed in to the website or app + 5. You're signed in to the website or app :::column-end::: :::column span="1"::: diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index 5d12ea0f74..755b0efd7d 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -15,8 +15,6 @@ items: href: passkey/index.md - name: FIDO2 security key 🔗 href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key - - name: Federated sign-in 🔗 - href: /education/windows/federated-sign-in - name: Smart Cards href: smart-cards/toc.yml - name: Virtual smart cards 
@@ -24,6 +22,10 @@ items: displayName: VSC - name: Enterprise Certificate Pinning href: enterprise-certificate-pinning.md + - name: Web sign-in + href: web-sign-in/index.md + - name: Federated sign-in 🔗 + href: /education/windows/federated-sign-in - name: Advanced credential protection items: - name: Windows LAPS (Local Administrator Password Solution) 🔗 diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md new file mode 100644 index 0000000000..cb2e0e0c92 --- /dev/null +++ b/windows/security/identity-protection/web-sign-in/index.md 
@@ -0,0 +1,106 @@ +--- +title: Configure Web sign-in for Windows devices +description: Learn how Web sign-in in Windows works and how to configure it. +ms.date: 09/11/2023 +ms.topic: how-to +appliesto: + - ✅ Windows 11 +ms.collection: + - tier1 +--- + +# Configure Web sign-in for Windows devices + +Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable your users to sign-in using a web experience on Microsoft Entra joined devices. +This feature is called *Web sign-in*.\ + +Web sign in is a new sign-in experience that allows users to sign in to their Windows devices using a web browser experience, opening new sign in scenarios. + +>[!Note:] +>Web sign-in was initially realeased in windows 10 for TAP-only scenarios. Windows 11 is the first version where Web sign-in capabilities are extended. + +## Benefits of web sign-in + +## Prerequisites + +To use web sign-in, the following prerequisites must be met: + +- The devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet. +- The device must be Microsoft Entra joined +- Windows 11 Pro Edu/Education, version 22H2 with [5030310][KB-1] + + + +## Configure web sign-in + +You can configure federated sign-in for student assigned (1:1) devices or student shared devices: + +- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen +- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device + +To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG). 
+ +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Authentication | Enable Web Sign In | Enabled | +| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a semicolon-separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | +| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings: + +| Setting | +|--------| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`
**Data type**: Integer
**Value**: `1`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
**Data type**: String
**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`
**Data type**: String
**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| + +#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +To configure web sign-in using a provisioning package, use the following settings: + +| Setting | +|--------| +|
  • Path: **`Policies/Authentication/EnableWebSignIn`**
    Value: **Enabled**| +|
  • Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**
    Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**| +|
  • Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**
    Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**| + +Apply the provisioning package to the shared devices that require web sign-in. + +--- + +## How to use Web sign-in + +Once the devices are configured, a new sign-in experience becomes available. + +## Important considerations + +### Known issues affecting student shared devices + +The following issues are known to affect Web sign-in: + +- Non-federated users can't sign-in to the devices, including local accounts +- The *Other user* button is missing from the sign-in screen + +### Preferred Azure AD tenant name + +To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\ +When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown. + +For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4]. + +## Troubleshooting + +- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen +- Select the *Other User* button, and the standard username/password credentials are available to log into the device + + + +[INT-1]: /mem/intune/configuration/custom-settings-windows-10 +[KB-1]: https://support.microsoft.com/kb/5030310 +[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg new file mode 100644 index 0000000000..dbbad7d780 --- /dev/null +++ b/windows/security/images/icons/provisioning-package.svg 
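Review bot: The new file contradicts itself: "Known issues" states `- The *Other user* button is missing from the sign-in screen`, while "Troubleshooting" says `- Select the *Other User* button, and the standard username/password credentials are available to log into the device`; one of these is wrong and the reader can't tell which. Much of the body looks copied from federated-sign-in.md without being adapted: the "Configure web sign-in" section describes "federated sign-in for student assigned (1:1) devices or student shared devices", the troubleshooting bullet says "exit the federated sign-in flow", the known issue says "Non-federated users can't sign-in", and the PPKG tab ends with "Apply the provisioning package to the shared devices"; rewrite these for Web sign-in or drop them. "## Benefits of web sign-in" is an empty heading and "## How to use Web sign-in" is a single sentence; either fill them in or remove them before merge. The alert `>[!Note:]` is not the alert syntax the rest of the repo uses (`>[!NOTE]`, as in passwordless.md), and that line also has "realeased" and lowercase "windows 10". The tab icons are referenced as `images/icons/intune.svg` and `images/icons/provisioning-package.svg`, relative to `windows/security/identity-protection/web-sign-in/index.md`, but the SVG is added at `windows/security/images/icons/provisioning-package.svg`; unless the build resolves image paths from a different root, the reference should be `../../images/icons/provisioning-package.svg`. The prerequisite `[5030310][KB-1]` is missing the "KB" prefix used everywhere else, and "Windows 11 Pro Edu/Education" conflicts with the `appliesto: ✅ Windows 11` frontmatter; state the edition scope once, consistently. Finally, the three settings tables disagree on whether Configure Web Sign In Allowed Urls is optional (only the Intune table says so), and none of them says what the list actually enforces or what happens when it is left empty; since this is the control that constrains where the pre-logon web experience may go, the description should say explicitly that it is an allowlist and describe the unset behavior, and the "Preferred Azure AD tenant name" section should use "Microsoft Entra" to match the rest of this PR.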
@@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index 916ffeceb1..eb93e585d9 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md @@ -12,8 +12,8 @@ ms.topic: include | **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.

    Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. | | **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. | | **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in.

    Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.

    For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. | -| **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | | -| **[Passkey](/windows/security/identity-protection/passkey)** | | +| **[Windows Hello for Business passwordless](/windows/security/identity-protection/hello-for-business/passwordless)** | Windows Hello for Business passwordless is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. | +| **[Passkey](/windows/security/identity-protection/passkey)** | Passkeys provide a more secure and convenient method of logging into websites and applications that support them, compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can be unlocked using Windows Hello (biometrics or a PIN). Passkeys are designed to be used without the need for additional login challenges, making the authentication process faster and more convenient.| | **[Security key (FIDO2)](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. 
FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.

    Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. | | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. | | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
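Review bot: The new Passkey row reuses the wording this same PR replaces in passkey/index.md ("Passkeys are designed to be used without the need for additional login challenges" here versus "Passkeys can be used without the need for other sign in challenges" in the index), so the two descriptions will drift; copy the final index wording into this row. The passwordless row's "users will not be given the option" should use the contraction ("won't") to match the style edits made throughout this PR, and the Passkey row is missing the space before its closing pipe (`convenient.|`) that every other row in the table has.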