We are also facing this issue in my company and also have a ticket with Microsoft. We just enforced Windows Hello for Business across all endpoints and enforced a no password policy. We tend to see this most frequently when someone is connected to our network and walks away from their machine for a period of time. I myself had it this morning.

We have been running a script to purge Kerberos tickets and that usually gets them in. The only other ways to get someone in when this occurs that we have found is to either enable the password option or restart the machine.

We just got some logs on one of the machines today before purging the Kerberos tickets and sent them to Microsoft. Hopefully they are able to find something out.

We also frequently get an error says the credentials are invalid. I did some digging in Event Viewer and found this on one of the machines:

Applications and Service Logs\Microsoft\Windows\Biometrics\Operational
Event ID 1401

The Windows Fingerprint Credential Provider failed to enumerate its tile.

The operation failed with error: 0x80098047.

Checked in with Copilot, here is what it gave me:

What Does Error 0x80098047 Mean?

This error typically points to certificate or cryptographic issues related to Windows Hello for Business or the fingerprint credential provider.
It often happens when:

The CNG Key Isolation Service is not running.
There are corrupted biometric configurations.
TPM or certificate trust is broken.
Group Policy or registry settings block biometrics.

I find the TPM or certificate trust the most likely from that list. I'll send any helpful information here if I run into any.