MFA for Windows authentication

eg1995 1,131 Reputation points
2020-12-14T12:52:03.25+00:00

Dears,

Can you advise if there is a solution to have MFA for my Windows authentication, not just the apps?
I need to use double authentication when I sign in to my Windows 10 PC.
Windows Hello replaces the authentication and doesn't offer an MFA solution as far as I know.

Thank you in advance

Tags: Windows 10, Windows 10 Security

5 answers

  1. Joy Qiao 4,886 Reputation points Microsoft Employee
    2020-12-15T02:51:18.527+00:00

    Hi,

    Is it a local device or domain joined device?
    What's your system edition? Windows 10 Professional, home or Enterprise?

    We could check multi-factor authentication types in the following link:
    https://www.microsoft.com/en-us/security/business/identity/mfa

    If you want to choose multi-factor authentication (which includes two-factor verification) for personal use on a local device, we would recommend using the Microsoft Authenticator app, which supports personal Microsoft accounts, non-Microsoft accounts and also work or school accounts.

    If you prefer to use it on multiple domain-joined computers with a work account, we could consider deploying Windows Hello for Business, which can be combined with Azure Active Directory or Active Directory.

    If you are considering an external device such as a USB disk, token, phone or other, we could refer to the multi-factor authentication types link above for more details.

    If my information is useful for you, please accept it as the answer.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. eg1995 1,131 Reputation points
    2020-12-15T06:02:25.137+00:00

    It is a domain-joined device.
    I have a mix of Windows Pro and Ent.

    "If you want to choose multi-factor authentication (contains two-factor verification) for personal use on local device, we would recommend to use Microsoft Authenticator app which support personal Microsoft account, Non-Microsoft account and also work or school account."
    Is this on the Windows level or app level? Because I want MFA on signing in to Windows and not to applications.

    "If you prefer to use on multiple domain joined computers with work account, we could consider to deploy Windows Hello for Business which could combined with Azure Active Directory or Active Directory."
    Does Windows Hello offer MFA, or does it replace the actual password with a PIN, fingerprint...? I need to add my password and an additional method each time I log in to my Windows machine.

    Can you advise please?


  3. Joy Qiao 4,886 Reputation points Microsoft Employee
    2020-12-15T07:09:45.637+00:00

    Hi,

    Thank you for your reply.

    Is it an Azure AD environment, a hybrid environment, or a local environment?

    For Microsoft Authenticator app MFA, we need to download that software on the phone.

    When you want to log in to the PC, type your username and password into the device, and then copy the associated verification code from the Accounts screen of the Microsoft Authenticator app into the login. However, as your environment is not a local environment, this measure might not be suitable for you, since it has requirements for the phone system version and the logon process is a little complex.

    As enabling passwordless sign-in with the Microsoft Authenticator app is still in preview and also needs an Azure AD environment, I would not recommend using it.

    For Windows Hello for Business, which is different from Windows Hello: yes, it replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It can be configured by Group Policy or mobile device management (MDM) policy, and always uses key-based or certificate-based authentication.

    "i need to add my pass and an additional method each time i log in to my windows machine."

    A password is not a strong security choice; we would recommend using a PIN or gesture instead of a password. In Windows 10, the Windows Hello for Business provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. So even if others get your PIN, they still can't get your password and are not able to log in from another device to access your computer.

    Also, Windows Hello for Business could save the money of buying additional devices such as tokens.

    Here is authentication method strength and security (source: link):
    [image 48255-capture.png: authentication method strength and security table]
    If you don't want to use Windows Hello for Business, you could try a hardware token or phone.

    Bests,

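The answer above describes the mechanism (a device-bound key pair, a signature that only the PIN or biometric gesture can unlock, and a stolen PIN being useless on another machine). The following script is an added example, not code from the thread or from Microsoft: it simulates that challenge-response flow with an in-memory RSA (CNG) key standing in for the TPM-sealed key, a hashtable standing in for the identity provider, and a string comparison standing in for the local gesture check. Names such as `New-DeviceKey`, `Invoke-DeviceSign`, `Test-SignIn`, the user `alice@contoso.example` and the PIN values are all constructed for the demonstration.

```powershell
# Added example: simulates the key-based sign-in that Windows Hello for Business uses.
# ASSUMPTIONS: the key is a software RSACng key (a real deployment seals it in the TPM);
# the "IdP" is a hashtable in this script; the PIN check is a plain string compare that
# stands in for the TPM-enforced gesture. Nothing here contacts Azure AD or AD.

# --- Provisioning: the device generates a key pair and registers ONLY the public half.
function New-DeviceKey {
    param([int]$KeySize = 2048)
    [System.Security.Cryptography.RSACng]::new($KeySize)
}

function Register-DevicePublicKey {
    param($Idp, [string]$User, [System.Security.Cryptography.RSA]$DeviceKey)
    # ExportParameters($false) omits the private exponent, so the IdP never holds a secret
    # that could be replayed from elsewhere.
    $Idp[$User] = $DeviceKey.ExportParameters($false)
}

# --- Sign-in: the IdP issues a fresh nonce, the device signs it after the local gesture.
function New-Nonce {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $nonce
}

function Invoke-DeviceSign {
    param([System.Security.Cryptography.RSA]$DeviceKey, [byte[]]$Nonce,
          [string]$Pin, [string]$ExpectedPin)
    # Constructed stand-in for the gesture check. The PIN is consumed locally and is never
    # transmitted; on real hardware the TPM also rate-limits guesses.
    if ($Pin -ne $ExpectedPin) { throw "PIN rejected locally; no signature produced" }
    $DeviceKey.SignData($Nonce,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-SignIn {
    param($Idp, [string]$User, [byte[]]$Nonce, [byte[]]$Signature)
    if (-not $Idp.ContainsKey($User)) { return $false }
    $verifier = [System.Security.Cryptography.RSACng]::new()
    $verifier.ImportParameters($Idp[$User])
    $verifier.VerifyData($Nonce, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# --- Walk-through with constructed data
$idp = @{}                                   # constructed identity-provider stand-in
$laptopKey = New-DeviceKey
Register-DevicePublicKey -Idp $idp -User 'alice@contoso.example' -DeviceKey $laptopKey

# 1. Alice on her own laptop with the right PIN: signature verifies against the registered key.
$nonce = New-Nonce
$sig = Invoke-DeviceSign -DeviceKey $laptopKey -Nonce $nonce -Pin '1234' -ExpectedPin '1234'
"Alice, own laptop, correct PIN   : $(Test-SignIn -Idp $idp -User 'alice@contoso.example' -Nonce $nonce -Signature $sig)"

# 2. Attacker knows the PIN but is on another machine: a different key, so verification fails.
$otherKey = New-DeviceKey
$badSig = Invoke-DeviceSign -DeviceKey $otherKey -Nonce $nonce -Pin '1234' -ExpectedPin '1234'
"Attacker, other device, same PIN : $(Test-SignIn -Idp $idp -User 'alice@contoso.example' -Nonce $nonce -Signature $badSig)"

# 3. Attacker has Alice's laptop but not the PIN: the key never produces a signature.
try { Invoke-DeviceSign -DeviceKey $laptopKey -Nonce $nonce -Pin '0000' -ExpectedPin '1234' | Out-Null }
catch { "Attacker, Alice's laptop, wrong PIN: $($_.Exception.Message)" }
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on Windows; `RSACng` is the CNG-backed RSA class, which is the same API family a TPM-backed Windows Hello key is exposed through. The three cases show why the answer calls this two-factor: the signature proves possession of the device key (something you have), and the gesture gates the signing operation (something you know or are), with neither a password nor the PIN ever leaving the machine.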

  4. eg1995 1,131 Reputation points
    2020-12-15T07:37:53.633+00:00

    hello,

    It is a hybrid environment. AD Connect is syncing users to O365. However, devices aren't synced.
    Moreover, based on the above: having two-way authentication methods is not feasible for Windows login in my scenario, right?

    I just need a confirmation on this, because the customer is insisting on having two-way authentication steps when he signs in to Windows 10.

    Thank you in advance


  5. Joy Qiao 4,886 Reputation points Microsoft Employee
    2020-12-15T08:27:15.72+00:00

    Hi,

    I noticed the official article Hybrid Windows Hello for Business Prerequisites says:

    [image 48257-capture.png: excerpt from Hybrid Windows Hello for Business Prerequisites]

    So you need to make sure your device and account both sync with AAD and AD to use Windows Hello for Business.

    If your user has a misunderstanding about Windows Hello for Business and thinks it is not a two-way authentication step, we might need to make a description of Windows Hello for Business; maybe after that he could accept it, as it is high security protection.

    For the capture in the reply above, we could use the exclusion measures to check if you want high-level security protection, or change device sync to use Windows Hello for Business.

    If you have any other concerns or need further assistance, please reply to us.

    If any information is useful for you, please accept it as the answer.

    Bests,

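The last answer leaves the asker with a concrete to-do: confirm that the device, not just the user, is registered in Azure AD before Windows Hello for Business can provision in a hybrid environment. The script below is an added example, not code from the thread or from Microsoft, that reads the relevant state on one domain-joined Windows 10 client without changing anything: join state from `dsregcmd /status`, TPM presence and spec version, and the Windows Hello for Business policy key. Assumptions to be aware of: the `dsregcmd` field names parsed here (`AzureAdJoined`, `DomainJoined`, `TpmProtected`, `PolicyEnabled`, `PreReqResult`) vary by Windows build and some may be absent on older builds; the registry path `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork` is where the Group Policy "Use Windows Hello for Business" writes its `Enabled` value, and `RequireSecurityDevice` is the "Use a hardware security device" setting. The function names are constructed for this example.

```powershell
# Added example: readiness check for hybrid Windows Hello for Business on one client.
# Run in an elevated Windows PowerShell prompt on the domain-joined PC. Read-only.
# ASSUMPTION: dsregcmd field names are those of current Windows 10 builds; older builds
# may omit the "Ngc Prerequisite Check" section, in which case PreReqResult stays empty.

function Get-JoinState {
    # dsregcmd /status prints "   Name : Value" lines inside boxed sections; keep the ones we need.
    $wanted = 'AzureAdJoined|DomainJoined|TenantName|DeviceId|TpmProtected|PolicyEnabled|PreReqResult'
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match "^\s*($wanted)\s*:\s*(.+?)\s*$") {
            # First occurrence wins; the same name can appear in more than one section.
            if (-not $state.ContainsKey($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    $state
}

function Get-TpmSummary {
    # Get-Tpm (TrustedPlatformModule module) gives presence/readiness; Win32_Tpm gives the spec version,
    # which is what decides whether the WHfB key is hardware-bound (TPM 2.0) or software-only.
    $tpm  = Get-Tpm -ErrorAction SilentlyContinue
    $wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present   = [bool]($tpm -and $tpm.TpmPresent)
        Ready     = [bool]($tpm -and $tpm.TpmReady)
        SpecIs20  = [bool]($wmi -and $wmi.SpecVersion -like '2.0*')
    }
}

function Get-WhfbPolicy {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled               = [bool]($pol -and $pol.Enabled -eq 1)
        RequireSecurityDevice = [bool]($pol -and $pol.RequireSecurityDevice -eq 1)
    }
}

function Test-WhfbReadiness {
    $join = Get-JoinState
    $tpm  = Get-TpmSummary
    $pol  = Get-WhfbPolicy
    [pscustomobject]@{
        DomainJoined        = ($join['DomainJoined']  -eq 'YES')
        AzureAdJoined       = ($join['AzureAdJoined'] -eq 'YES')   # hybrid join shows YES for both
        TenantName          = $join['TenantName']
        DeviceId            = $join['DeviceId']
        DeviceKeyInTpm      = ($join['TpmProtected'] -eq 'YES')
        TpmPresentAndReady  = ($tpm.Present -and $tpm.Ready)
        Tpm20               = $tpm.SpecIs20
        WhfbPolicyEnabled   = $pol.Enabled
        HardwareKeyRequired = $pol.RequireSecurityDevice
        PreReqResult        = $join['PreReqResult']             # e.g. WillProvision / WillNotProvision
    }
}

$r = Test-WhfbReadiness
$r | Format-List

# The situation from this thread: users sync via AD Connect, devices do not.
if ($r.DomainJoined -and -not $r.AzureAdJoined) {
    Write-Warning 'Domain-joined but not Azure AD joined: device registration is the missing prerequisite for hybrid WHfB.'
}
if (-not $r.WhfbPolicyEnabled) {
    Write-Warning 'Windows Hello for Business policy is not enabled on this client (PassportForWork\Enabled).'
}
if ($r.WhfbPolicyEnabled -and -not $r.Tpm20) {
    Write-Warning 'No TPM 2.0 detected: the WHfB key would be software-backed, so consider RequireSecurityDevice only after a hardware refresh.'
}
```

If `AzureAdJoined` comes back `NO` while `DomainJoined` is `YES`, that matches the asker's situation and is the first thing to fix (configure device registration in AD Connect, then let the device register and re-run the check). `PreReqResult` is the client's own verdict on whether provisioning will start at next sign-in, so once it reads `WillProvision` the remaining questions are policy and TPM, which the two trailing warnings cover.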