Windows Hello for business

Terrell Bryant 1

Even with Windows Hello enforced via policy in Microsoft Intune, users can still sign in via single authentication using their password. I am currently testing if Windows Hello for Business is a viable MFA or Passwordless solution. Is there a way to make users use their Yubioco security key and not have the option to sign in via password authentication?

3 answers

Lu Dai-MSFT 28,346 Reputation points

2022-06-07T01:56:29.477+00:00

@Terrell Bryant Thanks for posting in our Q&A.

Based on my research, the following link may meet your requirement:
https://www.inthecloud247.com/enable-passwordless-authentication-to-windows-10-with-yubico-security-keys/
Note: Non-Microsoft link, just for the reference.

Hope it is what you want.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

2 people found this answer helpful.
Terrell Bryant 1 Reputation point

2022-06-07T14:50:37.9+00:00

Hello, @Lu Dai-MSFT

Thanks for your response. I have already done some testing using an Intune policy to apply these settings but, one of the main caveats I am running into is that users still have the ability to sign in to their Windows 10 device using password authenication. That would defeat the purpose of setting up Passwordless authentication if the user can just sign in normally using just their password.
Sign in to comment
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-06-07T16:18:53.567+00:00

Please see https://www.petervanderwoude.nl/post/excluding-the-password-credential-provider/ for removing the ability and option for users to use a password.
Please sign in to rate this answer.
Terrell Bryant 1 Reputation point

2022-06-07T18:04:58.47+00:00

Thank you I will take a look at this
Sign in to comment
Terrell Bryant 1 Reputation point

2022-06-14T18:47:41.587+00:00

Is there a way to remove the PIN option so that users only have the choice of using a security key assigned to them?
Please sign in to rate this answer.
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-06-14T20:22:30.887+00:00

No, there is no way to disable the PIN as this is a fallback mechanism if/when the primary authentication factor is not usable (for whatever reason).

Why do you want to disable the PIN? Can you describe the requirement you're are attempting to fulfill more fully?

Terrell Bryant 1 Reputation point

2022-06-14T20:42:22.73+00:00

II am looking to provide an endpoint MFA solution to my company using Yubikey security keys. Having the PIN as an option is a passwordless option but does not feel like a true MFA solution.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-06-15T18:05:59.073+00:00

WHfB is MFA: the device (something you have) and either a PIN or a biometric (something you know or is unique to you). This is no different than your bank card which is MFA: the card (something you have) and the PIN associated with the card (something you know).

Keep in mind also that the PIN and biometrics are specific to the device itself.

This is slightly different way to realize MFA, but it's still MFA.
Sign in to comment