Proposal for Cloud Verified Authentication on Windows Lock Screen

Interesting proposal. Adding additional authentication factors at the Windows sign-in stage could certainly strengthen protection against unauthorised access to stolen devices.

That said, there are a few considerations:

• A cloud-based OTP mechanism would require network connectivity before authentication, which may not always be available.
• If access to the Microsoft account or email is compromised, an attacker could potentially obtain the OTP as well.
• Microsoft already offers several layers of protection, including Windows Hello, FIDO2 security keys, BitLocker device encryption, Conditional Access, and passwordless sign-in with Microsoft Authenticator.

Perhaps a cloud-assisted MFA option as an additional sign-in method, rather than a replacement for existing authentication methods, could provide a good balance between security, usability, and offline access requirements.

It's great to see security-focused ideas like this being discussed and explored.