Forum Discussion
Why do users have the option to skip MFA while signing into Windows 10?
- Apr 29, 2022
Ryan_Fischer The purpose of MFA in this case is to set up the Windows Hello PIN as part of the initial provisioning process. MFA acts as an additional proof along with the password for this. Once the PIN is set up, the recommended way to log in is using the PIN, which is tied to the device.
Refer to the following links on the PIN provisioning process and why a PIN is considered a better alternative than a password:
How Windows Hello for Business works - Provisioning - Windows security | Microsoft Docs
Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs
I guess I am confused about the purpose of MFA then when logging into a device. If an attacker were to gain access to someone's password and either remote or physical access to an enterprise device, they would be able to skip the setup process and have access to on-premises resources. I am guessing the MFA only protects Azure resources?
- notyouraverageadmin, Mar 30, 2023, Brass Contributor
sharish19 I think what Ryan_Fischer is referring to is something I'd consider a design flaw: the ability of a user to cancel out of the WHFB registration MFA dialog box, which causes an error and results in the WHFB registration workflow presenting the error screen you referenced (with the 'Skip for now' button). Based on my testing, there is no limit to the number of times users can do this. In theory, then, a user could avoid WHFB registration in perpetuity. I have spoken with Microsoft support on the matter, and there is no fix for this. We can run reports to see which users haven't registered the WHFB authentication method on any devices, then report them to HR for scolding. The technical solution would be to remove the password credential provider through group or cloud policy. This would require users to sign in with another method like the WHFB PIN. This flaw is glaring and should be addressed by Microsoft.
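The "remove the password credential provider" mitigation in the post above, as an added example that is not part of the thread and not Microsoft's own tooling. The GPO "Exclude credential providers" (Computer Configuration > Administrative Templates > System > Logon) writes a comma-separated list of provider CLSIDs to the REG_SZ value `ExcludedCredentialProviders` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; this script writes the same value directly for a single test machine. Rather than hardcoding the PasswordProvider CLSID (commonly documented as `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`), it looks the CLSID up from the registered providers on the box, and it refuses to apply the exclusion unless `dsregcmd /status` reports `NgcSet : YES` for the signed-in user, because excluding the password provider before WHFB is provisioned leaves nobody able to sign in. Function names are the example's own; run it elevated.

```powershell
# Added example, not from the original thread. Assumes an elevated session on a
# domain- or Entra-joined Windows 10/11 device. Function names are hypothetical.

$CredProvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'ExcludedCredentialProviders'   # same value the "Exclude credential providers" GPO writes

function Get-CredentialProviderClsid {
    # Returns the CLSID subkey whose default value is the given provider name,
    # e.g. 'PasswordProvider', so the ID comes from this build, not a hardcoded constant.
    param([Parameter(Mandatory)][string]$Name)
    Get-ChildItem -Path $CredProvKey |
        Where-Object { $_.GetValue('') -eq $Name } |
        ForEach-Object { $_.PSChildName }
}

function Test-WhfbProvisioned {
    # dsregcmd /status prints "NgcSet : YES" under User State once the user has a
    # Windows Hello for Business key (NGC container) on this device.
    $status = & dsregcmd.exe /status
    return [bool]($status -match '^\s*NgcSet\s*:\s*YES')
}

function Add-ExcludedCredentialProvider {
    # Appends a CLSID to the comma-separated exclusion list without dropping
    # providers an existing policy may already exclude.
    param([Parameter(Mandatory)][string]$Clsid)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    $list = @()
    if ($existing) {
        $list = $existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    if ($list -notcontains $Clsid) { $list += $Clsid }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($list -join ',') -Type String
    return ($list -join ',')
}

$passwordClsid = Get-CredentialProviderClsid -Name 'PasswordProvider'
if (-not $passwordClsid) {
    throw "PasswordProvider not found under $CredProvKey; nothing changed."
}

if (-not (Test-WhfbProvisioned)) {
    # Guard against the lockout case the post warns about: no PIN yet means the
    # password provider is the only way in, so leave the policy alone.
    Write-Warning "WHFB is not provisioned for the signed-in user (NgcSet is not YES). Not excluding $passwordClsid."
}
else {
    $now = Add-ExcludedCredentialProvider -Clsid $passwordClsid
    Write-Output "Excluded PasswordProvider $passwordClsid. $PolicyValue is now: $now"
}
```

The exclusion is per device, not per user: once applied, every account that signs in at that console needs a working WHFB credential (or another non-excluded provider), so on shared machines the `NgcSet` check for the current user is not sufficient on its own. At scale the same value should come from the GPO or an Intune Settings Catalog policy targeting devices whose users show up as WHFB-registered in the authentication methods report, rather than from a script run per machine.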