Forum Discussion
PiotrIr, Copper Contributor
Apr 15, 2022
Windows Hello for Business as laptop's MFA
Hi,
I'm trying to set up Windows Hello for Business as my laptop's MFA, with some success. I'm using a PIN plus my mobile phone over Bluetooth, which meets my requirements. However, I can always bypass MFA just by entering a user name and password, without any second authentication. Could you advise how to resolve this, please? I want to use only methods that are supported by Microsoft.
- It depends... AFAIK there isn't any MS doc out there recommending either for or against it... most of the time it's just about experiences someone had.
https://call4cloud.nl/2021/04/battle-for-the-planet-of-the-credential-providers/#part10
But if you are okay with the issues you could endure when that password provider is disabled... of course it's more secure, because you are removing the possibility of logging in with the same password as their MS account.
5 Replies
- aollivierre305, Brass Contributor
WHfB is not ready for this. Disabling the password credential provider is not recommended either. Use a third-party service like Duo.
- PiotrIr, Copper Contributor: Thank you for your reply. Could you give me a link to the document which shows that disabling the password credential provider is not recommended? I just need to prove it to management.
- aollivierre305, Brass Contributor: Coexistence is really more of a sound passwordless strategy, at least in the early stages, until you answer some of the hard questions about what happens when passwords are disabled: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#:~:text=In%20this%20first%20step%2C%20passwords%20and%20Windows%20Hello%20for%20Business%20must%20coexist.
Some high-level questions to ask:
- If 100% passwordless were ready, why don't we see it as at least the DEFAULT experience in Win10/11 Home? Rolling this tech out to consumers first seems more plausible.
- Why can't we have the MS Authenticator app or FIDO2 security keys as the second factor (if the PIN were the first factor)?
- What happens if the user forgets the PIN and passwords are disabled? How does someone go about remediation in a TIMELY manner? One of the possible MEM reset options, or a PS script to enable the password credential provider again?
- What about RUN AS admin? What do we do there?
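The last two questions above ask how an admin would get the password credential provider back once it has been disabled, for example from an Intune/MEM remediation script. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft. It assumes the password provider CLSID is {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}, that the "Exclude credential providers" policy stores a comma-separated REG_SZ value named ExcludedCredentialProviders under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that a provider can also be switched off with a Disabled=1 DWORD under its own key beneath Authentication\Credential Providers; verify all three on your build before relying on them. Run it elevated; without -Remediate it only reports.

```powershell
# Added example: detect whether the Windows password credential provider is
# blocked on this machine and, with -Remediate, re-enable it.
# ASSUMPTIONS (not taken from the thread; check them on your own build):
#  - password provider CLSID {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
#  - "Exclude credential providers" policy -> REG_SZ ExcludedCredentialProviders
#    (comma-separated CLSIDs) under HKLM\...\Policies\System
#  - per-provider kill switch: DWORD Disabled=1 under
#    HKLM\...\Authentication\Credential Providers\<CLSID>
[CmdletBinding()]
param(
    [switch]$Remediate
)

$PasswordClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
$PolicyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue   = 'ExcludedCredentialProviders'
$ProviderKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$PasswordClsid"

function Get-PasswordProviderState {
    # Read the policy exclusion list (may be absent) and the per-provider flag.
    $excluded = @()
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    if ($raw) {
        $excluded = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $disabled = (Get-ItemProperty -Path $ProviderKey -Name 'Disabled' -ErrorAction SilentlyContinue).Disabled

    [pscustomobject]@{
        ExcludedByPolicy  = ($excluded -contains $PasswordClsid)
        ExcludedList      = $excluded
        DisabledFlagSet   = ($disabled -eq 1)
        ProviderKeyExists = (Test-Path $ProviderKey)
    }
}

function Enable-PasswordProvider {
    # Remove only our CLSID from the exclusion list; leave other exclusions intact.
    $state = Get-PasswordProviderState
    if ($state.ExcludedByPolicy) {
        $remaining = @($state.ExcludedList | Where-Object { $_ -ne $PasswordClsid })
        if ($remaining.Count -gt 0) {
            Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($remaining -join ',')
        } else {
            Remove-ItemProperty -Path $PolicyKey -Name $PolicyValue
        }
        Write-Output "Removed $PasswordClsid from $PolicyValue"
    }
    if ($state.DisabledFlagSet) {
        Remove-ItemProperty -Path $ProviderKey -Name 'Disabled'
        Write-Output "Cleared Disabled flag under $ProviderKey"
    }
}

$state = Get-PasswordProviderState
$state | Format-List

if ($Remediate) {
    Enable-PasswordProvider
    exit 0
}
# Detection-script convention: non-zero exit = "needs remediation".
if ($state.ExcludedByPolicy -or $state.DisabledFlagSet) { exit 1 } else { exit 0 }
```

Two caveats a practitioner would add: if the exclusion was pushed by an Intune policy (rather than set locally), the management channel may re-apply it on the next sync, so the real fix is to change or unassign the policy, and this script is only the emergency path; and re-enabling the provider does nothing for the "Run as administrator" case raised above, which still prompts for a password whether or not the logon screen shows the password tile.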