SOLVED

Why do users have the option to skip MFA while signing into Windows 10?

Occasional Contributor

I noticed that there is an option to close the MFA prompts and then skip the MFA process while signing into a Windows 10 device that is Hybrid joined to Azure AD. I am wondering why this would be and if there is any way to disable it. I feel like it defeats the purpose of MFA.

3 Replies

@Ryan_Fischer This option comes when setting up the Windows Hello PIN for the first time, where MFA is a prerequisite. Given there was an error in the process, the SKIP option is given to stop the PIN setup process and get into Windows. When we set up the PIN during the next login, we will go through this process again. The option to do MFA is not something that will happen during every login to Windows.

I guess I am confused about the purpose of MFA then when logging into a device. If an attacker was to have gained access to someone's password and either remote or physical access to an enterprise device, they would be able to skip the setup process and have access to on-premises resources. I am guessing the MFA only protects Azure resources?

best response confirmed by Ryan_Fischer (Occasional Contributor)
Solution

@Ryan_Fischer The purpose of MFA in this case is to set up the Windows Hello PIN as part of the initial provisioning process. MFA acts as an additional proof along with the password for this. Once the PIN is set up, the recommended way to log in is using the PIN, which is tied to the device.

Refer to the following links on the PIN provisioning process and why a PIN is considered a better alternative than a password:


How Windows Hello for Business works - Provisioning - Windows security | Microsoft Docs

Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs
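As an added example (not part of the original thread or of any Microsoft documentation), the following PowerShell parses the text output of `dsregcmd /status` so an administrator can check whether a hybrid-joined Windows 10 device already has a Windows Hello PIN (NGC key) provisioned for the signed-in user, or whether the user clicked SKIP and will be prompted again (with MFA) at the next sign-in. The sample output is constructed; the field names (`AzureAdJoined`, `DomainJoined`, `NgcSet`, `AzureAdPrt`) follow the layout `dsregcmd /status` prints, and the function names are my own.

```powershell
# Added example, not code from the original thread. Parses dsregcmd /status
# output and reports whether a Windows Hello for Business PIN is provisioned.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Status rows look like "<spaces>Name : Value"; box-drawing separator
        # lines ("+---", "| Device State |") do not match and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-HelloPinProvisioned {
    param([Parameter(Mandatory)][hashtable]$Status)
    $hybrid = ($Status['AzureAdJoined'] -eq 'YES') -and ($Status['DomainJoined'] -eq 'YES')
    $pinSet = $Status['NgcSet'] -eq 'YES'

    if ($hybrid -and -not $pinSet) {
        $finding = 'PIN setup skipped or failed; user will be prompted (with MFA) at next sign-in'
    } elseif ($pinSet) {
        $finding = 'PIN provisioned'
    } else {
        $finding = 'Device not hybrid joined'
    }

    [pscustomobject]@{
        HybridJoined   = $hybrid
        PinProvisioned = $pinSet
        AzureAdPrt     = ($Status['AzureAdPrt'] -eq 'YES')
        Finding        = $finding
    }
}

# Constructed sample resembling dsregcmd /status output for a hybrid-joined
# device where the user skipped PIN setup (NgcSet : NO).
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
                AzureAdPrt : YES
'@
$sample = $sampleText -split "`r?`n"

Test-HelloPinProvisioned -Status (ConvertFrom-DsregStatus -Lines $sample)

# On a live device, feed the real output instead of the constructed sample:
#   $live = dsregcmd /status
#   Test-HelloPinProvisioned -Status (ConvertFrom-DsregStatus -Lines $live)
```

Running the block against the constructed sample reports `HybridJoined = True`, `PinProvisioned = False` and the "PIN setup skipped or failed" finding, which is the state the thread describes: the device is usable with the password alone until the PIN provisioning (and its MFA step) completes at a later sign-in.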