Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Why do users have the option to skip MFA while signing into Windows 10?

Brass Contributor

I noticed that there is an option to close the MFA prompts and then skip the MFA process while signing into a Windows 10 device that is Hybrid jonied to Azure AD. I am wondering why this would be and if there is anyway to disable it.  I feel like it defeats the purpose of MFA. 

4 Replies

@Ryan_Fischer This option comes when setting up the Windows Hello PIN during the first time where MFA is a pre-requisite. Given there was an error in the process, SKIP option is given to stop the PIN setup process and get into Windows. When we setup the PIN during the next login, we will go through this process again. The option to do MFA is not something that will happen during every login to windows. 

I guess I am confused of the purpose of MFA then when logging into a device. If an attacker was to have gained access to someone's password and either remote or phycial access to enterprise device they would be able to skip the setup process and have access to on-premises resources. I am guessing the MFA only protects Azure resources?

best response confirmed by Ryan_Fischer (Brass Contributor)
Solution

@Ryan_Fischer The purpose of MFA in this case is to setup Windows Hello PIN as part of the initial provisioning process. MFA acts as an additional proof along with the password for this. Once the PIN is setup, the recommended way to login is using PIN which is tied to the device. 

 

Refer to the following links on PIN provisioning process and why a PIN is considered a better alternative than password

 

How Windows Hello for Business works - Provisioning - Windows security | Microsoft Docs

Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs

@sharish19 I think what @Ryan_Fischer is referring to is something I'd consider a design flaw: The ability of a user to cancel out of the WHFB registration MFA dialog box, which causes an error and results in the WHFB registration workflow to present the error screen you referenced (with the 'Skip for now' button). Based on my testing, there is no limit to the number of times users can do this. In theory then, a user could avoid WHFB registration in perpetuity. I have spoke with Microsoft support on the matter, and there is no fix for this. We can run reports to see which users haven't registered the WHFB authentication method on any devices, then report them to HR for scolding. The technical solution would be to remove the password credential provider through group or cloud policy. This would require users to sign in with another method like the WHFB PIN. This flaw is glaring and should be addressed by Microsoft.
1 best response

Accepted Solutions
best response confirmed by Ryan_Fischer (Brass Contributor)
Solution

@Ryan_Fischer The purpose of MFA in this case is to setup Windows Hello PIN as part of the initial provisioning process. MFA acts as an additional proof along with the password for this. Once the PIN is setup, the recommended way to login is using PIN which is tied to the device. 

 

Refer to the following links on PIN provisioning process and why a PIN is considered a better alternative than password

 

How Windows Hello for Business works - Provisioning - Windows security | Microsoft Docs

Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs

View solution in original post