cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Why do users have the option to skip MFA while signing into Windows 10?

Ryan_Fischer
Occasional Contributor

‎Apr 19 2022 03:21 PM - edited ‎Apr 19 2022 03:45 PM

‎Apr 19 2022 03:21 PM - edited ‎Apr 19 2022 03:45 PM

Why do users have the option to skip MFA while signing into Windows 10?

I noticed that there is an option to close the MFA prompts and then skip the MFA process while signing into a Windows 10 device that is Hybrid jonied to Azure AD. I am wondering why this would be and if there is anyway to disable it.  I feel like it defeats the purpose of MFA. 

Preview file
34 KB
1,069 Views
0 Likes
4 Replies
Reply
4 Replies
sharish19

‎Apr 26 2022 04:56 AM

‎Apr 26 2022 04:56 AM

Re: Why do users have the option to skip MFA while signing into Windows 10?

@Ryan_Fischer This option comes when setting up the Windows Hello PIN during the first time where MFA is a pre-requisite. Given there was an error in the process, SKIP option is given to stop the PIN setup process and get into Windows. When we setup the PIN during the next login, we will go through this process again. The option to do MFA is not something that will happen during every login to windows. 

0 Likes
Reply
Ryan_Fischer

‎Apr 28 2022 04:36 PM - edited ‎Apr 28 2022 04:41 PM

‎Apr 28 2022 04:36 PM - edited ‎Apr 28 2022 04:41 PM

Re: Why do users have the option to skip MFA while signing into Windows 10?

I guess I am confused of the purpose of MFA then when logging into a device. If an attacker was to have gained access to someone's password and either remote or phycial access to enterprise device they would be able to skip the setup process and have access to on-premises resources. I am guessing the MFA only protects Azure resources?

0 Likes
Reply
best response confirmed by Ryan_Fischer (Occasional Contributor)
sharish19

‎Apr 28 2022 10:59 PM

‎Apr 28 2022 10:59 PM

Solution

Re: Why do users have the option to skip MFA while signing into Windows 10?

@Ryan_Fischer The purpose of MFA in this case is to setup Windows Hello PIN as part of the initial provisioning process. MFA acts as an additional proof along with the password for this. Once the PIN is setup, the recommended way to login is using PIN which is tied to the device. 

 

Refer to the following links on PIN provisioning process and why a PIN is considered a better alternative than password

 

How Windows Hello for Business works - Provisioning - Windows security | Microsoft Docs

Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs

0 Likes
Reply
notyouraverageadmin

‎Mar 30 2023 03:39 PM

‎Mar 30 2023 03:39 PM

Re: Why do users have the option to skip MFA while signing into Windows 10?

@sharish19 I think what @Ryan_Fischer is referring to is something I'd consider a design flaw: The ability of a user to cancel out of the WHFB registration MFA dialog box, which causes an error and results in the WHFB registration workflow to present the error screen you referenced (with the 'Skip for now' button). Based on my testing, there is no limit to the number of times users can do this. In theory then, a user could avoid WHFB registration in perpetuity. I have spoke with Microsoft support on the matter, and there is no fix for this. We can run reports to see which users haven't registered the WHFB authentication method on any devices, then report them to HR for scolding. The technical solution would be to remove the password credential provider through group or cloud policy. This would require users to sign in with another method like the WHFB PIN. This flaw is glaring and should be addressed by Microsoft.
0 Likes
Reply