Windows 11 Feature Requests: 2 Factor Authentication for Windows Logon and RDP Logon

New Contributor

Hi,

It should be useful having 2 Factor Authentication for Windows Logon and RDP Logon.

 

Tip solution 1:

A. In Logon window the user write the first password (by the way, make max length longer and activate Paste  and Copy)

 

B. Then the user receives a notification from App on his smartphone and he can insert the second password)

-------------------------------------------------------------

 

Tip solution 2 (stronger and more convenient):

 In Logon window the user choose to load the first password from a cyphered wallet on a pen drive (the cyphered wallet on a pen drive has been created previosly by Windows, which even created a 'Long Casual Password' for Logon) 

So the system:

A. Sends to a notification to th App on User's smartphone and the User can insert his 'Short password'

 

B. Then the system accesses to the cyphered wallet on User's pen drive and retrieves the 'Long Casual Password' for logon 

 

 

 

7 Replies
Microsoft is following different policy and it is removing password and technologies like Windows Hello Face recognition, PIN , etc.
The architecture of Windows is different.
You will use 2FA because login page is accessible remotely from internet.
However, in case of Windows, you will need to have physical access to the system and you may use other methods like BitLocker.

@Reza_Ameri This response is a total ignorance of the nature of the request.   Everyone in the modern world has a smart phone.  We can and should be able to authenticate logins (remote and at end terminal systems) via verifying a 2nd factor.  That can and should offer Text Message, E-Mail, Automated Phone Call (with code), and some "talk to a person" option if all else fails.  This is not a joke, it is important and a major security concern.

@Reza_Ameri MFA using push notifications is massively more secure than existing Windows Hello solutions.

 

The argument that PIN + device or Face + Device is MFA is unreasonable. The technology is literally already there.

 

This is definitely needed.

Well... This would be unnecessary for the login window to implement MFA.

As by current design, MFA should be implement on critical services or system e.g. Microsoft 365 suite or access www.office.com. If MFA detect un-usual signal it will requires MFA authentication.

If adding this to the login window only could cause more authentication attempts for the end users not a good one.
Access to local files isn't considered critical? I support enterprise environments, this is sorely missing. Having it as an option wouldn't affect anyone's workflow that didn't want it.

Third party tools such as Duo currently fill this need but are very expensive. Windows Hello already has the Authenticator support as it's included in the enrollment phase
Using Smart Phone is not a very secure way to do it, there are limitation in protection phones and while it is easy to manage Windows, there are some limitations in managing phones and when someone hack into the phone, they have access to everything including 2FA.
However, your idea might work in certain scenarios and it depends on the security requirements. Therefore, I advise you to use the Feedback Hub app in the Windows 11 or Windows 10 and file a suggestion and explain your requirements and share it, those who agreed with this , would be able to upvote it.
We have to use two factor authentication for Windows sign-in of Azure AD/MEM managed devices too. What solution do you use now?