Windows Login: Two-factor authentication (2FA) (Feature Requests)

Copper Contributor

Multi-factor authentication is used in many areas, but I don't yet know of its implementation for a Windows user's local account. However, you can go a step further.

This exposition refers to authentication on the local computer (the focus here does not deal with other areas such as remote access, etc.).

Authentication has been implemented with systems such as password, PIN, pattern in an image, fingerprint, facial recognition, physical keys, etc.

These systems are classified into:

Memo Elements:     Password, PIN, Pattern
Physical Elements: Fingerprint, Facial, Key

As we can only use one of them as a means of authentication, it would be very easy for an attacker to overtake it, so our desktop would be exposed.

Memo Elements: we are being educated to use long and complicated passwords, to be safe from brute force attacks.

Therefore, these complicated passwords are usually written on paper or in a text file (memorizing them is difficult).

Prying eyes make the local environment highly vulnerable.

Physical Elements: their use can be forced by force or theft. With the "Memo Elements" it is more difficult to force them to be revealed.

This scenario could occur with people who have access to very important information, and in their own homes: bank directors, technology companies, etc.

Given this weakness of a single control point, optionally, for those who consider it necessary, having a second barrier could avoid many breakdowns, although when talking about security we already know that it will never be 100%.

The Physical Elements give more agility, but they are weak; relying only on these systems weakens my security.

Personally I have a very long password and PIN that are difficult to remember, so I use a Physical Element (fingerprint), to which I would like to add an optional token / "salt" (auxiliary, attached or complementary key), call it what you want, but one that is very simple in its daily use.

My "salt" (a short key of 1 to 4 characters) is easy to memorize and type.

For example: "kk", "asdf", "123", "ñlk", "ç", etc.

At the same time, it is difficult to detect how it is typed.

So every time I identify with my fingerprint and type "kk", it is done.

False Door:

To avoid intimidation we can have two versions of the "salt": the True Door, of which we have already spoken, and another called the False Door, which gives the appearance of having provided the true key but is an identification that tells the system to present what looks like a normal login, without giving access to critical information.

Schematic table: there may be more elements at play, and you would have to look at them and fill in this table in a thoughtful way, but what is clear to me is that if I could choose to activate my "salt" I would apply it unequivocally to the Physical Elements.

| Element       | Password | PIN | Pattern | Fingerprint | Facial | Physical keys | Salt |
|---------------|----------|-----|---------|-------------|--------|---------------|------|
| Password      | -        |     |         |             |        |               | No   |
| PIN           | No       | -   |         |             |        |               | No   |
| Pattern       | ??       | ??  | -       |             |        |               | ??   |
| Fingerprint   | ??       | ??  | ??      | -           |        |               | Yes  |
| Facial        | ??       | ??  | ??      | ??          | -      |               | Yes  |
| Physical keys | ??       | ??  | ??      | ??          | ??     | -             | Yes  |

This scheme can grow with elements such as mobile fingerprint, Bluetooth proximity, voice, OTP, etc. But this is enough to understand the idea.
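The post describes two mechanisms: a short "salt" typed after the biometric check, and a "False Door" key that opens a restricted session instead of refusing login. The following Python is an added illustration of how such a second barrier could be verified on the device; it is not Windows code, not part of the original post, and the class name `SecondBarrier`, the `biometric_ok` flag (standing in for the result of the fingerprint check) and the attempt limit `MAX_ATTEMPTS` are assumptions. It stores both keys only as PBKDF2 hashes, compares them in constant time, and caps wrong attempts, because a 1-to-4-character key is only safe against guessing if the number of tries is bounded.

```python
import hashlib
import hmac
import secrets

# Added illustration of the post's "salt" + "False Door" idea (not a Windows
# feature, not the poster's code). Names and policy values are assumptions.

PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 3  # assumed policy: wrong short keys allowed before lockout


def _derive(key: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the typed key with a per-enrolment random salt.

    The key is UTF-8 encoded so non-ASCII examples from the post ("ñlk", "ç")
    work the same as ASCII ones.
    """
    return hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SecondBarrier:
    """Second factor checked after the biometric (Physical Element) succeeds.

    Two keys are enrolled: the True Door (full session) and the False Door
    (a session that looks normal but hides critical data). Neither key is kept
    in clear; only salted hashes are stored.
    """

    def __init__(self, true_key: str, false_key: str) -> None:
        if true_key == false_key:
            raise ValueError("True Door and False Door keys must differ")
        self._true_salt = secrets.token_bytes(16)
        self._false_salt = secrets.token_bytes(16)
        self._true_hash = _derive(true_key, self._true_salt)
        self._false_hash = _derive(false_key, self._false_salt)
        self.failed_attempts = 0
        self.locked = False

    def verify(self, biometric_ok: bool, typed_key: str) -> str:
        """Return "full" (True Door), "restricted" (False Door) or "denied".

        biometric_ok stands in for the outcome of the fingerprint/face check;
        the short key is never evaluated unless that first factor passed.
        """
        if self.locked or not biometric_ok:
            return "denied"
        # Compute both comparisons every time so the timing of the check does
        # not reveal which door (if any) the typed key matched.
        is_true = hmac.compare_digest(_derive(typed_key, self._true_salt), self._true_hash)
        is_false = hmac.compare_digest(_derive(typed_key, self._false_salt), self._false_hash)
        if is_true:
            self.failed_attempts = 0
            return "full"
        if is_false:
            # The False Door counts as a successful login from the outside,
            # so the failure counter is reset just as for the True Door.
            self.failed_attempts = 0
            return "restricted"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True  # short keys need a hard cap on guesses
        return "denied"


if __name__ == "__main__":
    # Constructed sample enrolment using two of the post's example keys.
    barrier = SecondBarrier(true_key="kk", false_key="asdf")
    print(barrier.verify(True, "kk"))    # full
    print(barrier.verify(True, "asdf"))  # restricted
    print(barrier.verify(False, "kk"))   # denied (biometric failed)
    for _ in range(MAX_ATTEMPTS):
        print(barrier.verify(True, "zz"))  # denied, then locked
    print(barrier.locked)                # True
```

The point for a practitioner is that the short key only adds protection if it is stored hashed, checked in constant time and rate-limited; without the attempt cap, a 1-to-4-character secret is guessable in a handful of tries once the biometric factor is satisfied.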

0 Replies