Windows 10 two-factor authentication (2FA)

  • Question

  • Hello,

    I heard Windows 10 has got a two-factor authentication.

    So first you have to type a password and secondly you need a PIN or a biometric fingerprint or something else.

    And I don't mean encryption like BitLocker.

    Now my question is where can I activate the two-factor authentication?

    Thank you for your answers.

    Tuesday, August 11, 2015 10:06 AM

Answers

  • Christian,

    Please check the blog below for the two-factor authentication:

    Windows 10: Security and Identity Protection for the Modern World

    "Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device – in addition to the means to use the user’s credential – which would require access to the user’s PIN or biometric information."

    For more information, please check the blog above.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by lvj1001 Tuesday, August 18, 2015 6:14 PM
    • Marked as answer by Zen the Ocelot Sunday, August 23, 2015 2:30 AM
    Wednesday, August 12, 2015 5:30 AM
  • On Wed, 12 Aug 2015 07:38:48 +0000, Christian Springer wrote:

    You can read all over the web that it is possible to use a device, for example a Windows tablet, as a second authentication factor.

    I wonder why I am unable to find details about the configuration of this feature.

    It is unclear what exactly you are trying to achieve here. You can set up
    Windows 10 to log you on with a PIN, thumbprint, iris or facial
    recognition. All of these are done through the Settings app. None of these,
    by themselves, enable the device as a second factor of authentication.

    If that is what you truly want to do, then you need to implement Microsoft
    Passport and this can only be done with a computer that is joined to either
    a Windows domain or to an Azure AD domain.

    https://technet.microsoft.com/en-us/library/mt219734%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396


    Paul Adare - FIM CM MVP

    • Proposed as answer by Michael_LS Wednesday, August 19, 2015 2:04 AM
    • Marked as answer by Zen the Ocelot Sunday, August 23, 2015 2:30 AM
    Wednesday, August 12, 2015 11:56 AM
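
The device-plus-PIN model from the blog passage quoted above, as an added sketch that is not part of the thread or Microsoft's code. It assumes a symmetric HMAC key as a stand-in for the registered key pair, and the class names, the lockout threshold and the sample PIN are constructed for illustration.

```python
import hashlib, hmac, os

class Device:
    """Stand-in for a TPM-backed device; the secret never leaves it."""
    MAX_TRIES = 3  # assumed lockout threshold, not a documented Windows value

    def __init__(self, pin):
        self._salt, self._secret = os.urandom(16), os.urandom(32)
        self._pin_check, self._failures = self._kdf(pin), 0

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def enrollment_key(self):
        # Simplification: a real enrollment registers a public key, not a shared secret.
        return self._secret

    def sign(self, pin, challenge):
        if self._failures >= self.MAX_TRIES:
            raise PermissionError("device locked out")
        if not hmac.compare_digest(self._kdf(pin), self._pin_check):
            self._failures += 1
            raise PermissionError("wrong PIN")
        self._failures = 0
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self._keys = {}
    def enroll(self, user, key):
        self._keys[user] = key
    def verify(self, user, challenge, response):
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_scenarios():
    server, laptop = Server(), Device(pin="4821")  # constructed sample PIN
    server.enroll("user", laptop.enrollment_key())
    c = os.urandom(16)
    both = server.verify("user", c, laptop.sign("4821", c))
    # Same PIN typed on a different device: the key behind it is not the enrolled one.
    pin_only = server.verify("user", c, Device(pin="4821").sign("4821", c))
    locked = False
    for guess in ("0000", "1111", "1234", "4821"):  # enrolled device, PIN unknown
        try:
            laptop.sign(guess, c)
        except PermissionError as err:
            locked = "locked" in str(err)
    return {"device_and_pin": both, "pin_only": pin_only, "device_only_locked": locked}
```

In this model the PIN is only ever checked locally, so it has no value away from the enrolled device; a person holding both the device and the PIN is indistinguishable from the owner, which is the local-access concern raised later in the thread.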

All replies

  • On Tue, 11 Aug 2015 10:06:15 +0000, Christian Springer wrote:

    I heard Windows 10 has got a two-factor authentication.

    Windows 10 does support two factor auth.


    So first you have to type a password and secondly you need a PIN or a biometric fingerprint or something else.

    Two factor auth involves something you have and something you know. A
    password, followed by a PIN is not two factor auth as that is simply two
    things you know.

    If you have a fingerprint reader attached to your computer, go to
    Settings/Accounts/Sign-in options. This is where you'll be able to
    configure Windows Hello for fingerprint auth.


    Paul Adare - FIM CM MVP

    Tuesday, August 11, 2015 10:19 AM
  • I was able to configure a PIN and fingerprint auth.

    But I can just switch between password, PIN and fingerprint.

    How can I configure that I first have to type the password or the PIN and after that I have to use the fingerprint auth?

    So that I first have to give something I know and second to give something I have.
    Tuesday, August 11, 2015 11:40 AM
  • On Tue, 11 Aug 2015 11:40:30 +0000, Christian Springer wrote:

    How can I configure that I first have to type the password or the PIN and after that I have to use the fingerprint auth? So that I first have to give something I know and second to give something I have.

    You can't. It is either password, PIN, or fingerprint, you can't combine
    them.

    If you're using a fingerprint to sign-in, what's the point of also entering
    a password or a PIN? It serves no purpose and does not make the sign-in
    more secure.


    Paul Adare - FIM CM MVP

    Tuesday, August 11, 2015 12:12 PM
  • You can read all over the web that it is possible to use a device, for example a Windows tablet, as a second authentication factor.

    I wonder why I am unable to find details about the configuration of this feature.
    Wednesday, August 12, 2015 7:38 AM
  • Check below:

    Set up device enrollment in Microsoft Intune

    https://technet.microsoft.com/en-us/library/dn646962.aspx

    Regards


    Wednesday, August 12, 2015 9:09 AM
  • If you're using a fingerprint to sign-in, what's the point of also entering a password or a PIN? It serves no purpose and does not make the sign-in more secure.

    How does it not make the login more secure?  I don't consider possession of a device to be one of the factors, because possession has absolutely nothing to do with authentication.  Laptops and phones get lost or stolen ALL THE TIME, and it should not be that easy for a ne'er-do-well to climb right over one of the hurdles just by snatching the device out of my car/desk/pocket/backpack/whatever.

    So that factor is pretty much useless.  Possession.  Come on.  Combine how EASY it is to take possession of a device and how EASY even a 3 year old child can watch someone enter a 4-digit PIN once then recall it and use it later... 

    And Mythbusters showed just how easy it is to fake a fingerprint with a little practice and motivation...

    To me, even with all this, this is literally no better than an 8-character lower case password based on a dictionary word.  If I log onto someone else's device with a PIN that I saw them enter on a numeric keypad once, and they are logged into any of their accounts in their desktop session... well, I can read all their email, set up forwarders, set up rules to hide things, install malware, spyware, anything, really.

    And we don't even know how secure the 3D facial recognition stuff is, yet.  If I hold up a 3D printed head, is that enough to get me in?  I can turn a 3D printed bust of a person left and right no problem, and capturing the 3D model is dead easy if you get enough photographs of a person.

    I freaking HATE passwords, but I don't see how any of this stuff is better than passwords.

    Feel free to correct me on any of this.  I really want to believe that this is 2 factor authentication, but right now I see it as 1 factor that's weaker than a bad password, never mind a pass phrase.


    Wednesday, September 30, 2015 3:48 PM
  • I am trying to figure out if I can restrict Windows Hello to use only biometrics or to at least ask for biometrics first. As things are now I am first prompted for a password. I have to click to bring up the fingerprint or picture choice. I too think that a PIN is no better than a password and may be worse since it is harder to enforce complexity requirements and because there are fewer bits of entropy per character in a PIN.
    Tuesday, November 10, 2015 1:55 AM
  • It absolutely makes it more secure. You always have the option to bypass the fingerprint reader and type in a password as far as I know. If you could disable all but the fingerprint, or require both a fingerprint and password it would be much more secure. 
    Friday, June 2, 2017 8:52 PM
  • Very much agree - I think Microsoft and chip makers like Intel/AMD should work together to make that happen so that the end result is Windows users can use a passphrase + fingerprint scan as 2FA for disk encryption. That would be heaven!
    Monday, March 5, 2018 6:22 PM
  • Have a look at this; it must be addressed and patched.

    https://youtu.be/HZmAeyNM-TM

    Saturday, April 21, 2018 8:06 PM

  • Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device

    That is utterly ridiculous. It's fine against online attacks, but if your PC is in a school or business then someone who watches you enter your PIN has full access if you are away from your device.
    Monday, May 14, 2018 8:00 AM
  • I agree, this solution does not provide 2 factor authentication to get onto a device.  Given that Microsoft have their own mobile app authenticator the easiest solution would be to require a password and an app authenticator code.  As long as you unlock your phone biometrically or with your fingerprint then you cover as many bases as possible.  If only Microsoft could apply easy solutions!
    Thursday, November 1, 2018 8:44 PM