Windows 10 Selecting multiple factors for authentication: Policy? Somewhere else?

[ErikHamm]

My Win10Pro laptop has multiple options:

1. Password
2. PIN (on TPM)
3. Windows Hello camera (on TPM)
4. Fingerprint (reportedly unreliable)
5. Device-based authentication on iphone, via Microsoft program.

I would like to enable multiple-factor authentication, choosing from the options I want. Specifically I would like to enable ANY TWO of PIN, Hello, and device, so
a) PIN+Hello;
b) PIN+device and
c) Hello+device

Is this possible? If so, how?

 

[Neemobeer]

No you can only do 2fA with a Microsoft account and you'd set it up on the Microsoft account page.

 

[ErikHamm]

Thanks! Just to make sure I am getting this (depressing) answer right, I think you are saying:

a) I can 2Fa w/ a device and MS account. But that will use phone-based authentication, so will lock me out unless I have my phone. Also it will require me to 2Fa my MS account all the time, not just for access to my laptop. I don't always have my phone and I want to be able to access my laptop without it. So that is a nonstarter. (Obviously I could enable an alternate means of access, but that would just be a security hole.)

2) I can just use a long PIN, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA

3) I can just use Windows Hello, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA

4) I cannot even force it to require both Windows Hello and MS account PW when it wakes from sleep.

Am I getting your answer right?

 

[Neemobeer]

You can have multiple authentications enabled (I have password, PIN and finger printer) but it's only one factor. When using the 2FA yes you would need to use your phone. It's recommended that you set up three factors to avoid getting locked out if you don't have that second factor available. It can take up to a month to get access to your account again.