- Thread Author
-
- #1
My Win10Pro laptop has multiple options:
a) PIN+Hello;
b) PIN+device and
c) Hello+device
Is this possible? If so, how?
- Password
- PIN (on TPM)
- Windows Hello camera (on TPM)
- Fingerprint (reportedly unreliable)
- Device-based authentication on iphone, via Microsoft program.
a) PIN+Hello;
b) PIN+device and
c) Hello+device
Is this possible? If so, how?
Solution
- Thread Author
-
- #3
Thanks! Just to make sure I am getting this (depressing) answer right, I think you are saying:
a) I can 2Fa w/ a device and MS account. But that will use phone-based authentication, so will lock me out unless I have my phone. Also it will require me to 2Fa my MS account all the time, not just for access to my laptop. I don't always have my phone and I want to be able to access my laptop without it. So that is a nonstarter. (Obviously I could enable an alternate means of access, but that would just be a security hole.)
2) I can just use a long PIN, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA
3) I can just use Windows Hello, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA
4) I cannot even force it to require both Windows Hello and MS account PW when it wakes from sleep.
Am I getting your answer right?
a) I can 2Fa w/ a device and MS account. But that will use phone-based authentication, so will lock me out unless I have my phone. Also it will require me to 2Fa my MS account all the time, not just for access to my laptop. I don't always have my phone and I want to be able to access my laptop without it. So that is a nonstarter. (Obviously I could enable an alternate means of access, but that would just be a security hole.)
2) I can just use a long PIN, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA
3) I can just use Windows Hello, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA
4) I cannot even force it to require both Windows Hello and MS account PW when it wakes from sleep.
Am I getting your answer right?
- Joined
- Jul 4, 2015
- Messages
- 8,998
You can have multiple authentications enabled (I have password, PIN and finger printer) but it's only one factor. When using the 2FA yes you would need to use your phone. It's recommended that you set up three factors to avoid getting locked out if you don't have that second factor available. It can take up to a month to get access to your account again.