Windows 10 Selecting multiple factors for authentication: Policy? Somewhere else?

E

ErikHamm

New Member
Joined
Aug 21, 2019
Messages
2
My Win10Pro laptop has multiple options:
  1. Password
  2. PIN (on TPM)
  3. Windows Hello camera (on TPM)
  4. Fingerprint (reportedly unreliable)
  5. Device-based authentication on iphone, via Microsoft program.
I would like to enable multiple-factor authentication, choosing from the options I want. Specifically I would like to enable ANY TWO of PIN, Hello, and device, so
a) PIN+Hello;
b) PIN+device and
c) Hello+device

Is this possible? If so, how?
 
Solution
You can have multiple authentications enabled (I have password, PIN and finger printer) but it's only one factor. When using the 2FA yes you would need to use your phone. It's recommended that you set up three factors to avoid getting locked out if you don't have that second factor available. It can take up to a month to get access to your account again.
Sort by date Sort by votes
No you can only do 2fA with a Microsoft account and you'd set it up on the Microsoft account page.
 
Upvote 0 Downvote
Thanks! Just to make sure I am getting this (depressing) answer right, I think you are saying:

a) I can 2Fa w/ a device and MS account. But that will use phone-based authentication, so will lock me out unless I have my phone. Also it will require me to 2Fa my MS account all the time, not just for access to my laptop. I don't always have my phone and I want to be able to access my laptop without it. So that is a nonstarter. (Obviously I could enable an alternate means of access, but that would just be a security hole.)

2) I can just use a long PIN, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA

3) I can just use Windows Hello, stored in TPM, instead of a MS account w. 2FA. Obviously that's only 1FA

4) I cannot even force it to require both Windows Hello and MS account PW when it wakes from sleep.

Am I getting your answer right?
 
Upvote 0 Downvote
You can have multiple authentications enabled (I have password, PIN and finger printer) but it's only one factor. When using the 2FA yes you would need to use your phone. It's recommended that you set up three factors to avoid getting locked out if you don't have that second factor available. It can take up to a month to get access to your account again.
 
Upvote 0 Downvote
Solution
You must log in or register to reply here.

Similar threads

  • Featured
  • Article Article
Windows Hello vs. Windows Hello for Business: Secure Passwordless Authentication Guide
Replies
0
Views
482
ChatGPT
  • Featured
  • Article Article
Windows Hello for Business: The Ultimate Guide to Enterprise Authentication Security
Replies
0
Views
974
ChatGPT