It seems there have been some slight refinements in “Windows Hello for Business multifactor unlock” to truly require 2 factors to log into your PC Windows account. Some possible examples are Fingerprint + PIN, or Fingerprint + Presence of a particular Bluetooth device, e.g. a phone.
I’m curious if anyone here uses this. We are just beginning to experiment with it at work. It still does not enable OTP or MS Authenticator push approvals as one of the factors, which seems like a missed opportunity to me since users are already familiar with this for everywhere else they log into their MS account.
At work our mentality has been that fingerprint login might be good enough, but that the PIN is not, since it’s easy to snoop and people absolutely will use the same PIN on every machine. Afaik, Hello always has the PIN as an option, so even if users normally use fingerprint to log in, an attacker has the option to use the PIN (or password, if you don’t block that) instead. Requiring an additional credential to get into the PC seems like a good idea.
I had this set up for a while with user certificates… but I ended up having issues when removing the integration to Microsoft Entra, so I had to remove user certs and just rely on “convenience PIN”. Can also be a pain when your hardware keeps changing, breaking the trust on the TPM and having you recreate your PIN + Face ID.
Cross posting from windows 10 otp login.
Yubico has had an OTP method in play for a while now. I don’t know for how long or how well it works, as I’ve never been down that rabbit hole!
Thus far, we’ve enabled the “requirement” for Hello for Business Multifactor Unlock on two machines. It has done something, but I can still log in with just a password or just a fingerprint. I can no longer log in with just a PIN, though. So I don’t think it’s working right. PIN is the credential I felt was the weakest because it’s short, folks re-use it on multiple machines (phones, etc.), and often they are not watching for shoulder surfers.
You can disable “biometrics” through GPO and still retain the PIN, but it sounds like you want a combination of Password + PIN, correct?
As a note: Windows Hello for Business was designed to replace passwords, so it would still work as single-factor authentication, just that it no longer relies on the password. Doesn’t matter what Microsoft says, it does not behave like this. So you have to think about whether you’re looking into “compliance” or actual 2FA.
2nd note: you can force complex PINs… which will render it into another password… you’re drunk, Microsoft!!
We like fingerprint, but are concerned that it is not sufficiently “2-factorish” to satisfy CMMC 2.0. MS’s docs and demo video make it seem as though this multifactor unlock can be configured to unquestionably require 2 factors, to banish the question from our minds: e.g. finger plus a PIN, or finger plus your phone, or indeed password plus PIN, etc.
Yeah, “compliance” with what, with whom? To be honest I’m so worn down that if a single PIN to unlock my PC is good enough for CMMC 2.0 then sure, I don’t care that it’s not very secure in practice. I was just exploring this multifactor unlock in case we do actually need/want 2 keys to the lock that are both removed from the lock after the unlock action. But so far it is not working as advertised.
Looking in Event Viewer… it seems like it’s finding a PIN recovery key and counting that as one of the two factors, which might explain why I cannot log in with just a PIN (since the recovery key might fall into that same category), but anything else lets me in if the second factor is automatically satisfied by this PIN recovery key. It just seems so bafflingly stupid to construct this thing so that keys are glued into the locks. It’s multiple factors, but most of them are always being satisfied and you can’t unsatisfy them.
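For anyone trying to reproduce the observations above, the following PowerShell audit script is an added example (not code from the thread or from Microsoft). It reads back what the “Configure device unlock factors” policy actually deployed to a machine and lists the recent Hello for Business operational events that mention unlock, so the policy can be compared with what the logon UI enforced. It assumes the policy is stored under the registry key named in the script as comma-separated credential-provider GUIDs in `GroupA` and `GroupB`, with an optional `Plugins` XML for trusted signals; confirm that path against `gpresult /h` on your own build before relying on it.

```powershell
# Added example, not code from the thread: audit how multifactor unlock is
# configured on this machine and pull the related Hello for Business events.
# Assumption: the "Configure device unlock factors" policy lands under the key
# below as comma-separated credential-provider GUIDs in GroupA and GroupB
# (plus an optional Plugins XML for trusted signals). Verify with gpresult /h.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'
$helloLog  = 'Microsoft-Windows-HelloForBusiness/Operational'

function Get-UnlockGroup {
    param([string]$Name)
    $value = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if (-not $value) { return @() }
    # Each group is stored as one comma-separated string of provider GUIDs
    return ($value.$Name -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

if (-not (Test-Path $policyKey)) {
    Write-Output "No DeviceUnlock policy key found: multifactor unlock is not configured by policy on this host."
    return
}

$groupA  = @(Get-UnlockGroup -Name 'GroupA')
$groupB  = @(Get-UnlockGroup -Name 'GroupB')
$plugins = (Get-ItemProperty -Path $policyKey -Name 'Plugins' -ErrorAction SilentlyContinue).Plugins

Write-Output "First unlock factor group  (GroupA): $($groupA -join ', ')"
Write-Output "Second unlock factor group (GroupB): $($groupB -join ', ')"
Write-Output ("Trusted-signal plugins configured: {0}" -f $(if ($plugins) { 'yes' } else { 'no' }))

# Both groups must name at least one provider before Windows can demand two factors.
if ($groupA.Count -eq 0 -or $groupB.Count -eq 0) {
    Write-Warning "One of the groups is empty; no second factor can be required from an empty group."
}

# A provider listed in both groups deserves review: check on a test machine
# whether one credential is being allowed to stand in for both factors.
$shared = $groupA | Where-Object { $groupB -contains $_ }
if ($shared) {
    Write-Warning "Provider(s) present in both groups: $($shared -join ', ')"
}

# Recent operational events mentioning unlock, to correlate the policy read-out
# with what the logon UI actually enforced (first line of each message only).
Get-WinEvent -LogName $helloLog -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'unlock' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on one of the test machines after a `gpupdate /force`; the two group read-outs tell you whether the policy arrived at all, and the event list is where the “recovery key counted as a factor” behaviour described above should show up if the log records it.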
Exactly, it was so underwhelming for me, I’d rather just enable “Convenience PIN” (i.e. Windows Hello without the Microsoft 2FA part) than set up the whole ADFS/Entra structure needed for this.
Yeah, I hate what a mixed-up, unfriendly mess the MS admin world is. We have so many Windows-dependent applications that we’re pretty well stuck with it, though.