Windows 10 Multifactor Authentication – Briefing Notes

Posted on Updated on

Introduction

Windows 10 Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA provides additional protection against brute force and other password based attacks. Three common MFA options available in Windows 10 include:

  1. Picture Password
  2. PIN
  3. Windows Hello (Biometric support for facial, iris, and fingerprint recognition)

Interdependencies

All three of the MFA options in scope for this briefing can be enabled and disabled through Active Directory Group Policies.

Dependencies

In order to implement Device Guard, the following capabilities need to be present:

MFA Option

Requirement

Description

Picture Password Windows 8 or newer The PC must be running Windows 8, 8.1 or 10.
Picture Password Touch Interface The device must support a touch interface
PIN TPM The Trusted Platform Module is required to store the PIN and password hashes.
Windows Hello PIN enabled Windows Hello requires that PIN access be enabled.
Windows Hello Facial Recognition Supported Camera Windows Hello facial recognition requires a supported camera. Currently only the Intel RealSense 3D camera. Over time other cameras will also be supported
Windows Hello Fingerprint Supported Fingerprint Reader Windows Hello fingerprint recognition requires a supported fingerprint reader.

Integration

Windows 10 MFA integrates with Microsoft Passport and with Active Directory to provide seamless authentication through a number of common use cases.

Functionality

The Microsoft MFA options considered for this briefing are typically intended to act as a substitute for regular password authentication. Here will be scenarios where the password will still be required however for the majority of use cases, the password may nto be required if the end user is using one of the described MFA options.

Microsoft MFA solutions addressed are designed to strike a balance between security and ease of use. Most users report that using a MFA is convenient enough that they do not feel it is an undue burden.

MFA Option Functionality Description
Picture Password They user must correctly reproduce three gestures on an image of his/her choosing. Gestures can include, shapes, lines, and spots.
PIN They user must correctly enter a PIN (complexity controlled through GPO).
Hello Facial Recognition The device camera constantly looks for the users face. Once detected, the device unlocks itself.
Hello Finger Print Recognition The user must place a digit with a registered finger print on the devices finger print reader. If it matches a registered print, the user is granted access to the device with the account with which the print is registered.

If the user fails one of the authentication methods, they will need to use a password to unlock the device.

Deployment Considerations

All three of the MFA solutions considered can be deployed using GPO with minimal impact on current end user login methods. Once enabled, additional options will become available.

All of the addressed solutions consider the device as one of the authentication factors. Pins, Picture passwords, and biometric signatures are not stored or managed centrally. They will need to be managed on a per device basis.

It is recommended that end user training take place to ensure that NAV Canada staff understand the additional authentication options and any additional precautions that might be required to safeguard the additional factors.

Issues and Caveats

There are known issues and methods to bypass some of the Microsoft MFA options addressed.

MFA Option Known Issues
Picture Password Users must take care to avoid others from watching them while they enter a picture password. This may not be ideal for crowded environments. Additionally, users must take care to clean the device screen regularly to avoid leaving smudges that simplify reproducing the picture password.
PIN Users must take care to avoid others from watching them while they enter a PIN. This may not be ideal for crowded environments. Additionally, users must take care to clean the device screen regularly to avoid leaving smudges that simplify reproducing the PIN.
Hello Facial Recognition User can inadvertently unlock a device if they enter the cameras field of view. An unsuspecting user may also be “tricked” into unlocking a device by somebody who quickly “flashes” the device in front of them.
Hello Finger Print Recognition There are know issues with false negatives based on changes to digits based on injury or environmental conditions (cold, heat, humidity, etc.)
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s