Windows 10 Multi-Factor Authentication

Windows 10 Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA provides additional protection against brute-force and other password-based attacks. Three common MFA options available in Windows 10 include:

  1. Picture Password
  2. PIN
  3. Windows Hello (Biometric support for facial, iris, fingerprint recognition, companion device, etc.)

Active Directory Integration

All three of the MFA options in scope for this briefing can be enabled and disabled through Active Directory Group Policies.

Dependencies & Prerequisites

In order to implement Device Guard, the following capabilities need to be present:

| MFA Option | Requirement | Description |
| --- | --- | --- |
| Picture Password | Windows 8 or newer | The PC must be running Windows 8, 8.1 or 10. Of course Windows 8 is no longer in mainstream support. |
| Picture Password | Touch Interface | The device must support a touch interface. |
| PIN | TPM | The Trusted Platform Module is required to store the PIN and password hashes. |
| Windows Hello | PIN enabled | Windows Hello requires that PIN access be enabled. |
| Windows Hello Facial Recognition | Supported Camera | Windows Hello facial recognition requires a supported camera. Currently the Intel RealSense 3D camera is one of the most common supported. Over time other cameras will also be supported. |
| Windows Hello Fingerprint | Supported Fingerprint Reader | Windows Hello fingerprint recognition requires a supported fingerprint reader. |
| Windows Hello Companion Device | Supported Companion Device | Use an authenticator app on a companion device such as a mobile phone or wearable to authorize access. |


Windows 10 MFA integrates with Microsoft Passport and with Active Directory to provide seamless authentication through a number of common use cases.


The Microsoft MFA options considered for this briefing are typically intended to act as a substitute for regular password authentication. There will be scenarios where the password will still be required; however, for the majority of use cases, the password may not be required if the end user is using one of the described MFA options.

The Microsoft MFA solutions addressed are designed to strike a balance between security and ease of use. Most users report that using an MFA option is convenient enough that they do not feel it is an undue burden.

| MFA Option | Functionality Description |
| --- | --- |
| Picture Password | The user must correctly reproduce three gestures on an image of his/her choosing. Gestures can include shapes, lines, and spots. |
| PIN | The user must correctly enter a PIN (complexity controlled through GPO). |
| Hello Facial Recognition | The device camera constantly looks for the user's face. Once detected, the device unlocks itself. |
| Hello Fingerprint Recognition | The user must place a digit with a registered fingerprint on the device's fingerprint reader. If it matches a registered print, the user is granted access to the device with the account with which the print is registered. |
| Hello Companion Device | The user is prompted to authorize access on a companion device with either a PIN, push, or biometric prompt. |

If the user fails one of the authentication methods, they will need to use a password to unlock the device.

Deployment Considerations

All of the MFA solutions considered can be deployed using GPO with minimal impact on current end user login methods.  Once enabled, additional options are regularly becoming available.

All of the addressed solutions consider the device as one of the authentication factors. PINs, picture passwords, and biometric signatures are not stored or managed centrally. They will need to be managed on a per-device basis.
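Because these factors are managed per device, a local read-only check is a practical way to confirm which sign-in policies Group Policy has actually applied and whether the TPM they depend on is usable. The script below is an added example, not part of the original briefing; it assumes it is run in PowerShell on the Windows 10 device itself and reads the standard policy registry values written by the corresponding Administrative Templates settings (Windows Hello for Business values live under the PassportForWork key).

```powershell
# Added example (not from the original briefing): read-only audit of the local
# policy values written by the Group Policy settings for these sign-in options.
# A missing value means the policy is not configured and the Windows default applies.
$policies = 'HKLM:\SOFTWARE\Policies\Microsoft'
$checks = @(
    @{ Option = 'Picture password blocked';      Key = 'Windows\System';                Name = 'BlockDomainPicturePassword' }
    @{ Option = 'Convenience PIN allowed';       Key = 'Windows\System';                Name = 'AllowDomainPINLogon' }
    @{ Option = 'Windows Hello for Business';    Key = 'PassportForWork';               Name = 'Enabled' }
    @{ Option = 'Hello requires TPM';            Key = 'PassportForWork';               Name = 'RequireSecurityDevice' }
    @{ Option = 'Minimum PIN length';            Key = 'PassportForWork\PINComplexity'; Name = 'MinimumPINLength' }
    @{ Option = 'Biometrics allowed';            Key = 'Biometrics';                    Name = 'Enabled' }
    @{ Option = 'Facial enhanced anti-spoofing'; Key = 'Biometrics\FacialFeatures';     Name = 'EnhancedAntiSpoofing' }
)

$report = foreach ($c in $checks) {
    $path  = Join-Path $policies $c.Key
    $item  = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Option   = $c.Option
        Registry = "$path\$($c.Name)"
        Value    = if ($null -eq $value) { 'Not configured' } else { $value }
    }
}

# The PIN and Windows Hello options depend on a usable TPM.
# Get-Tpm needs an elevated session; report the failure instead of stopping.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $tpmState = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
} catch {
    $tpmState = "Unknown ($($_.Exception.Message))"
}
$report += [pscustomobject]@{ Option = 'TPM'; Registry = 'Get-Tpm'; Value = $tpmState }

$report | Format-Table -AutoSize -Wrap
```

A value of 1 means the named policy is enabled, so `BlockDomainPicturePassword = 1` indicates picture password sign-in is turned off, while `AllowDomainPINLogon = 1` indicates convenience PIN sign-in is turned on.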

It is recommended that end user training take place to ensure that staff understand the additional authentication options and any additional precautions that might be required to safeguard the additional factors.

Consider integrating with Azure Active Directory for more advanced Conditional Access options.

Issues and Caveats

There are known issues and methods to bypass some of the Microsoft MFA options addressed.

| MFA Option | Known Issues |
| --- | --- |
| Picture Password | Users must take care to prevent others from watching them while they enter a picture password. This may not be ideal for crowded environments. Additionally, users must take care to clean the device screen regularly to avoid leaving smudges that make the picture password easier to guess and reproduce. |
| PIN | Users must take care to prevent others from watching them while they enter a PIN. This may not be ideal for crowded environments. Additionally, users must take care to clean the device screen regularly to avoid leaving smudges that simplify reproducing the PIN. |
| Hello Facial Recognition | A user can inadvertently unlock a device if they enter the camera’s field of view. An unsuspecting user may also be “tricked” into unlocking a device by somebody who quickly “flashes” the device in front of them. Hello Facial Recognition relies on infrared scanning of features and cannot be “fooled” by photographs or even identical twins. |
| Hello Fingerprint Recognition | There are known issues with false negatives caused by changes to digits from injury or environmental conditions (cold, heat, humidity, etc.). |
