Windows 10 Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA provides additional protection against brute force and other password-based attacks. Three common MFA options available in Windows 10 include:
- Picture Password
- Windows Hello (Biometric support for facial, iris, fingerprint recognition, companion device, etc.)
- Active Directory Integration
All three of the MFA options in scope for this briefing can be enabled and disabled through Active Directory Group Policies.
Dependencies & Prerequisites
In order to implement Device Guard, the following capabilities need to be present:
| MFA Option | Requirement | Description |
| --- | --- | --- |
| Picture Password | Windows 8 or newer | The PC must be running Windows 8, 8.1 or 10. Of course Windows 8 is no longer in mainstream support. |
| Picture Password | Touch Interface | The device must support a touch interface. |
| PIN | TPM | The Trusted Platform Module is required to store the PIN and password hashes. |
| Windows Hello | PIN enabled | Windows Hello requires that PIN access be enabled. |
| Windows Hello Facial Recognition | Supported Camera | Windows Hello facial recognition requires a supported camera. Currently the Intel RealSense 3D camera is one of the most commonly supported. Over time other cameras will also be supported. |
| Windows Hello Fingerprint | Supported Fingerprint Reader | Windows Hello fingerprint recognition requires a supported fingerprint reader. |
| Windows Hello Companion Device | Supported Companion Device | Use an authenticator app on a companion device such as a mobile phone or wearable to authorize access. |
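As an added example (not part of this briefing), the following PowerShell inventories a machine against the prerequisites in the table above: the OS build, a present and ready TPM, and any enumerated biometric sensors. Get-Tpm, Get-PnpDevice and the Win32_OperatingSystem CIM class are standard Windows cmdlets and classes; the "touch screen" friendly-name match used to detect a touch digitizer and the build-number threshold are this example's own assumptions. Run it from an elevated prompt, since Get-Tpm requires administrative rights.

```powershell
# Added example: local readiness check for the MFA prerequisites listed above.
# Not code from the original briefing; the touch-screen heuristic is an assumption.

function Get-MfaReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Windows 8 RTM is build 9200, 8.1 is 9600, Windows 10 starts at 10240.
    # Picture password needs Windows 8 or newer per the prerequisites table.
    $osSupportsPicturePassword = $build -ge 9200

    # Get-Tpm (TrustedPlatformModule module) needs elevation; treat failure as "unknown".
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Fingerprint readers and Hello IR cameras enumerate under the Biometric PnP class.
    $biometric = Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue

    # Assumption: touch digitizers show up as "HID-compliant touch screen" devices.
    $touch = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -match 'touch screen' }

    [pscustomobject]@{
        OsBuild                   = $build
        OsSupportsPicturePassword = $osSupportsPicturePassword
        TouchInterface            = [bool]$touch
        TpmPresent                = $tpmPresent
        TpmReady                  = $tpmReady
        BiometricDevices          = @($biometric | ForEach-Object { $_.FriendlyName })
    }
}

# Usage: print the readiness summary for this machine.
Get-MfaReadiness | Format-List
```

A device that reports TpmReady = False will still let a user enrol a convenience PIN in some configurations, but the prerequisites table treats the TPM as required for protecting the PIN, so treat that row as a blocker when planning a rollout. An empty BiometricDevices list means neither a fingerprint reader nor a Hello-capable IR camera was detected; a plain webcam does not enumerate in the Biometric class.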
Windows 10 MFA integrates with Microsoft Passport and with Active Directory to provide seamless authentication through a number of common use cases.
The Microsoft MFA options considered for this briefing are typically intended to act as a substitute for regular password authentication. There will be scenarios where the password is still required; however, for the majority of use cases the password may not be required if the end user is using one of the described MFA options.
The Microsoft MFA solutions addressed are designed to strike a balance between security and ease of use. Most users report that using MFA is convenient enough that they do not feel it is an undue burden.
| MFA Option | Functionality Description |
| --- | --- |
| Picture Password | The user must correctly reproduce three gestures on an image of his/her choosing. Gestures can include shapes, lines, and spots. |
| PIN | The user must correctly enter a PIN (complexity controlled through GPO). |
| Hello Facial Recognition | The device camera constantly looks for the user’s face. Once detected, the device unlocks itself. |
| Hello Fingerprint Recognition | The user must place a digit with a registered fingerprint on the device’s fingerprint reader. If it matches a registered print, the user is granted access to the device with the account with which the print is registered. |
| Hello Companion Device | The user is prompted to authorize access on a companion device with a PIN, push, or biometric prompt. |
If the user fails one of the authentication methods, they will need to use a password to unlock the device.
All of the MFA solutions considered can be deployed using GPO with minimal impact on current end user login methods. Once enabled, additional options regularly become available.
All of the addressed solutions consider the device as one of the authentication factors. PINs, picture passwords, and biometric signatures are not stored or managed centrally. They will need to be managed on a per-device basis.
It is recommended that end user training take place to ensure that staff understand the additional authentication options and any additional precautions that might be required to safeguard the additional factors.
Consider integrating with Azure Active Directory for more advanced Conditional Access options.
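Because the picture password, convenience PIN, PIN complexity and biometric settings are all delivered as Group Policy, an administrator verifying a deployment wants to see what actually landed on an endpoint. The following PowerShell is an added example, not code from the briefing: it reads the machine-level policy values those GPO settings write under HKLM\SOFTWARE\Policies (the System, PassportForWork, PINComplexity and Biometrics keys) and reports each as configured or not. The registry paths and value names are the standard ones the corresponding policy settings use; the 0/1/2 interpretation of the PIN character-class values (allowed, required, not allowed) follows the PassportForWork policy convention and is stated here as an assumption to check against your own ADMX templates.

```powershell
# Added example: report which MFA-related Group Policy settings are present on
# this endpoint. Not code from the original briefing. Run elevated after
# "gpupdate /force" so the values reflect the latest policy refresh.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is Not Configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Describe-PinClass {
    param($Value)
    # Assumption: PINComplexity character-class values use 0 = allowed,
    # 1 = required, 2 = not allowed (PassportForWork policy convention).
    if ($null -eq $Value) { return 'Not configured (allowed)' }
    switch ([int]$Value) {
        0       { 'Allowed' }
        1       { 'Required' }
        2       { 'Not allowed' }
        default { "Unexpected value $Value" }
    }
}

function Get-MfaPolicyState {
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $pin = "$pfw\PINComplexity"
    $bio = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

    # 1 = "Turn off picture password sign-in" is Enabled
    $blockPicture = Get-PolicyValue $sys 'BlockDomainPicturePassword'
    # 1 = "Turn on convenience PIN sign-in" is Enabled
    $allowPin     = Get-PolicyValue $sys 'AllowDomainPINLogon'
    # 1 = "Use Windows Hello for Business" is Enabled
    $helloEnabled = Get-PolicyValue $pfw 'Enabled'
    # 0 = "Allow the use of biometrics" is Disabled
    $bioEnabled   = Get-PolicyValue $bio 'Enabled'

    $rows = @(
        [pscustomobject]@{ Setting = 'Picture password sign-in (domain accounts)'
                           State   = if ($blockPicture -eq 1) { 'Turned off by policy' } else { 'Not blocked' } }
        [pscustomobject]@{ Setting = 'Convenience PIN sign-in (domain accounts)'
                           State   = if ($allowPin -eq 1) { 'Enabled' } else { 'Not configured / off' } }
        [pscustomobject]@{ Setting = 'Windows Hello for Business'
                           State   = if ($helloEnabled -eq 1) { 'Enabled' } elseif ($helloEnabled -eq 0) { 'Disabled' } else { 'Not configured' } }
        [pscustomobject]@{ Setting = 'Biometrics allowed'
                           State   = if ($bioEnabled -eq 0) { 'Disabled by policy' } else { 'Allowed' } }
    )

    # PIN complexity rows: length bounds, character classes, expiration, history.
    $minLen = Get-PolicyValue $pin 'MinimumPINLength'
    $maxLen = Get-PolicyValue $pin 'MaximumPINLength'
    $rows += [pscustomobject]@{ Setting = 'PIN minimum length'
                                State   = if ($null -ne $minLen) { $minLen } else { 'Not configured (default 4)' } }
    $rows += [pscustomobject]@{ Setting = 'PIN maximum length'
                                State   = if ($null -ne $maxLen) { $maxLen } else { 'Not configured (default 127)' } }
    foreach ($class in 'Digits', 'UppercaseLetters', 'LowercaseLetters', 'SpecialCharacters') {
        $rows += [pscustomobject]@{ Setting = "PIN complexity: $class"
                                    State   = Describe-PinClass (Get-PolicyValue $pin $class) }
    }
    $expiry  = Get-PolicyValue $pin 'Expiration'
    $history = Get-PolicyValue $pin 'History'
    $rows += [pscustomobject]@{ Setting = 'PIN expiration (days)'
                                State   = if ($null -ne $expiry -and $expiry -gt 0) { $expiry } else { 'Never' } }
    $rows += [pscustomobject]@{ Setting = 'PIN history (previous PINs remembered)'
                                State   = if ($null -ne $history) { $history } else { 'Not configured (0)' } }

    return $rows
}

# Usage: tabulate the effective machine-level MFA policy on this endpoint.
Get-MfaPolicyState | Format-Table -AutoSize
```

Because the briefing notes that PINs, picture passwords and biometric templates live only on the device, this script only tells you what the policy permits, not which factors a given user has enrolled; pair it with the readiness check and your enrolment reporting when validating a pilot group.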
Issues and Caveats
There are known issues and methods to bypass some of the Microsoft MFA options addressed.
| MFA Option | Known Issues |
| --- | --- |
| Picture Password | Users must take care to avoid others watching them while they enter a picture password. This may not be ideal for crowded environments. Additionally, users must clean the device screen regularly to avoid leaving smudges that make it easier to guess and reproduce the picture password. |
| PIN | Users must take care to avoid others watching them while they enter a PIN. This may not be ideal for crowded environments. Additionally, users must clean the device screen regularly to avoid leaving smudges that make the PIN easier to reproduce. |
| Hello Facial Recognition | A user can inadvertently unlock a device if they enter the camera’s field of view. An unsuspecting user may also be “tricked” into unlocking a device by somebody who quickly “flashes” the device in front of them. Hello Facial Recognition relies on infrared scanning of features and cannot be “fooled” by photographs or even identical twins. |
| Hello Fingerprint Recognition | There are known issues with false negatives caused by changes to digits due to injury or environmental conditions (cold, heat, humidity, etc.). |