Now, with Windows 10 Fall Creators Update (version 1709), it is possible to do the above.
At Microsoft Ignite 2017, Erdal Ozkaya and Raymond Comvalius showed how to enable N-factor (the real multifactor) authentication in Windows 10. Interesting!
In this guide I am not going to discuss a fully fledged Windows Hello for Business deployment; I will only show how to enable the N-factor logon policy with local group policy.
1. Open your Local Group Policy Editor: press Windows Key + X, choose Run, and then type gpedit.msc
2. In the Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Configure device unlock factors
3. In the Configure device unlock factors setting, you have to enter the GUIDs of each credential provider.
The GUIDs for each credential provider are as follows:

| Credential Provider | GUID |
| --- | --- |
| PIN | {D6886603-9D2F-4EB2-B667-1971041FA96B} |
| Fingerprint | {BEC09223-B018-416D-A0AC-523971B639F5} |
| Face Recognition | {8AF662BF-65A0-4D0A-A540-A338A999D36F} |
| Trusted Signals | {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} |
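
Because a single mistyped character in a GUID is enough to break the policy, the lists can be checked against the table before they are pasted into the setting. The following PowerShell is an added example, not part of the original post or of Windows itself: `Test-UnlockFactorList` is a hypothetical helper name, the input is assumed to be the comma-separated GUID list typed into the first or second unlock factor field of the policy, and the sample values are constructed.

```powershell
# Credential provider GUIDs copied from the table in this post.
$KnownProviders = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Face Recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted Signals'
}

# Hypothetical helper: checks one comma-separated GUID list before it is pasted into the policy.
function Test-UnlockFactorList {
    param(
        [Parameter(Mandatory)][ValidateSet('First', 'Second')][string]$Factor,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    $providers = @()
    $problems  = @()
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 0) { $problems += 'list is empty' }
    foreach ($entry in $entries) {
        $parsed = [guid]::Empty
        if ($entry -notmatch '^\{[^{}]+\}$' -or -not [guid]::TryParse($entry, [ref]$parsed)) {
            $problems += "'$entry' is not a GUID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form"
        } elseif (-not $KnownProviders.ContainsKey($entry)) {
            # Well formed but not one of the four providers: most likely a typo.
            $problems += "$entry is not a credential provider from the table"
        } else {
            $providers += $KnownProviders[$entry]
        }
    }
    # Microsoft's multifactor unlock documentation allows Trusted Signals only in the second list.
    if ($Factor -eq 'First' -and $providers -contains 'Trusted Signals') {
        $problems += 'Trusted Signals can only be a second unlock factor'
    }
    [pscustomobject]@{
        Factor    = $Factor
        Providers = $providers -join ', '
        Problems  = $problems -join '; '
        Valid     = ($problems.Count -eq 0)
    }
}

# Constructed sample input: the second list has the last character of the PIN GUID mistyped.
Test-UnlockFactorList -Factor First  -Value '{BEC09223-B018-416D-A0AC-523971B639F5}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}'
Test-UnlockFactorList -Factor Second -Value '{D6886603-9D2F-4EB2-B667-1971041FA96C}'
```

The first call reports Fingerprint and Face Recognition as valid; the second is flagged because the mistyped GUID is well formed but matches no provider in the table.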
In my case I have used PIN and Fingerprint.
To test the functionality, lock the device and try to sign in.
First, it asks me to authenticate by scanning the fingerprint.
Once authenticated, it says your organization requires one more step and asks for my PIN.
When I enter my PIN, I can log into my device.
*If you made a typo when adding the GUIDs, don't worry: you can still log in with your password and correct everything.
This is a more secure method because it enforces the requirement of multi-factor authentication: something that you know (PIN), something that is part of you (fingerprint) and something that you have (device).