Hey everyone! We're transitioning to Windows 11 laptops at our company, and to simplify things for our users, we're adopting Windows Hello for Business (WhfB) for device logins. The idea is to provide a more user-friendly and secure experience by using a PIN instead of traditional passwords. However, our IT-Security team is concerned about relying solely on WhfB because they believe it lacks the added security of using Microsoft Authenticator. They want a setup where both WhfB and Microsoft Authenticator are required for accessing Citrix Workspace. I've tried setting up Conditional Access Policies to enforce this, but it seems like I can only choose one method – WhfB or Authenticator, not both. I've also faced issues while trying to force a password and Authenticator, as Citrix keeps prompting for WhfB. Is there any way to make an exception for specific applications or combine the two methods effectively?
3 Answers
I personally believe that Windows Hello offers stronger security since it’s device-specific. Have you thought about adding FIDO security keys like YubiKey? They're user-friendly and work seamlessly to provide additional security without the hassle. You could also consult the documentation on Microsoft's passwordless authentication approach; there are some great insights that might help your case!
I think you might run into limitations with Conditional Access Policies when trying to enforce both methods simultaneously. One suggestion is to integrate passkeys into Microsoft Authenticator and set up a custom Authentication Strength that only allows passkeys or an external FIDO2 key. This way, you can ensure a stronger authentication method. Also, have you looked into configuring WhfB to require both a PIN and biometric authentication? That could add an extra layer of security for device access.
Your IT-Security team might be overlooking the strengths of WhfB. Remember, a WhfB PIN is bound to the device, effectively providing two factors — something you have (the device) and something you know (the PIN). It’s not about using multiple methods, but leveraging the multifactor aspect efficiently. You can set up Conditional Access to require MFA, and the WhfB PIN should meet that requirement. Also consider excluding Citrix Workspace from certain policies and see if that helps.
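The custom Authentication Strength approach from the second answer, scoped to a single application as the third answer suggests, looks like the following when done with the Microsoft Graph PowerShell SDK. This is an added example, not code from any of the posters: it creates a strength that accepts only the `fido2` combination (roaming security keys and passkeys stored in Microsoft Authenticator, which Entra reports under that combination) and binds it to one app in a report-only Conditional Access policy. `$citrixAppId`, `$pilotGroupId` and the policy names are placeholders for values in your own tenant.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the caller can be granted Policy.ReadWrite.ConditionalAccess and
# Policy.ReadWrite.AuthenticationMethod. App and group IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.ReadWrite.AuthenticationMethod'

$citrixAppId  = '00000000-0000-0000-0000-000000000000'   # placeholder: Citrix Workspace app ID from Enterprise applications
$pilotGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: pilot group, so nobody is locked out tenant-wide

# 1. Custom authentication strength that accepts only FIDO2-class credentials.
#    Omitting 'windowsHelloForBusiness' from the list is what stops a WHfB PIN
#    from satisfying this policy on its own.
$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName 'Passkey or FIDO2 key only' `
    -Description 'Phishing-resistant credential required for Citrix Workspace' `
    -AllowedCombinations @('fido2')

# 2. Conditional Access policy scoped to the one application. Report-only mode first:
#    the sign-in logs then show who would have been blocked before anything is enforced.
$policy = @{
    displayName   = 'CA - Citrix Workspace requires passkey or FIDO2 key'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @($citrixAppId) }
        users        = @{ includeGroups = @($pilotGroupId) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Check: confirm which combinations the new strength actually accepts.
(Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $strength.Id).AllowedCombinations
```

Because the policy targets only the Citrix app ID, device sign-in with the WHfB PIN is untouched; only the Citrix Workspace access request has to present a passkey or security key. If the requirement is specifically "Authenticator passkeys, not arbitrary security keys", the strength additionally needs the advanced FIDO2 options (an AAGUID allow-list in its combination configurations), which is a separate step from the one shown here. Switch `state` to `enabled` only after the report-only results have been reviewed.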