We have recently migrated our user base to require multi-factor authentication (MFA) for certain applications. However, we have some computers located in restricted areas of our factories where mobile phones aren't allowed. These computers are shared and lack Windows Hello functionality. While we're currently using FIDO keys as a workaround, I wanted to know if it's possible to implement a conditional access policy that excludes MFA for these specific computers. Given their location, the likelihood of unauthorized access is extremely low.
4 Answers
In my experience with secure facilities, hardware keys are usually part of a broader zero trust strategy. You might also consider using passkeys on corporate phones if that fits your security model.
I recommend sticking with FIDO keys, but consider looking into physical passkeys like Yubico. It's crucial to keep MFA in place unless there's absolutely no other option.
What about placing those computers on a specific subnet? You could then exclude that subnet from the MFA policy. Just be aware that it all hinges on your IP setup.
If your factory has a static IP address, you could set up that IP as a trusted network location, which would allow you to exclude it from the MFA policy. Just make sure to confirm that this won't create any security issues for you.
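The trusted-location exclusion that the last two answers describe, as an added example written for this thread rather than taken from it or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK; the CIDR address and display names are placeholders, and the policy is created in report-only mode so the effect can be checked in the sign-in logs first.

```powershell
# Added example: a trusted IPv4 named location for the factory's static egress
# address and a Conditional Access policy that requires MFA everywhere except
# sign-ins from that location. Placeholders: CIDR and display names.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted named location containing only the factory's static public IP (/32).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Factory restricted area (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.10/32"   # placeholder documentation address
        }
    )
}

# 2. Policy: MFA for all users on all cloud apps, excluding the location above.
#    Report-only state records what the policy would do without enforcing it.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA except factory restricted area"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Ids to keep for auditing and for switching the state to "enabled" later.
"Named location: $($location.Id)"
"Policy:         $($policy.Id)"
```

Because the exclusion keys on the source IP that Entra sees, it covers every sign-in leaving through that address, not only the shared computers in the restricted area; review the report-only sign-in results with that in mind before enabling it.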