We've recently implemented Evo for multi-factor authentication (MFA) in our organization, but I'm having trouble getting it to work alongside Windows Hello for Business (WHfB). I'm curious if there's a way to make these two systems compatible. Many users, including myself, are used to logging in with our fingerprints or PINs instead of lengthy passwords (some of us have passwords over 20 characters!). Additionally, we need to meet compliance requirements for MFA on workstation logins, and Evo is the preferred choice from our managed service provider.
2 Answers
Can you clarify what you mean by Evo MFA in relation to Windows Hello? Are you referring to using Evo for enrollment into Windows Hello, or are you asking if you can unlock devices with Evo MFA? If it’s the first, Evo's MFA service would need to support Entra authentication methods, and without that, you may be out of luck. You’ll need MFA to set up Windows Hello. Using something like the Trusted Access Platform (TAP) might help if you can make it work together.
As for the second option, you can't use Evo to unlock your device once it's set up with Windows Hello; those two processes are separate.
Unfortunately, Evo uses a custom credential provider that doesn't work with Windows Hello for Business, so they won't be compatible. If you federate your Office 365 with Evo, you can log in using your Evo username and password along with their mobile app for MFA. I looked into whether they support passwordless login for Windows, but right now, it seems there’s no support for WHfB or passwordless sign-on with Windows.
I actually tried Evo before settling on Duo for my own needs. While I still use Evo for some local elevation requests and access control, Duo is leaps and bounds better as an identity access management platform. Duo’s passwordless sign-in for Windows is fantastic—it allows you to log in just by sending a push notification to your Duo app, and it requires your device to be nearby for extra security. If Duo eventually adds local access control like Evo, I would switch for sure!
Duo is definitely the way to go for passwordless. Windows Hello for Business is based on FIDO standards, which makes it way more reliable.
I think the goal is to use Evo MFA while logging in with a Windows Hello pin. Setting up Evo’s Enterprise Security Management with Entra ID could help, but then again, a pin alone doesn’t count as MFA, so technically, you wouldn't meet the full requirements.