Hi everyone,
We're in the process of rolling out Windows Hello for Business to improve security for our employees. I've come across information suggesting that Multi-Factor Authentication (MFA) needs to be activated for accounts to utilize Windows Hello.
Given that only about 10% of our workforce has company-issued phones, relying on a mobile authenticator isn't feasible. I know there are options like FIDO2 keys and hardware tokens, but I'm curious about more alternatives.
1. Is there a way to bypass the MFA requirement for provisioning Windows Hello?
2. What other MFA solutions might work for us?
Thanks for your help!
4 Answers
While using a personal phone for an authenticator can be risky, it's one way to enable MFA if company phones aren't available. If that's not an option, consider using SMS as a backup—even if it’s not the best in terms of security, it’s something.
I hear you! By the way, personal phones are not permitted for company use in our case.
Have you thought about deploying YubiKeys? They’re quite effective for secure authentication.
Correct! To provision a strong auth credential like Windows Hello, you indeed have to complete a strong form of authentication first.
To set up a strong authentication method, you'll need MFA. You could potentially provision users via Temporary Access Passes (TAP) if configured correctly.
Employers can’t require staff to use personal phones for work-related tasks. We have extra YubiKeys on hand for these kinds of situations!