I've been diving into the topic of Windows Hello for Business (WHfB) and its role in multifactor authentication. I came across various posts indicating that WHfB can be considered MFA at the Windows level given it combines something you are (biometrics or PIN) with something you have (the TPM chip on the device). However, I'm wondering if this actually qualifies as genuine MFA when logging into Windows. Since we're accessing the Windows platform and the TPM is tied to it, the only other means of authentication seems to be the biometric or PIN. For comparison, when signing into Microsoft services, you still need a password (something you know) or MFA methods like a phone or passkey (something you have). This is all related to leadership concerns about stolen laptops and compromised credentials. While WHfB with biometrics seems secure, I'm not sure how safe devices that rely solely on PINs really are, as they could be vulnerable to phishing like passwords can be.
5 Answers
In the case of a stolen device, WHfB could fall short of offering real protection, especially if it’s just a PIN compared to a password. That could be a risk.
You can't really phish for a PIN... But if you're looking for true multifactor unlock, you should use a reliable signal for devices that lack biometrics (they should be on the network). Check out the Multi-factor unlock guide from Microsoft for more insights!
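The question and the answer above both turn on which devices are PIN-only (no biometric sensor) and therefore candidates for the trusted-signal multi-factor unlock policy. The following PowerShell script is an added inventory example, not code from the thread or from Microsoft; it assumes the built-in `TrustedPlatformModule` and `PnpDevice` modules and an elevated session on Windows 10/11, and it only reports, it changes no settings.

```powershell
# Added example (not from the thread): report which WHfB factors a device can
# actually offer, so PIN-only machines can be found before policy is applied.
# Assumes the built-in TrustedPlatformModule and PnpDevice modules are present.

function Get-WhfbFactorReport {
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    # Fingerprint readers and Hello-capable IR cameras enumerate under the
    # Biometric device class; only count ones that are present and healthy.
    $bio = @(Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue |
             Where-Object Status -eq 'OK')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        BiometricDevices = ($bio | ForEach-Object FriendlyName) -join '; '
        # No biometric sensor means the "something you are" factor is absent,
        # so unlock is PIN + TPM only; these are the devices the answer above
        # suggests covering with a trusted network signal.
        PinOnlyRisk      = ($bio.Count -eq 0)
    }
}

Get-WhfbFactorReport | Format-List
```

Run it through your management tooling across the fleet and filter on `PinOnlyRisk -eq $true` to get the list of devices that need the multi-factor unlock policy rather than relying on the PIN alone; devices with `TpmPresent` false should be treated separately, since WHfB keys there are software-backed.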
Nah, I don't think WHfB counts as MFA. One of the factors is the device itself, which uses the TPM to unlock things. It doesn't fully meet the criteria for multifactor authentication in my view.
I guess that makes sense, but wouldn't having that device be an important part of the security equation?
Man, I need more caffeine! This took way too long to read. Auditors might let it slide as MFA, but they could still see it as a risk. Biometrics are good, but I wouldn’t rely on a PIN for security.
It really depends on your perspective. To me, if you have a biometric factor along with a specific device, that covers two factors—biometric + device equals two factors, which can be seen as MFA.

Totally agree! A PIN isn’t as robust as a password in terms of security.