A client uses Windows 10 laptops linked to Microsoft 365/Azure for authentication. They use Windows Hello and therefore can log on and/or unlock using a password, PIN, fingerprint or face. The laptop locks after 5 minutes of being idle. MFA is implemented, but this only kicks in when logging into a new device, after a password change, etc.
This has been deemed not secure enough and they want to implement additional 2FA authentication via mobile phone. The requirement is simple - upon authenticating using Windows Hello (logon or unlock) and 24 hours has expired, require an additional authentication step via their mobile phone.
We’ve done a trial of Duo and it wasn’t ideal as it turned off Windows Hello and resorted to forcing the users to re-enter their password each time they unlocked the screen. Feedback was that this really was too user-unfriendly.
Anyone know why Duo can’t work in conjunction with Windows Hello?