Additional authentication after using Windows Hello logon

robnicholson · ‎10-14-2022

A client uses Windows 10 laptops linked to Microsoft 365/Azure for authentication. They use Windows Hello and therefore can logon and/or unlock using password, PIN, fingerprint or face. The laptop locks after 5 minutes of being idle. MFA is implemented but this only kicks in when logging into a new device/password changed etc.

This has been deemed not secure enough and they want to implement additional 2FA authentication via mobile phone. The requirement is simple - upon authenticating using Windows Hello (logon or unlock) and 24 hours has expired, require an additional authentication step via their mobile phone.

We’ve done a trial of Duo and it wasn’t ideal as it turned off Windows Hello and resorted to forcing the users to re-enter their password each time they unlocked the screen. Feedback was that this really was too user-unfriendly.

Anyone know why Duo can’t work in conjunction with Windows Hello?

mrfrundles · ‎10-14-2022

NAA (not an answer)

11:57 AM Friday, October 14, 2022
+Can second this, issue is legit

robnicholson · ‎10-17-2022

I assume that an answer was deleted as this doesn’t make sense

mrfrundles · ‎10-17-2022

Hi, Rob! Not, I meant that my comment was itself not an answer, resolution, workaround, presecription, or suggestion.
I was saying that I agree with you, that this issue exists.

=)