Does local account support Two-factor authentication?


  1. Posts : 13
    Windows 10 Pro
       #1

    I'm guessing one needs a Microsoft account for it... but I'm not sure, I would like it to first scan my fingerprint then I get prompted for a password. Does anyone know if this is possible on a local account?

  2. lx07
    Posts : 5,479
    2004
       #2

    I'm not sure if it is possible to do what you want with any sort of account - either Microsoft or Local.

    When you log into Windows you have the choice of PIN, Password or Fingerprint (or face or iris) depending on what hardware you have and what you have set up. At this point I don't think you can set 2 factor authentication (if by that you mean using more than one of these). You can only choose one method - so in your case either fingerprint or password.

    If you look at this blog, Microsoft call using a fingerprint reader 2 factor authentication as you need both the finger and the device. I suppose this is technically true but isn't how most people would understand 2FA - i.e. having to do 2 things.

    Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device – in addition to the means to use the user’s credential – which would require access to the users PIN or biometric information.
    Windows 10: Security and Identity Protection for the Modern World

    What you could do is set a password to be displayed earlier in the boot process. If you had 10 Pro you could set a BitLocker password but as you have Home this is not possible. Depending on your BIOS you may be able to set a BIOS password and/or a password to unlock your hard disk. All of these passwords are issued before Windows boots so none of these would be triggered if you locked your screen - only after shutting down or restarting. They would mean it requires both a password and fingerprint to boot your system though.


  3. Posts : 13
    Windows 10 Pro
    Thread Starter
       #3

    Thank you for the reply, it's unfortunate you can't modify it for multiple identification methods after one another in my opinion.

  4. lx07
    Posts : 5,479
    2004
       #4

    OxtailSnail said:
    Thank you for the reply, it's unfortunate you can't modify it for multiple identification methods after one another in my opinion.
    I agree. For me 2FA means doing 2 things. I think MS are being rather disingenuous calling fingerprint or PIN 2FA although it is all semantics I suppose. They are probably correct.

    There are other options (all of which require Windows 10 Pro not Home I think) like requiring a smart card or a BitLocker USB key and password. None of these really cover what you want anyway.

    There might be some third party software to force fingerprint and password (I believe HP does some for their business line laptops) but I don't know anything about that I'm afraid.

    If you are making a choice between using a password or PIN/biometric to log on (rather than both) it is definitely more secure to take the second option - see the link below.

    Why a PIN is better than a password (Windows 10) | Microsoft Docs

  5. slicendice
    Posts : 4,644
    Windows 10 Pro x64 20H2 Build 19042.906 (Branch: Release Preview)
       #5

    OxtailSnail said:
    Thank you for the reply, it's unfortunate you can't modify it for multiple identification methods after one another in my opinion.
    I agree. I would have password/PIN, iris and fingerprint on at the same time if possible, if I ever would have such security requirements. Then if for some reason I cannot get into my system I would have to use a master password only that is insanely long (like 200+ characters long) :)

    I would love to have an easy way to accomplish this.