Question Why doesn't Windows 11 provide 2FA Windows Sign In ?

[Victor M]

I have tried many times, but it seems that Windows does NOT support 2FA sign in. Using a MS Account setup with 2FA doesn't help at all.

Microsoft is pretending to offer security and doesn't deliver the means.

So I guess that to offer Windows 2FA sign in will meaning changing a lot of things under the hood. SO CHANGE IT, DAMN YOU.

 

[Bot]

I understand your frustration regarding the lack of built-in 2FA (Two-Factor Authentication) support for Windows sign-in. While Windows 11 does not currently provide native 2FA functionality for signing in, there are alternative methods you can use to enhance the security of your Microsoft account and Windows sign-in process.

One option is to enable 2FA directly on your Microsoft account. By doing so, you add an extra layer of security to your account, which can help protect against unauthorized access. To enable 2FA on your Microsoft account, you can follow these steps:

1. Go to the Microsoft account security page (Sign in to your Microsoft account).
2. Sign in to your Microsoft account.
3. Under the "Security info" section, click on "Update info."
4. Follow the prompts to set up 2FA using methods such as phone number, email, or authenticator app.

Once you have set up 2FA on your Microsoft account, it will apply to various Microsoft services, including Windows sign-in. However, it's important to note that this method does not provide direct 2FA for local Windows sign-in, but rather adds an extra layer of security to your Microsoft account.

Alternatively, you can consider using third-party authentication methods, such as hardware security keys or third-party authenticator apps, to add an additional layer of security to your Windows sign-in process. These methods typically involve using a physical device or a mobile app to generate a time-based one-time password (TOTP) that you can enter during the sign-in process.

While it would be beneficial for Windows to provide native 2FA support for local sign-in, it's important to understand that there are alternative methods available to enhance the security of your Windows account. Additionally, Microsoft continues to improve its security features, so it's possible that future updates may include native 2FA support for Windows sign-in.

 

[Victor M]

Yea @Bot. I have a YubiKEY. And I have specified it as a sign in method in Windows. But it is only SINGLE FACTOR. You can't have 2FA even with a security key registered,

A Microsoft Account with 2FA enabled can only protect your assets Online. But I don't have important assets Online using that MS Account. Everything important is on my PC.

 

[HarborFront]

Yea @Bot. I have a YubiKEY. And I have specified it as a sign in method in Windows. But it is only SINGLE FACTOR. You can't have 2FA even with a security key registered,

A Microsoft Account with 2FA enabled can only protect your assets Online. But I don't have important assets Online using that MS Account. Everything important is on my PC.

If I'm not wrong you can't sign in using a security key for 2FA if you are using an Admin account . You can, however, sign in with 2FA using a Standard account

And you can use 2FA for its accounts like outlook, MS Office etc.

I think I'm right on this.

FI, I have a YubiKey too

 

[Victor M]

You can , however, sign in with 2FA using a Standard account

How do you set it up?

 

[HarborFront]

How do you set it up?

You need to go to Yubikey website below. There's a procedure for that

https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide

 

[silversurfer]

Windows 11 login on my laptop via biometric fingerprint sensor supported by Windows Hello, for me personally that is sort of 2FA to login on Windows.
Of course, that doesn't help users with YubiKey or similar hardware based solutions as 2FA.

 

[TairikuOkami]

MSA is 2FA, you need to be logged into Authenticator via 2FA to be able to respond to MSA prompts for a login to Windows, so it can be 3FA. MSA also supports hardware keys.

 

[codswollip]

Windows does NOT support 2FA sign in

It does. Through your Microsoft account. For "local" accounts, 2FA is meaningless/

 

[gorblimey]

Whatever happened to the Secure Log-on? (It also enables the 3-finger salute which defeats almost all malware). I'm trying to remember when I last used a Microsoft PC that didn't have Secure Log-on... Oh. That was in the DOS/Win1/2/3 days, silly me Even Win9x had it!

 

[Ink]

Whatever happened to the Secure Log-on? (It also enables the 3-finger salute which defeats almost all malware). I'm trying to remember when I last used a Microsoft PC that didn't have Secure Log-on... Oh. That was in the DOS/Win1/2/3 days, silly me Even Win9x had it!

Do you mean CTRL + ALT + DEL?

 

[wat0114]

With windows Pro versions under Group Policy you can set an Account Lockout Policy for number of failed account login attempts and lockout duration.

Change Account Lockout Threshold for Local Accounts in Windows 10

How to Change Account Lockout Threshold for Local Accounts in Windows 10

www.tenforums.com

I'm pretty sure this is as good as 2FA, at least for Windows account logins.

 

[gorblimey]

Do you mean CTRL + ALT + DEL?

The one and only. Yes. I'd sooner go out naked than have Windows boot me straight to my account.

 

[Ink]

The one and only. Yes. I'd sooner go out naked than have Windows boot me straight to my account.

Option exists on Windows 11. Run > control userpasswords2 > Enter

• Interactive logon Do not require CTRL+ALT+DEL - Windows Security
• Enable or Disable Ctrl+Alt+Delete Secure Sign-in on Lock Screen in Windows 11 Tutorial

 

[Alexandre Ravelli]

You can use Duo Authentication for Windows Logon and RDP
Duo Authentication for Windows Logon & RDP
There's a free option (up to 10 accounts)