Is there a way to do a Password challenge or required re-entering the password when there is a Windows Hello PIN set up?
Posted by i_try2hard_sum_times@reddit | sysadmin | 8 comments
We require Windows Hello at my work, but so many users confuse it with their password or forget their password entirely. Is there a way to have Windows, Intune, Azure or something else prompt a Password Challenge once a week or so? Looking to have the user need to type in their password regularly, but not get locked out. Any ideas?
omgdualies@reddit
Do you have services that are keeping you from going full passwordless? We are looking to hit 80-90% phishing resistant/passwordless/passkeys by end of the year.
i_try2hard_sum_times@reddit (OP)
We are an international company and the bulk of our IT team is in Europe. I’m not sure on our plans for passkeys and such, but the bigger the boat the slower it turns. Especially when it stretches across oceans.
I’m on the USA IT team.
altodor@reddit
WHfB is technically a passkey. But the question is more "what do people even need to have the password for?". The goal of WHfB is to have people stop using the password entirely and use OIDC/SAML/Kerberos for everything instead.
If you have SSPR (https://aka.ms/sspr) set up for your users they don't even need to know their password, they can just reset it when they need it for something.
i_try2hard_sum_times@reddit (OP)
In our environment the WHfB is only on the one computer. It doesn’t talk to other applications that use their Microsoft ID that sync to our AD system. One of which is our phone/call center application, if they need to manually authenticate to our VPN (happens sometimes), and at least one other service we use.
It also doesn’t sync to their work phones. So if they need to log onto their Microsoft account on their phone since it got logged out for some reason (which does randomly happen sometimes) they need to log back in using their Microsoft account password.
altodor@reddit
Well that's awful.
There's not a native way to do what you want. The modern strategy is to make Entra what applications use for authentication.
i_try2hard_sum_times@reddit (OP)
Thank you
cjcox4@reddit
Actually, this may be the biggest flaw in today's "password less" Hello. I mean, it's "good", but not if the trust isn't somehow "everywhere". So, indeed, in places where a password is still required, you end up with people that no longer know their password.
I worked with our Windows team on a solution that allows them to "prove" themselves to our team so they can do a one-time use password reset for them, but it requires a resource (ideally) that notices the password is one time (yet another flaw in Microsoft's broad systems, etc.). That is, if you reset with a "one time" and the user authenticates to a "service" that is password based, if that is all that is done, you can use that password "forever". However, if logging into an AD domain, the user will be prompted to set a new password before continuing.
I did the above because of the problem you mentioned... nobody knows their password anymore. And if like most places, it's a password that expires... and well... here we are at the problem again.
Anyhow, as with all things Microsoft, it's a "not well thought out" tack-on, that is, Windows Hello. Many problems, including security-related ones, are due to Microsoft taking "what is" and trying to "extend it". Microsoft land isn't designed for Windows Hello everywhere, so.... problems.
So, they've instituted partial trusts. Ideally, Windows Hello would replace the need for password universally, but there's a ton of stuff that would have to change. And you'd have to figure out how to handle public key propagation.
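The one-time reset flow cjcox4 describes, as an added PowerShell example that is not from this thread or from Microsoft: reset to a one-time password with "must change at next logon", then list accounts where that flag is still pending, which is how you spot users who only ever authenticated to the password-based services the post mentions and never rotated it. Assumes the RSAT ActiveDirectory module and password-reset rights; the OU path and account name are placeholders.

```powershell
Import-Module ActiveDirectory

function New-OneTimePassword {
    param([int]$Length = 20)
    # 64-character alphabet (constructed here): 256 % 64 == 0, so the byte
    # modulo below introduces no bias toward any character.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-OneTimeDomainPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $plain  = New-OneTimePassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -Reset replaces the password without needing the old one.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Sets pwdLastSet to 0: the next interactive domain logon demands a new
    # password. Password-only services (VPN, call-center app) do not enforce this.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $plain   # hand to the identity-verified user out of band
}

function Get-PendingOneTimePasswords {
    param([string]$SearchBase = 'OU=Users,DC=example,DC=com')  # placeholder OU
    # pwdLastSet=0 means the forced change is still outstanding; an old
    # whenChanged value shows the one-time password has been live for a while.
    Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
        -Properties whenChanged, LastLogonDate |
        Select-Object SamAccountName, whenChanged, LastLogonDate |
        Sort-Object whenChanged
}

# Usage (account name is a placeholder):
# $temp = Reset-OneTimeDomainPassword -SamAccountName 'jdoe'
# Get-PendingOneTimePasswords | Format-Table
```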
ZAFJB@reddit
Why?
Educate your users instead.