Multi-factor authentication (MFA) is a process where a user is prompted during a sign-in event for additional forms of identification. This prompt could be to enter a code on their smartphone or to provide a fingerprint scan. When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
The two technologies are difficult to compare directly because they take different approaches to MFA. MS Authenticator (MSA) is used for two-factor verification only during the onboarding phase (registering the account or joining the device). Subsequent logons to Windows then use the Windows Hello factors, such as PIN, password, shape or finger biometrics. In contrast, the Excalibur solution requires Excalibur Token-mediated factors for every logon to Windows. Excalibur also extends the set of standard factors (PIN, fingerprint, shape biometrics) with precise geolocation, time window, IP address and other factors. When connectivity is unavailable, the Excalibur system also allows logging in with an OTP, which is not possible with MS Authenticator [1]; likewise, with MS Authenticator a user who forgets the PIN and tries to log in with a passwordless account cannot log in at all.
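To make the difference in factor handling concrete, here is an added example, written for this page and not Excalibur's or Microsoft's code, of a small contextual-MFA policy evaluator in Python. It combines an RFC 6238 TOTP check, which needs no connectivity because both sides derive the code from a shared secret and the clock, with contextual factors of the kind listed above: a time window, an IP allow-list and a geolocation radius. The secret, policy values, office coordinates, network ranges and request records are all constructed for the example, and the token-mediated push approval is modelled as a plain boolean rather than a real device exchange.

```python
"""Constructed contextual-MFA policy evaluator (example only, not vendor code)."""
import hashlib
import hmac
import ipaddress
import math
import struct
from datetime import datetime, timezone


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check tolerating +/- `window` time steps of clock drift.

    No network is involved: the verifier only needs the shared secret and its own clock,
    which is why an OTP can still be checked on a device without connectivity.
    Constant-time comparison avoids leaking how many digits matched.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres (mean Earth radius 6371 km)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


# Constructed policy: values chosen for the example, not taken from any real deployment.
POLICY = {
    "allowed_networks": [ipaddress.ip_network("10.20.0.0/16")],
    "office": (48.1486, 17.1077),   # constructed office coordinates (lat, lon)
    "max_distance_km": 2.0,         # logon must originate within 2 km of the office
    "hours_utc": (7, 19),           # logon allowed from 07:00 to 18:59 UTC
}


def evaluate_logon(request: dict, secret: bytes, policy: dict = POLICY) -> dict:
    """Return per-factor results plus an overall "allow" decision for one logon request.

    With connectivity, the token-mediated approval (modelled as the boolean
    request["token_approved"]) and every contextual factor must pass.
    Without connectivity, the request falls back to a TOTP code; the factors that
    need network-derived data (client IP, geolocation) are not evaluated, but the
    time window still is, because it only needs the local clock.
    """
    now = datetime.fromtimestamp(request["unix_time"], tz=timezone.utc)
    start, end = policy["hours_utc"]
    results = {"time_window": start <= now.hour < end}

    if request["connectivity"]:
        ip = ipaddress.ip_address(request["ip"])
        lat, lon = request["geo"]
        results["token_approved"] = bool(request.get("token_approved"))
        results["ip_allowed"] = any(ip in net for net in policy["allowed_networks"])
        results["geo_in_radius"] = (
            haversine_km(lat, lon, *policy["office"]) <= policy["max_distance_km"]
        )
    else:
        results["otp_valid"] = verify_totp(secret, request.get("otp", ""), request["unix_time"])

    results["allow"] = all(results.values())
    return results


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test-vector secret) and requests.
    secret = b"12345678901234567890"
    online = {"unix_time": 1699964000, "connectivity": True, "ip": "10.20.5.7",
              "geo": (48.1490, 17.1080), "token_approved": True}
    offline = {"unix_time": 1699964000, "connectivity": False,
               "otp": hotp(secret, 1699964000 // 30)}
    print("online :", evaluate_logon(online, secret))
    print("offline:", evaluate_logon(offline, secret))
```

The design point is the split inside `evaluate_logon`: the offline branch can only rely on factors the endpoint can verify locally (the shared-secret OTP and its own clock), so a policy that insists on IP or geolocation checks necessarily degrades to a smaller factor set when the device has no connectivity, and the evaluator records which factors were actually checked rather than silently skipping them.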
The following table lists other features of the Excalibur system compared to the capabilities of the MS Authenticator.
The following procedure demonstrates the obscure process of registering an account in MS Authenticator and Windows 10. An Azure Active Directory Premium P2 subscription was used as the Identity and Access Management (IAM) service. Setting up such an environment is beyond the scope of this document.
If MFA is enabled on your account, you need to validate it with another factor. Since MS Authenticator is not yet active, you have to authenticate by SMS. Click Next
Enter your phone number to validate your identity. Click Next
Retype the code from the SMS. Click Next
If everything went ok, you should see a similar screen. Click Next
Create an application password and type the app name. This step is optional and depends on the organization's policy. Click Next
Click Next
You have now successfully set up your security info. Click Done
Now add a new authentication method. Click Add method and select Authentication app from the dropdown menu.
Now open the MS Authenticator app on your phone, add a new account and select Work or school account. Tap Scan QR code
Scan the QR code from the screen.
A dialog appears, waiting for confirmation on your phone.
Approve sign-in. Tap Approve
If you approved, this dialog appears. Click Next
In the list of accounts, open the details of the account you just added; you should see a similar screen. Tap Enable phone sign-in
On the next screen, tap Continue
Enter your account password. Tap Sign in
Select a method for identity verification. Tap Approve a request on my Microsoft Authenticator app
On the next screen, tap Approve
The final step of the MS Authenticator setup is registering your device. Tap Register
After successful registration you will see the following screen, which automatically switches to the account details after a while
Your MS Authenticator is now set up, and you can see that Passwordless sign-in is enabled
In Security info you can see that all authentication methods are set up.
Change the default sign-in method to Microsoft Authenticator
Now log in to the PC as Administrator, go to Settings → Accounts → Access work or school and click ➕. In the dialog, select Join this device to Azure Active Directory
Sign in with your AD account. Click Next
A dialog appears with a random number, which you need to enter on the phone.
Retype the random number from the dialog on the PC screen. Tap Yes
Connect the device to your organization's AD. Click Join
If everything went ok, you should see a similar screen. Click Done
In the list of connected accounts you can see something like this. Now you can log out from the Administrator account or switch accounts.
Try logging in with your AD account
Windows Hello informs you that your organization requires setting up other factors, such as face biometrics, PIN or fingerprint
A dialog appears, which needs to be approved on the phone.
On the phone, tap Approve
Set up a PIN or other factors. Click OK
If everything went ok, you should see a similar screen. Click OK
Now your device is set up for passwordless login. Try logging in with the PIN
If you forget the PIN you can reset it, but this operation is available only if the device has connectivity!
If the device does not have connectivity it is not possible to log in with OTP.
[1] OTP/TOTP capability is not available for Windows logon.