Traditional computer authentication is based on users providing a name and password. This enables an authentication authority to validate the exchange and grant access. Although password-based authentication is acceptable in many circumstances, Windows 11 provides a number of additional more secure methods for users to authenticate with their devices, including multifactor authentication (sometimes referred to as two-factor authentication).
Multifactor authentication is based on the principle that users who want to authenticate must have two (or more) things to identify themselves:
- Know something (such as a password)
- Have something (such as a security token)
- Be something (such as fingerprints or biometrics)
For example, a user might know a password, have a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints or facial recognition.
Explore Biometrics
Biometrics, such as a fingerprint, provides more secure and often more convenient methods for identifying and verifying users and administrators. Windows 11 includes native support for biometrics through the Windows Biometric Framework (WBF), and when used as part of a multifactor authentication plan, biometrics is increasingly replacing passwords in modern workplaces.
Biometric information is obtained from the individual and stored as a biometric sample which is then securely saved in a template and mapped to a specific user. You can use a fingerprint reader to capture a person’s fingerprint. (You “enroll” the user when configuring this.) Also, you can use a person’s face, retina, or even voice. The Windows Biometric service can also be extended to include behavioral traits, such as body gait and typing rhythm.
Windows includes several Group Policy settings related to biometrics, as shown in Figure 2-3, that you can use to allow or block biometrics from your devices. You can find Group Policy Objects here: Computer Configuration\Administrative Templates\Windows Components\Biometrics.
FIGURE 2-3 Biometrics Group Policy settings