Forum Discussion

RussMeyer-Epik's avatar
RussMeyer-Epik
Copper Contributor
Feb 27, 2025

Force additional MFA for PIN WH4B

so got a request from one of my clients and if you think about it, its on the verge of being valid but an edge case...

 

Lets say you implement WH4B and leverage PIN, how do you prevent someone shoulder surfing and leveraging the PIN on that device if they take it? Or restrict pin patterns? (the patterns I am looking into)

I know Fido2 is the best way along with biometrics...but they were wondering if there was a way to reprompt MS Auth App for a code after login/reboot...

 

I couldnt find anything on this but I did find forcing a mfa device revalidation via graph api

 

Any able to accomplish this with the entra joined device?

Authentication
Authenticator app
Identity
microsoft 365
multi-factor authentication
security
  • VasilMichev's avatar
    VasilMichev
    MVP
    Feb 28, 2025

    It's the same as being able to enter your PIN on a mobile device I have physical access to, or "borrow" your certificate. Those methods are designed to prevent internet-based attacks, not physical ones. For the latter, blocking the device/revoking any methods related to it is the way to address potential issues.

Resources