Many people do not realize that you can setup Windows 10 logons to require multi-factor authentication (MFA) with no third-party software. The only requirements are that your PC must support Bluetooth and Bluetooth capable phone (or other Bluetooth device that can be used as your second factor).

The key is some additions that were made by Microsoft to Windows Hello for Business that allows users to configure MFA even if they are not on a domain. To setup MFA using the most common elements (a Windows Hello PIN and a smart phone) all you need to do is to pair your phone to your PC and then configure one group policy setting. Once the group policy setting is “enabled” it defaults to the most common settings (PIN + phone).

First, pair your phone to your computer by going into Settings | Devices and make sure your phone is listed under “Other devices”. If not, add it with the “+ Add Bluetooth or other device” button at the top of the page.

Second, open group policy on your PC by running “gpedit.msc” from the Run or search window. Then under “Local Computer Policy” expand “Computer Configuration” | “Administrative Templates” | “Windows Components” | “Windows Hello for Business”. Double-click on Configure device unlock factors.  Click “Enabled”. The options in the window below should automatically be filled out, but if they’re not here is the configuration for using a PIN as the first factor and a Bluetooth enabled phone as the second factor:

  • First unlock factor credential providers:
    {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}
  • Second unlock factor credential providers:
    {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Signal rules for device unlock:

Here is a list of the GUIDs if you want to change the device unlock factors:

  • PIN                                     {D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Fingerprint                     {BEC09223-B018-416D-A0AC-523971B639F5}
  • Facial Recognition       {8AF662BF-65A0-4D0A-A540-A338A999D36F}
  • Trusted Signal               {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

In the event you do not have your phone you can click on “Sign-in options” below “Couldn’t verify additional factor. Please use a different sign-in option.” This will allow you to enter your full password (not PIN) to bypass your phone (in this case your two login factors are PIN and full password).