What NIST 800-63B Actually Says

Don’t take Microsoft’s word for it — NIST 800-63B Section 5.1.9.1 spells it out.

“Multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys ... accessible only through the input of an additional factor (memorized secret or biometric)... The authenticator could be a suitably secure processor integrated with the user endpoint itself (e.g., a hardware TPM).”

That’s Windows Hello for Business — exactly.
It’s a TPM-backed cryptographic key, unlocked by your PIN or biometric, operating as a multi-factor hardware authenticator.

This means Windows Hello for Business meets NIST’s definition of MFA — without needing a separate phone-based code or token.
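A defender's way to confirm that a deployed Windows Hello for Business credential actually has the properties the NIST definition relies on (TPM-bound, non-exportable key). This is an added example, not code from the original post; it assumes the field names printed by `dsregcmd /status` on current Windows 10/11 builds (`NgcSet`, `TpmProtected`, `KeyProvider`, `KeySignTest`) and the built-in `Get-Tpm` cmdlet.

```powershell
# Added example: verify a Windows Hello for Business credential is a TPM-backed
# multi-factor cryptographic device in the NIST 800-63B 5.1.9.1 sense.
# Assumption (not from the original post): the field names checked below are
# those printed by `dsregcmd /status`; adjust them if your build labels differ.
# Run from an elevated PowerShell session of the signed-in user: Get-Tpm needs
# admin rights, and the dsregcmd "User State" section is only populated in the
# context of the user whose key is being inspected.

function Get-DsregStatus {
    # Parse "Name : Value" lines from dsregcmd /status into a hashtable.
    $result = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WhfbTpmBacked {
    $status = Get-DsregStatus
    $tpm = Get-Tpm   # TrustedPlatformModule module, shipped with Windows

    $checks = [ordered]@{
        'TPM present and ready'         = ($tpm.TpmPresent -and $tpm.TpmReady)
        'WHfB key provisioned (NgcSet)' = ($status['NgcSet'] -eq 'YES')
        'Key protected by TPM'          = ($status['TpmProtected'] -eq 'YES')
        'Platform Crypto Provider used' = ($status['KeyProvider'] -like '*Platform Crypto Provider*')
        'Key sign test passed'          = ($status['KeySignTest'] -eq 'PASSED')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ("{0,-32} {1}" -f $name, $state)
    }
    # All checks passing means the private key lives in tamper-resistant
    # hardware, cannot be exported, and is only usable after the PIN or
    # biometric unlock: the "something you have" plus "something you know/are".
    return -not ($checks.Values -contains $false)
}

Test-WhfbTpmBacked
```

A FAIL on "Key protected by TPM" with a software key provider means the credential is still a cryptographic authenticator, but not the hardware-backed one the quoted section describes, so it should not be counted as such in a CMMC assessment.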

In Part 3, I’ll show you how to configure Windows Hello for Business the right way to stay aligned with NIST guidance and CMMC requirements.

https://pages.nist.gov/800-63-3/sp800-63b.html#mfcd
