servermonkey8064 (2018-01-26):

Is anyone doing 2FA on desktops and laptops?

What do you use?

Duo looks like it needs every laptop to have internet access at logon time so doesn’t appear practical.

Like the look/price of Yubikey but not sure about the software infrastructure required on top of AD.
bucko (2018-01-26):

Why not SmartCard with PIN?

seani (2018-01-26):

Look into AuthLite. Uses YubiKeys and builds on top of AD.

https://www.authlite.com/

davidvaldez4 (2018-01-26):

Depending on your infrastructure, Intel makes an add-in product called Authenticate that can work with hardened points on the system and also with Microsoft Hello to offer multi-factor options such as fingerprint (hardened where possible), facial recognition (via Hello), PIN (hardened), AMT location (hardened), virtual smart card (hardened), and a couple of other factors. The nice thing is that it’s free, though it does require a TPM and vPro in order to harden factors. If you’ve deployed vPro systems, then it’s essentially gift with purchase.

drewlubken0647 (2018-01-26):

We use Duo on all our laptops, and yes, they do have to have a connection before they can log on. Since they have to be on our VPN to talk to anything but Duo and VPN, though, it’s not like they’d be getting used without a connection, and you can set up a connection from the login screen.

bryandoe (2018-01-26):

I’m trialing Duo now as well, and this (and the default fail open) was a sticking point for me. They told me it should work if you use a Yubikey. I briefly tried that and wasn’t able to get it to work, but have a call scheduled with them for next week.

Otherwise, I really like it - I’ve been able to get it working on Windows and Linux, and they support everything else I wanted.

tobywells (2018-01-26):

No - if I did, most of my users wouldn’t be starting work until Wednesday morning

- 50% forget their AD passwords over the weekend
- 50-75% forget their encryption key or phone IT to say they have a ‘blue screen’ at login
- 25% claim not to have Chrome installed
- 100% moan about 2FA for 365 and VPN

dbeato (2018-01-26):

We had it at my previous employer with Duo. You can set it to not bypass the login if there is no Internet; otherwise it will be as you state: without Internet it is bypassed.

travisfriesen (2018-01-30):

The problem is MFA is a second-class citizen in Windows AD environments. It’s the nature of how it handles SSO. You can deploy MFA for interactive logins (RDP and local), but other services, such as SMB/445, WMI/135, HTTP, etc. can still be logged into without MFA, and those are the ones the hackers really like to go after.

Such has been my experience, anyway. Maybe things are better since the last time I looked into it.
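The coverage gap described in the last post can be measured from the Windows Security log. The following is an added example, not part of the thread: it tallies event 4624 logons per account by LogonType, assuming the MFA prompt is enforced only on console and RDP logon types; the account names, addresses and records are constructed.

```python
from collections import Counter, defaultdict

# Event 4624 LogonType values (Windows Security log).
# Assumption: the MFA credential provider is enforced on these console/RDP types.
PROMPTED = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive",
            11: "CachedInteractive"}
# No MFA prompt is shown for these logon types.
UNPROMPTED = {3: "Network", 4: "Batch", 5: "Service",
              8: "NetworkCleartext", 9: "NewCredentials"}

# Constructed sample records, shaped like exported 4624 event data.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.5.20"},
    {"TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.9.77"},
    {"TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.5.31"},
    {"TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-"},
    {"TargetUserName": "FILESRV01$", "LogonType": 3, "IpAddress": "10.0.5.2"},
]

def mfa_coverage(events):
    """Per account: logons that passed an MFA prompt vs. those that did not."""
    report = defaultdict(lambda: {"prompted": 0, "unprompted": Counter(),
                                  "sources": set()})
    for ev in events:
        user = ev["TargetUserName"]
        if user.endswith("$"):  # machine accounts never see a prompt
            continue
        logon_type = int(ev["LogonType"])
        entry = report[user]
        if logon_type in PROMPTED:
            entry["prompted"] += 1
        else:
            name = UNPROMPTED.get(logon_type, f"Type{logon_type}")
            entry["unprompted"][name] += 1
            if ev.get("IpAddress", "-") not in ("-", "", "::1", "127.0.0.1"):
                entry["sources"].add(ev["IpAddress"])
    return dict(report)

def accounts_with_unprompted_network_logons(events):
    """Accounts that pass MFA at the console yet also log on over the network."""
    return sorted(user for user, e in mfa_coverage(events).items()
                  if e["prompted"] and e["unprompted"]["Network"])

if __name__ == "__main__":
    for user, e in sorted(mfa_coverage(SAMPLE_EVENTS).items()):
        print(user, e["prompted"], dict(e["unprompted"]), sorted(e["sources"]))
    print("review:", accounts_with_unprompted_network_logons(SAMPLE_EVENTS))
```

Accounts with only unprompted logons (such as the constructed `svc_backup`) never reach an MFA prompt at all, so they need separate controls.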