
Two step verification or authentication (2FA) for online services is fairly common. How about 2FA for Windows machine logins? Windows machines like desktops, laptops, servers, POS etc. could be compromised via a password hack or breach.

I have seen only very few solutions in the market, mostly aimed at enterprises. Is there a 2FA solution for security and privacy conscious consumers as well as small to medium sized businesses that operate Windows machines (on-premises or cloud based)? The solution should work for both physical as well as remote login.

If there is no viable solution, I am willing to put some time into starting a side/open-source project for this. I envision a plugin or middleware that, once installed, will trigger 2FA during the Windows login.

Do you think this is something you or people you know would use? Is there even a need for this thing in the first place? Your answers are most welcome.

fox_hound_33
  • Yubico say they can do that. Haven't tried. -> [*How to Use the Yubico Windows Login Tool*](https://www.yubico.com/support/knowledge-base/categories/articles/use-yubico-windows-login-tool/) – StackzOfZtuff Jan 09 '17 at 10:55

4 Answers


I've spent some time thinking about this and wanting a good solution. At the moment, Windows 10 can join Azure AD, and the device itself becomes a form of authentication, where you can use your Azure AD PW, or set up a PIN. You can also set up a Yubikey with Azure and Windows Hello these days. But this won't help you with on-prem AD or Windows 7 and prior installs.

For non-Azure AD or non-Win10 installs, take a look at AuthLite (http://www.authlite.com/). It is the solution that kept cropping up in my research. I really wanted to deploy Yubikeys and AuthLite a few years ago, but the project was cancelled, so I don't have any personal experience deploying this setup.

tim_shane

My company's product can do native AD 2FA: https://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/. Free for 5 users. It will also do password resets using 2FA.

We're promoting it for admins rather than users. Our thinking is: limit infiltration with 2FA for remote access; limit escalation with 2FA for admins. (You can limit exfiltration too with 2FA if your firewall can handle it.) An attack inside the firewall on a user is likely to be malware and not stopped by 2FA for logins. Depends on your threat model, of course.

nowen

Windows will do this natively with smartcard logon. But to do smartcard logon natively you need:

  1. A smartcard logon certificate on the smartcard, which is issued by a trusted CA
  2. A Domain Controller Certificate (which is issued by a trusted CA)
  3. A valid revocation list.

To keep it short: you need a PKI, which is probably enterprise stuff.

If you do not want to do this, you need your own Credential Provider like

cornelinux
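The three prerequisites listed in the answer above can be checked read-only from PowerShell. This is an added example, not part of the original answer: it assumes a domain-joined machine with the smart card inserted (so its certificate has been propagated into the user's store), and that the DC-certificate part is run on the domain controller itself.

```powershell
# Added example (not from the original answers): read-only prerequisite check for
# native smart card logon. Assumptions: smart card inserted and propagated into
# Cert:\CurrentUser\My; section 2 run on the domain controller itself.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU
$KdcAuthEku        = '1.3.6.1.5.2.3.5'          # "KDC Authentication" EKU (Kerberos Authentication template)
$ServerAuthEku     = '1.3.6.1.5.5.7.3.1'        # "Server Authentication" EKU (older DC templates)

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Return the EKU OIDs of a certificate, or an empty list if it has no EKU extension.
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-ChainAndRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking, as the client and KDC do;
    # an expired or unreachable CRL fails here, which is requirement 3 in the answer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    return [pscustomobject]@{ Subject = $Cert.Subject; Valid = $ok; Status = $status }
}

# 1. Smart card logon certificate (with key on the card) in the user's store.
$userCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { ((Get-EkuOids $_) -contains $SmartCardLogonEku) -and $_.HasPrivateKey })
"Smart card logon certificates found: $($userCerts.Count)"
$userCerts | ForEach-Object { Test-ChainAndRevocation $_ }

# 2. Domain controller certificate in the machine store (run this on the DC).
$dcCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $oids = Get-EkuOids $_; ($oids -contains $KdcAuthEku) -or ($oids -contains $ServerAuthEku) })
"Domain controller certificates found: $($dcCerts.Count)"
$dcCerts | ForEach-Object { Test-ChainAndRevocation $_ }

# 3. Revocation detail for one exported certificate: certutil prints every CRL/OCSP
#    fetch it attempts, which shows exactly which distribution point is unreachable:
#    certutil -verify -urlfetch <exported-cert.cer>
```

A `Valid` of `False` with a status such as `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL (requirement 3) rather than at the certificates themselves.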

It sounds like Azure Multi-Factor Authentication Server can do 2FA when the user logs in; I have not tried and cannot be 100% sure from these docs.

I think there might be bigger problems to deal with first if the attacker has access to the physical machine, but it probably does make sense in some environments.

Users' machines are usually not RDP-accessible from the internet, and it sounds like a bad idea to expose servers via RDP over the internet.

In my opinion it certainly makes sense when using RDP through a VPN; Transakt provides this service.

Bvrce