2FA for a small City(~200 ppl)
Posted by asianeddie@reddit | sysadmin | 10 comments
Hello all, we are looking into two factor authentication for our local government hybrid Windows environment. We have some local domain controllers that sync up to our M365 tenant.
What are some good recommendations/experiences with a good mix between price/implementation simplicity? Can't do authenticator codes because we can't force employees to have a smart phone. We tossed around the idea of using Windows Hello, smart card reader, etc.
asianeddie@reddit (OP)
Thank you all for the replies and recommendations. Gives me plenty to start vetting and researching!!
symcbean@reddit
I admit my knowledge of MS-Windows Hello is limited but it seems to be very difficult to integrate anything other than MS software and MS OS. As for implementing your own account management and on-boarding - erk!
By the time you add up all the edge cases and integration costs, supplying a $50 phone without a mobile contract and using TOTP looks like a much cheaper option to me.
matthewp62@reddit
Cisco Duo, also small city, 200 users... Duo for Windows and RDP, LDAP proxy or RADIUS proxy, Azure EAM and Azure SSO... syncs with Azure or on-prem AD users if you want. Easy to set up and go... credit card free for 10 users.
longroadtohappyness@reddit
Duo and their fobs for the folks that won't/don't have a smart phone.
Tinkev144@reddit
We use MS conditional access with a mix of phones and fobs.
teriaavibes@reddit
If you can do windows hello for business, then just do that. Simple, secure and convenient.
If not, you can give employees the option between an app on their personal phone or a FIDO2 hardware key they would be responsible for; most, from my experience, go for the first option.
lart2150@reddit
The Secure Enclave feature in the Company Portal app is also very slick for Mac users. You don't need to use Intune to set it up, but you do need MDM. From a user point of view it works a lot like Hello.
https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos
Asleep_Spray274@reddit
Windows Hello for Business is a FIDO-certified, phishing-resistant, strong authentication method. You can use a TAP to onboard the users. Won't be a massive job for about 200 users. At a minimum you need to be hybrid joined. This will do MFA at the desktop logon, and the user will not get an MFA prompt when accessing services, as MFA has been done a few moments ago when logging on.
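As an added example (not any commenter's code), here is a report-only Conditional Access policy, built with the Microsoft Graph PowerShell SDK, that requires a phishing-resistant authentication strength so that Windows Hello for Business and FIDO2 keys are what the tenant actually enforces rather than weaker fallbacks. The policy name, the break-glass account placeholder and the report-only state are assumptions.

```powershell
# Added example: pilot a Conditional Access policy requiring phishing-resistant MFA
# (Windows Hello for Business, FIDO2 security keys, certificate-based auth).
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can consent
# to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Resolve the built-in "Phishing-resistant MFA" strength by display name rather
# than hard-coding its id, so the script fails loudly if it is not found.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in phishing-resistant authentication strength not found" }

# Placeholder (assumption): object id of the emergency-access / break-glass account
# that must never be locked out by this policy.
$breakGlassId = "<BREAK-GLASS-USER-OBJECT-ID>"

$policy = @{
    displayName   = "Require phishing-resistant MFA (report-only pilot)"
    # Report-only first: sign-in logs show who would have been blocked without
    # actually blocking anyone. Change to "enabled" once the pilot looks clean.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the Entra sign-in logs for a few weeks (users still on password-only or SMS will show as "would block") before flipping the state to enabled.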
xendr0me@reddit
Get FIPS-compatible YubiKeys; don't do non-FIPS, just in case your requirements change down the line and then you need to repurchase keys for that. The price difference is about $20 more up front.
trebuchetdoomsday@reddit
Seems like a good use case for YubiKey/FIDO2. Check out this bit of knowledge if you plan on deploying a FIDO2 solution in a hybrid environment:
https://www.reddit.com/r/sysadmin/comments/1ec6pmq/issues_with_fido2_passwordless_login_and_hybrid/