Solutions for MFA on Windows Login

[-]

William_NAtty@reddit

We ran into a similar challenge a while back. Using Microsoft Authenticator directly for Windows logins isn’t really supported natively if you want to avoid biometrics. ADSelfService Plus was one option we tested too and it worked okay for hybrid AD setups, but you have to plan carefully for lost devices since MFA is the only login factor.

Reply

[-]

Clarence_Mertens@reddit

Duo can handle Windows MFA, but as you’ve noticed, it typically requires using their own app, which doesn’t integrate directly with existing Entra accounts. Many organizations address this by combining SSO with Conditional Access policies to reduce friction while still enforcing MFA at login.

Reply

[-]

maryteiss@reddit

Have you checked out UserLock? Can work with Windows Hello for Business and/or Microsoft Authenticator in hybrid environments built around AD credentials.

Reply

[-]

Upper_Caterpillar_96@reddit

sounds interesting

Reply

[-]

Lbrown1371@reddit

We use duo with our desktop and server logins. We use it with our entra and with our adselfservice

Reply

[-]

jaank80@reddit

I really cannot understand why so few orgs choose PIV smartcards. Lock it with a PIN and it is MFA, super easy to use and implement, and the cost is basically free. Amortize a yubikey over 3 years and you are looking at less than $2/mo.

Reply

[-]

Codename_Sidewinder@reddit

I do not have direct experience but have heard really good things about secret double octopus. It provides actual mfa for workstations (smb, network logon, and end user).

Reply

[-]

Asleep_Spray274@reddit

It's built in. Windows hello for business. Its a Fido certified strong authentication and was certified by the Fido alliance in 2019

Reply

[-]

Professional-Heat690@reddit

This is the way.

Reply

[-]

TheCyberThor@reddit

Biometrics in WHfB is optional. You can just set up PIN. Web sign-in if you want to use Microsoft Authenticator but there are caveats. [https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune](https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune) I'd engage an external law firm for a privacy impact assessment via your internal legal team. Get quotes from multiple and ask for historical experience with this use case. Your legal team is out of their depth.

Reply

[-]

ReputationNo8889@reddit

What type of legal requirement prevents you from using biometrics? You still can use WHfB with a pin with no biometrics. Anyway, you can just enable web login on the machine, then you get a classic micrsoft online prompot where users user email + password+ Authenticator. Be carefull, this will prevent users from signing into the device without internet.

Reply

[-]

JwCS8pjrh3QBWfL@reddit

Stupid lawyers that don't understand how TPMs work. I'll bet they're fine with FaceID/TouchID though 🙄

Reply

[-]

gamebrigada@reddit

Its not lawyers its compliance. WHfB is not MFA because password is always an option without a second factor. You can disable password login, but has anyone actually kept a WHfB environment stable enough to not have password bypass?

Reply

[-]

JwCS8pjrh3QBWfL@reddit

I've never had issues with WHfB not working.

Reply

[-]

gamebrigada@reddit

You are the unicorn then. WHfB breaks all the time. Unless you do cloud trust, then it only breaks when you're not online.

Reply

[-]

Reedy_Whisper_45@reddit

O365 never goes down. (/s, obv)

Reply

[-]

LaxVolt@reddit

Not OP but DoJ and CJIS policies make mfa difficult. They require “Something you know & Something you have” or “something you are & something you have” Also a problem with WhfB is that the tpm can only store something like 10 credentials and if you have shared workstations it becomes a problem. There is also no central management tools for WhfB. I honestly really wish they’d just make the entra piece work. They’ve got all the frame work to make it happen. We just moved from Imprivata to HID digital persona to meet CJIS compliance.

Reply

[-]

raip@reddit

You mean something like this: [https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune](https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune)

Reply

[-]

LaxVolt@reddit

Fuck me but isn’t that interesting. It never came up last year when looking for options. There is one function for me that makes it not feasible in my case but it’s a great option. Thank you for sharing.

Reply

[-]

Beznia@reddit (OP)

There isn't a real "legal" requirement, just our legal team informed us if that was our intention, then we would need to have all current employees sign off on storing biometric data before enrolling them and that is something our CTO did not want to deal with. New employees, it'd just be part of the onboarding process and agreeing to the employee handbook. I've already made my arguments about this and how we aren't actually going to be storing biometric data ourselves but it has been a losing battle. Honestly this entire process I feel is not the way we should be going about it, but I want to have a demo to show what we *can* do, and then have our business leaders decide if it is *really* what they want us to do. I'm exploring additional options on the side in the event we do not go this route.

Reply

[-]

itsTeabow@reddit

I'm not sure your legal team understands properly, but the biometric data isn't stored by your company, but locally on the TPM chip of a device. This is nothing different as having company phones with fingerprint or facial recognition. Does your company also block these? If they don't then they shouldn't block WHfB either. Good luck on your uphill battle though.

Reply

[-]

Khue@reddit

Same vibe as senators wanting a "backdoor/universal key" built into all SSL/TLS transaction so they can 'ensure the safety of children'. People are so dumb.

Reply

[-]

Beznia@reddit (OP)

You are correct that they do not understand this. There is zero concern on their end about having FaceID enabled on our corporate phones, but the exact moment the first person on our Legal team received a Dell laptop with an integrated fingerprint sensor, I got an earful over the phone.

Reply

[-]

cvc75@reddit

I don't know if it's true for every biometric solution, but if it's just about storing biometric data, there are solutions that don't do that. Look for privacy-preserving biometrics, zero-knowledge biometrics or something like that. Aside from that, we also use DUO for local login. Yes it has its own authenticator, but we also use it (via Conditional Access) for Entra so it replaced MS Authenticator completely for us.

Reply

[-]

ITguyBass@reddit

Yeah, like he was mentioning here, you need to validate if those machines would be connected to the internet to log in like that. Another way to enforce it is by using VDI, where people would need to authenticate each time they access the virtual desktop. This might be the safer one and provide more control to you guys, but it might incur some extra costs. The Windows Hello with Pin would be another good option as mentioned here, but probably your legal department would also no like it.

Reply

[-]

Patient-Stuff-2155@reddit

Web sign-in on login screen works like any MS-portal login.

Reply

[-]

gamebrigada@reddit

Run from ManageEngine... it does just barely ok in the demo that you'll consider it, and then you'll abandon it in a year. I've seen that story a million times. OpenOTP can do what you need.

Reply

[-]

Lancegoodheart@reddit

You could also check out Securden Self Service Password Reset, not sure of the exact name but they have a similar solution.

Reply

[-]

tailorgayng@reddit

We’ve used [UserLock](https://www.isdecisions.com/en/userlock/features/multi-factor-authentication-mfa-active-directory) as an alternative to Duo

Reply

[-]

Beznia@reddit (OP)

Aw man, I just went through the setup for this and it wants to register a new authenticator token. We would need something that can be registered in Entra to utilize the existing MFA configured for our users. It is looking like this may not be at all possible from any provider.

Reply

[-]

Darkhexical@reddit

It's not. Microsoft isn't going to share authentication tokens. That's a security risk.

Reply

[-]

Darkhexical@reddit

Afaik the only possible method to even obtain the TOTP seed would be if you were to root an android phone and backup all the secrets to it. Gl on the logistics of doing that one...

Reply

[-]

Darkhexical@reddit

The only method of 2fa supported on local ad is smart cards. Outside of that you'd have to use 3rd party software.

Reply

[-]

TechIncarnate4@reddit

WHFB with the PIN can meet MFA requirements. The PIN is only valid on the machine that it is registered on, and cannot be used anywhere else. Prompting users for MFA on each logon attempt can lead to MFA fatigue and them accepting MFA prompts without thinking. >The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim). [Windows Hello for Business Frequently Asked Questions (FAQ) | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq)

Reply

[-]

ExceptionEX@reddit

Modern MFA is number match on the screen it's not something you just mindlessly button mash.

Reply

[-]

raip@reddit

That's just simply naive. WHfB is phishing resistant and meets NIST AALv3 compliance. Number matching only meets NIST AALv2 and is not phishing resistant.

Reply

[-]

ExceptionEX@reddit

While I agree with you, the statement was specifically. > Prompting users for MFA on each logon attempt can lead to MFA fatigue and them accepting MFA prompts without thinking. No one said anything about Phishing resistance, the statement was about MFA fatigue. Number matching is specifically designed to avoid that. Additionally, walk me through the phishing example, that someone is being phished while not logged into the computer? The only way that would be possible if the network was totally compromised and traffic was being redirected, the SSL cert for microsoft was compromised, and they were able to return the correct authentication signature. I'm all for secure methods but at some point its really pedantic

Reply

[-]

TechIncarnate4@reddit

>No one said anything about Phishing resistance, the statement was about MFA fatigue. Number matching is specifically designed to avoid that. Number matching does not prevent phishing. MFA fatigue could contribute to someone being phished, entering in the digits they see on the screen and getting into the system because they are trying to work. WHFB, even only with the PIN, is phishing resistant. I see your point, but I stand by my statement.

Reply

[-]

CharacterLimitHasBee@reddit

On behalf of your users, this sounds awful and will lead to users leaving their system unlocked when they step away from their laptop because they don't want to spend 30 seconds have to grab their phone and do MFA every time they return.

Reply

[-]

oddball667@reddit

Duo probably has what you are looking for

Reply

[-]

chum-guzzling-shark@reddit

I remember seeing discussion about duo and other MFA for Active Directory. Wasn't there some sort of loophole? I vaguely remember you can force MFA for users, but you could still authenticate to AD without MFA through other means so it was pointless from a security standpoint.

Reply

[-]

sarosan@reddit

Yup. [Duo only protects interactive logins](https://help.duo.com/s/article/1079?language=en_US). It can't enforce MFA on `Enter-PSSession` and similar commands.

Reply

[-]

Sprocket45@reddit

The MFA is configured on the device rather than enforced on the account (which you could enforce with Smart Card Required for Interactive Logon, which brings its own set of caveats)

Reply

[-]

AfterEagle@reddit

Another vote for DUO here. Has been rock solid for us.

Reply

[-]

AlexHuntKenny@reddit

Duo was simple to implement and the trust window is long enough to not frustrate the majority of our users, I also vouch

Reply

[-]

Lord_Saren@reddit

I have one major issue and was curious if anyone else ran into it. If I am on a VPN and lock my machine, the Duo Prompt at sign in takes forever to load and sometimes times out the sign-in itself. If I turn off VPN its fine. I've noticed this with a few users who VPN to customer sites.

Reply

[-]

Routine_Brush6877@reddit

\+1 for DUO

Reply

[-]

TeensyTinyPanda@reddit

We use Duo for Windows login and just recently transitioned everyone to passwordless Duo for Windows Login. Everyone loves it.

Reply

[-]

oddball667@reddit

my grizzled sysadmin gut says that's going to result in everyone forgetting their passwords and inevitably requiring a password reset every time they move to a new computer, or something happens and they need to refresh credentials somewhere is that your experience?

Reply

[-]

TeensyTinyPanda@reddit

Yup, everyone forgot their passwords. That's why we did this in the first place XD. When users get a new computer (our users probably get about 5 years, on average, out of their computers), our helpdesk sets up and logs into everything already for them as part of our workflow. If the user doesn't remember their password when we set up the new computer, we reset their password, helpdesk helps them get logged back in to everything (which really just means we give them the new password to use to log back in to everything), and then we're off to the races. We use SAML SSO for all of our cloud apps that IT has control of password management for, so functionally, nobody needs to know their network password except in the cases you mentioned, which have been rare. And it has significantly cut down on post-holiday "I don't remember my password" tickets.

Reply

[-]

daelsant@reddit

Another vote for DUO, user management is simple enough as well.

Reply

[-]

dadoftheclan@reddit

Duo just seems to work and is simple to config/deploy. I've used it in a few environments now and it just does its job. Especially smaller ones where privileged access is only needed to be tracked for a few folks (under 10 seats is free). I'd give it a +1.

Reply

[-]

the_doughboy@reddit

DUO for Windows, it works well enough. OKTA also has a couple of products.

Reply

[-]

secret_configuration@reddit

We use DUO for Windows. It's a "feel good" security measure but it ticks the box.

Reply

[-]

cisco@reddit

We appreciate you choosing DUO and for your recommendation! Would you be open to leaving us a review here: https://cs.co/sectrduo ? Thank you!

Reply

[-]

sidEaNspAn@reddit

WHfB when set up with a PIN or biometrics is a 2FA login, and it works really well. I would be curious about the hard no on biometrics for authentication, with WHfB those biometrics never leave the device and they are not kept anywhere else.

Reply

[-]

Asleep_Spray274@reddit

It's not even bio metrics anyway. No bio metric data is stored. A histographic representation of the face or finger print is stored. You can not that the data and reverse it back to the original face or print

Reply

[-]

pc_load_letter_in_SD@reddit

As stated..web login is your only option here. https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune#configure-web-sign-in

Reply

[-]

doofesohr@reddit

But does that work with hybrid devices? It would be the solution once they can switch to cloud joined devices. Though WHfB is also considered MFA as someone else already mentioned.

Reply

[-]

pc_load_letter_in_SD@reddit

Crap, yeah, you're right, cloud only feature.

Reply

[-]

AutisticToasterBath@reddit

If you go cloud only, you can force the web sign in for windows then that will use the MFA that is configured for that user.

Reply

[-]

AppIdentityGuy@reddit

What is your security department issue with biometric authentication such as WHFB?

Reply

[-]

Secret_Account07@reddit

We use Duo. Works great for several things. VPN included. That would be my recommendation without any budget constraints

Reply

[-]

Beznia@reddit (OP)

I haven't reached out to Duo yet, just looked through their page. Would Duo allow us to utilize our existing Microsoft Authenticator? We just migrated all users from Okta to Entra for authentication a week ago for all authentication and there's a hard requirement to not add another authenticator. It seemed like this would require the Duo app and that's why I haven't looked further with Duo.

Reply

[-]

gwildor@reddit

you can technically configure duo to work with any authenticator, but the user will need to type the 6-digit code: they wont get a push they can just click OK on. As you are looking for a "works everywhere" single solution, and Entra wont work for you needs: someone needs to admit that setting up users with Entra MFA was a mistake and cut their losses. if the requirements have changes; its not unreasonable that the solution may change. CTO needs to put on his big boy pants, do some research, and earn that paycheck.

Reply

[-]

Beznia@reddit (OP)

It's not that they would have to enter the 6 digit code, it's specifically that it would be a second Microsoft Authenticator token to configure. The goal here is to use the same Authenticator token that is tied to our Microsoft accounts. In order to do that, we would have to be configuring an app registration for that vendor in our Entra for whatever application is meant to be authenticating those users. From a business standpoint now after what it took for us to get our 3,000 users and 250 apps migrated from Okta Verify to Entra ID over the past few weeks, I think we would end up dropping this MFA requirement versus switching to a new MFA provider.

Reply

[-]

gwildor@reddit

you have two requirements: single token not abandon the entra work you completed. IMO, you asked us the wrong question. you asked for a solution - the best solution is duo. you dont want duo.. ask us again: how to make entra work for me needs.

Reply

[-]

Beznia@reddit (OP)

I said >The goal here is to utilize the existing Authenticator that our users have tied to their Entra accounts. Microsoft doesn't seem to support this with Windows Hello for Business and we have a hard No from our legal team to use any sort of biometric authentication, which is the reason for the Authenticator requirement. So the solution I'm looking for is what platform would allow to utilize the existing Entra MFA

Reply

[-]

gwildor@reddit

there isnt... you use Entra MFA - everything must be configured to use Entra MFA. If you can inject DUO-stuff, for example, into your Entra workflow - then so can the bad guys: invalidating any reason to use what you have setup. MFA solutions are single provider. you setup 3000+ users with Entra MFA... your computers must use Entra MFA, or your users must have 2 tokens.

Reply

[-]

Beznia@reddit (OP)

My expectation with Duo in that case would be to register Duo in Entra just like any of our other hundreds of applications and grant it the proper API permissions to read from our tenant. It would then be utilizing our same Entra MFA for login to Duo. It appears Duo does not support this.

Reply

[-]

gwildor@reddit

your expectation is not possible. You might as well ask us to built you a teleportation device.

Reply

[-]

Sinsilenc@reddit

Generally duo shops switch to the duo app and replace auth on o365 with duo in totality. I have been running duo for 8 or so years. We have it integrated with about 40 different sso platforms and windows as well.

Reply

[-]

ntrlsur@reddit

I agree. We went full duo and skipped the Microsoft authenticator. Windows Linux Mac it works nicely.

Reply

[-]

Beznia@reddit (OP)

Damn. We just had all ~3,000 users switch from Okta Verify to Microsoft Authenticator last week along with about 250 applications. We wouldn't be able to make that change a second time now.

Reply

[-]

buck-futter@reddit

I would also like the same thing. Duo does a great job for their own app, but it would be nice to reuse the existing entra 2FA

Reply

[-]

ExceptionEX@reddit

Web sign in for windows. It's not without it's issues but works fine.

Reply

[-]

ExceptionEX@reddit

Web sign in for windows, you are prompted with the exact same work flow as if you were trying to login to any entra based web login. Default is number matching via authenticator app. Can use fido if you rather. https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune

Reply

[-]

TeensyTinyPanda@reddit

>Duo seems to only support using their authenticator rather than integrating with our Entra ID. We ran in the opposite direction. We federated our Entra ID with Duo so now all Entra ID logins get passed to Duo for authentication, which then lets us employ Passwordless SSO and MFA for all applications, even the ones that "only support Entra ID." Yes, you have to use Duo's authenticator to get the push, but the upside is that as long Microsoft properly passes authentication to Duo, if anything goes wrong you can contact Duo support, which actually answers the phone, rather than Microsoft support.

Reply

[-]

akdigitalism@reddit

If you're hybrid and/or doing co-management and many of your systems are 1 to 1 plus you're looking at going cloud-native I would look at Windows Hello for business. It'll act as a form of MFA for the user when they're logging in. In your Entra conditional access policies if they're logging in with WHfB that counts as a phishing-resistant MFA method. Here is the different authentication strengths from MS [https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths) if you're using Entra as your IdP then when they're using a corporate system they could use their hello for business to authenticate against the website. If you're in a situation where you have a ton of different users using the same systems then I would say Duo would be something to look at as others have suggested. If you're looking at that option though solely for just MFA at the desktop you could also consider using Duo as the IdP as an option.

Reply

[-]

TerrorToadx@reddit

Wfhb is mfa..

Reply

[-]

masterne0@reddit

We just use Duo for RDP/Windows for both desktops and laptops. You have to configure it with offline mode if the laptops are wandering off the office network but easy to do and test. Works mine for us.

Reply

[-]

kubrador@reddit

yeah you're basically looking at third-party mfa providers since microsoft's own stack doesn't do this. manageeengine and duo are the main players here, though duo's limitation of only supporting their app is annoying when you've already invested in authenticator. the hybrid ad situation makes this more painful since you're essentially bolting on mfa to an on-prem auth system that wasn't designed for it.

Reply

[-]

saxmaster896@reddit

We use miniOrange for MFA into our windows servers. It's, okay. They did do an update recently and now their on premise server runs a ton of micro services which can be annoying if one breaks (looking at you REDIS) and their support is kinda bad. It's good for basic MFA needs, but I'd recommend deploying the actual authentication server using their cloud server

Reply

[-]

mautobu@reddit

I've used duo for this in the past with great success. If you're a Palo Alto shop, it may be possible to used their enforced VPN with saml for login, then conditional access policies.

Reply

[-]

ITguyBass@reddit

Regarding the AD migration, the best thing to do would be to clean as much as you can during this migration. Also, it doesn't need to be instant, so you can use maybe an IT assessment tool to start preparing the migration and clean both users and decommissioned devices under your AD. I imagine the MFA will be directly connected to this new use of EntraID only, so any tool that can identify if MFA is properly enforced for all users is also important.

Reply

Reply to Post

85 Comments