Anyone using Desktop MFA for Windows?
Posted by Due-Awareness9392@reddit | sysadmin | 34 comments
We're evaluating desktop MFA for Windows as an additional layer of protection beyond VPN and cloud application MFA. Most discussions around MFA focus on identity providers and SaaS apps, but I'm curious how many organizations are enforcing Windows MFA directly at the workstation or server login stage.
For those who have implemented MFA at the Windows desktop level, what approach worked best? Did it provide meaningful security improvements, especially for privileged accounts and shared devices, or did it end up creating more user friction than expected? Interested in hearing real-world experiences and lessons learned.
chaosphere_mk@reddit
We use Windows Hello for Business for all standard users on desktops. For admin accounts and server access, we use smart card certs on YubiKeys.
We have "Require smart card or Windows Hello for Business" enabled across the board on all devices. Works perfectly. And LAPS still works for emergency scenarios.
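An added example, not from this thread or any commenter: a read-only PowerShell audit of a single device for the configuration described above (smart card / WHfB required at interactive logon, WHfB actually provisioned, LAPS in place). It assumes that the "Require Windows Hello for Business or smart card" security option is backed by the `scforceoption` registry value, that Windows LAPS records its state under the `LAPS\State` key, and that legacy LAPS installs `AdmPwd.dll`; treat those three locations as assumptions to confirm against your own policy documentation.

```powershell
# Added audit example (not the commenter's code). Run as admin on the device
# being checked; it only reads state and changes nothing.
# Assumptions (verify in your environment):
#   - "Interactive logon: Require Windows Hello for Business or smart card"
#     is stored as Policies\System\scforceoption = 1
#   - Windows LAPS keeps state under ...\CurrentVersion\LAPS\State
#   - legacy LAPS installs C:\Program Files\LAPS\CSE\AdmPwd.dll
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'scforceoption'

function Test-SmartCardOrWhfbRequired {
    # Weak setting: value absent or 0 (password logon still allowed).
    # Corrected setting: value 1 (smart card or WHfB required).
    $p = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$PolicyName -eq 1)
}

function Test-WhfbProvisioned {
    # dsregcmd /status reports "NgcSet : YES" once the signed-in user
    # has a Windows Hello for Business key container.
    $out = & dsregcmd.exe /status 2>$null
    return [bool]($out -match 'NgcSet\s*:\s*YES')
}

function Test-LapsPresent {
    # Either Windows LAPS (built in) or legacy LAPS counts as "LAPS in place",
    # which is what keeps the emergency local-admin path working.
    $winLaps = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'
    $legacy  = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
    return ($winLaps -or $legacy)
}

function Get-DesktopMfaPosture {
    $result = [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SmartCardOrWhfbRequired = Test-SmartCardOrWhfbRequired
        WhfbProvisioned         = Test-WhfbProvisioned
        LapsPresent             = Test-LapsPresent
    }
    # A device that enforces the policy without LAPS has no safe break-glass
    # path; a device with WHfB provisioned but no enforcement still accepts
    # passwords at the console. Flag both.
    $result | Add-Member -NotePropertyName Finding -NotePropertyValue $(
        if ($result.SmartCardOrWhfbRequired -and -not $result.LapsPresent) { 'Enforced but no LAPS break-glass' }
        elseif (-not $result.SmartCardOrWhfbRequired) { 'Password logon still permitted' }
        else { 'OK' })
    return $result
}

Get-DesktopMfaPosture | Format-List
```

Point the same three functions at a fleet via `Invoke-Command` to compare the policy value against what your GPO or Intune baseline is supposed to set.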
cjcox4@reddit
Would think the OP is wanting something for a potentially non-Internet dependent world, possibly disconnected from it for some time. But, I'm just guessing. Otherwise live the life of "broken Internet === dead business" (like the Fortune 100).
chaosphere_mk@reddit
It works when you're not connected to the internet. For apps that only use AD, WHfB still grants you a Kerberos ticket. Same for the smart card certs.
cjcox4@reddit
Then, Entra/cloud shouldn't be involved in this at all. Agreed? Why would it be? Just something to think about.
chaosphere_mk@reddit
You can still do it with an AD only environment. But nothing I read in the OP said there are no cloud apps involved.
cjcox4@reddit
Assumption on my part (I think I said that). I think it's difficult to imagine too many "worlds" that exist today that can live for more than days or maybe if fortunate, weeks without Internet access.
So, I took a guess as to why the case might be special, but again, difficult to imagine anymore.
chaosphere_mk@reddit
Yep, I get it. I'm just an expert in WHfB and Entra MFA as a whole, so I've fully explored all of the possibilities in large environments. That sounds not humble at all, but my point is that I don't expect everyone else to know. There is such a thing as air-gapped environments that never have internet access. And it all works there too with the right infrastructure.
cjcox4@reddit
Yes, I have worked gov't. But, outside of that, most businesses are tied directly or indirectly, lifeblood-wise, to something (?) that requires Internet.
Should anyone want to see it all burn....
raip@reddit
Just a point of clarification - if the desktop doesn't have internet access but still has access to the AD - the Cloud Kerberos Trust relationship that WHfB leverages to get a TGT for the on-prem AD doesn't work.
This doesn't really matter though as it's just an extra authentication prompt when the user attempts to get a TGT from on-prem.
Jremy333@reddit
We use DUO on our Desktops for users with Admin access to critical services
Affectionate-Cat-975@reddit
This - We had to provide this for our Cyber Ins policy
Scary_Confection7794@reddit
We use it for all servers and also members of the IT team on their laptops
Due-Awareness9392@reddit (OP)
How's your experience?
Scary_Confection7794@reddit
Perfect. No issues at all. Been running it for the last year on laptops, and on servers for at least 3 years.
Educational_Boot315@reddit
What in the world is Desktop MFA? Are you talking about Okta Device Access? Might be a good idea to mention that in your post.
tk42967@reddit
Our solution prompts for MFA every 14 days. We can provide an auth code from our phones or use our YubiKeys. I guess it puts a limit on how long you can log into a lost or rogue device.
I'd like to see the 14-day timer be more like 2 or 3 days.
anikansk@reddit
I've used Duo for it in the past.
bstevens615@reddit
We currently use Duo and are in a POC for YubiKeys.
tk42967@reddit
We use ADSelfService, which has the ability to use our YubiKeys to MFA into desktops and servers.
We want to end up at Hello for Business.
tk42967@reddit
We want to go to Hello for Business. We're currently using ManageEngine's ADSelfService. It gets the job done, but there is a ton of minutiae to deal with.
YellowLT@reddit
Okta Desktop MFA, though we are testing IR WHfB for giggles.
Suitable-Hand-1059@reddit
We use it for our CUI users, and it’s fine. I like Duo because it makes the act of answering the prompt extremely simple.
bumbo79@reddit
I wonder if the OP has on-prem Active Directory set up currently and is looking for MFA for Active Directory but just worded it strangely? If that's the case, then they might need to check out ADFS....
maryteiss@reddit
I was wondering the same. We see teams deploy UserLock for this use case as well.
Godcry55@reddit
WHfB.
Unique_Inevitable_27@reddit
For privileged accounts and shared devices, where the extra security justifies the additional login step, desktop MFA has proven to be most beneficial. Before implementing it extensively, make sure you test it with a small group of people. While weighing your options, you could also look at OneIdP.
nagdamnit@reddit
Just use Windows Hello for Business.
eyedrops_364@reddit
We use DUO for everything.
Lukage@reddit
It’s just a bot AI post.
Due-Awareness9392@reddit (OP)
How? Can you please explain?
_exclusvty@reddit
Is this just a windows hello post?
Sure-Assignment3892@reddit
This is basically what Windows Hello is.
Server access is governed by a separate "admin" account, with its own set of complex password requirements. It's rotated every 48 hours and you have to retrieve the password from CyberArk.
Lancegoodheart@reddit
Could you elaborate on your exact use case? You could check out Securden to enforce MFA before users log into servers.
AppIdentityGuy@reddit
Have you looked into Windows Hello for Business?