Many UW customers need 2FA for Windows. This analysis looks closely at the enterprise solution provided by UW-IT–Duo for Windows, and summarizes the best 2FA solutions for Windows.

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons and credentialed UAC elevation prompts.

Scenarios covered by Duo for Windows

Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows logon scenarios:

Local or domain account logins
Logins at the local console and/or incoming Remote Desktop (RDP) connections
Credentialed User Access Control (UAC) elevation requests (e.g. Right-click + “Run as administrator”) in v4.1.0 and later

Scenarios not covered by Duo for Windows

Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:

Shift + right-click “Run as different user”
PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN, or the Managed Workstation VPN service

Additionally, Duo Authentication for Windows Logon can be bypassed by booting a Windows system into Safe Mode.

The number of “gaps” in coverage mean that for a workstation that has Duo for Windows installed, users can easily avoid Duo if well-informed; it is not a strong security measure.

Duo service is unavailable

When the Duo service can not be contacted by the workstation for any reason, there is a potential problem. The options to address this issue are:

By default, Duo Authentication for Windows Logon will “fail open” and permit the Windows logon to continue if it is unable to contact the Duo service. This represents a problem as it provides a simple way for a regular user or a malicious user to bypass the Duo Authentication process
During installation the fail mode can be adjusted to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service. This represents a problem as it will render workstations entirely useless until the Duo service can be successfully contacted.
Fail open can be disabled and instead “offline access” can be enabled for a select number of users: https://duo.com/docs/rdp#offline-access. This represents the best option but requires a set of prerequisites are in place to work correctly.

Summary

Duo for Windows is a porous, inadequate security control which does not guarantee 2FA has happened to get access to a given Windows computer. For this reason, the risks of adding it outweigh the potential benefits–it falsely leads everyone to believe you have adequate security controls in place. If Windows 2FA is required there are known possible solutions which may meet the requirement:

Azure Virtual Desktop, a cloud-based Windows virtual desktop, can leverage Entra ID Conditional Access to require Duo 2FA or Azure MFA. This does not leverage the Duo for Windows component.
Windows 365, a cloud-based Windows virtual desktop, can leverage Entra ID Conditional Access to require Duo 2FA or Azure MFA. This does not leverage the Duo for Windows component. This solution is not currently available due to licensing and other requirements. UW-IT is investigating how we can offer Windows 365 and will provide more info as it’s available.
Windows Hello for Business. UW-IT currently provides the infrastructure required for this solution, but hasn’t yet provided documentation and recommendations for its use. The infrastructure provided by UW-IT requires NETID Active Directory domain join or UW Entra ID device join.

20220926: Duo and 2FA for Windows

Scenarios covered by Duo for Windows

Scenarios not covered by Duo for Windows

Other Potential Problems for Duo for Windows

Duo service is unavailable

Summary