Many UW customers need 2FA for Windows. This analysis looks closely at the enterprise solution provided by UW-IT, Duo for Windows, and summarizes the best 2FA solutions for Windows.
Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons and credentialed UAC elevation prompts.
Scenarios covered by Duo for Windows
Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows logon scenarios:
- Local or domain account logins
- Logins at the local console and/or incoming Remote Desktop (RDP) connections
- Credentialed User Account Control (UAC) elevation requests (e.g. right-click + “Run as administrator”) in v4.1.0 and later
Scenarios not covered by Duo for Windows
Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:
- Shift + right-click “Run as different user”
- PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN, or the Managed Workstation VPN service
Additionally, Duo Authentication for Windows Logon can be bypassed by booting a Windows system into Safe Mode.
The number of gaps in coverage means that, on a workstation with Duo for Windows installed, a well-informed user can easily avoid Duo; it is not a strong security measure.
Other Potential Problems for Duo for Windows
If the user logging into Windows after Duo is installed does not exist in Duo, the user may not be able to log in to the system.
- It’s a good idea to have your BitLocker recovery key available in the event you need to boot into safe mode to uninstall Duo.
- This application doesn’t support Surface Pro X or other devices with ARM processors. Installing Duo for Windows Logon on these devices may block logins, requiring uninstallation from Safe Mode.
Duo service is unavailable
When the workstation cannot contact the Duo service for any reason, there is a potential problem. The options to address this issue are:
- By default, Duo Authentication for Windows Logon will “fail open” and permit the Windows logon to continue if it is unable to contact the Duo service. This represents a problem as it provides a simple way for a regular user or a malicious user to bypass the Duo Authentication process.
- During installation the fail mode can be adjusted to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service. This represents a problem as it will render workstations entirely useless until the Duo service can be successfully contacted.
- Fail open can be disabled and instead “offline access” can be enabled for a select number of users: https://duo.com/docs/rdp#offline-access. This is the best option, but it requires that a set of prerequisites be in place to work correctly.
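Because the fail mode is chosen at install time and is easy to lose track of, an administrator auditing a fleet will want to read it back from each workstation rather than trust the install notes. The script below is an added example, not code from this page, from UW-IT or from Duo. It assumes that the Duo Windows Logon client keeps its settings under the registry key HKLM:\SOFTWARE\Duo Security\DuoCredProv, with a FailOpen DWORD (1 = fail open, 0 = fail closed) and an OfflineAvailable DWORD (1 = offline access enabled); neither the key nor the value names appear on this page, so confirm them against Duo's current documentation before relying on the output.

```powershell
# Added example (not from the UW-IT page or from Duo): report how a workstation's
# Duo Authentication for Windows Logon client behaves when the Duo service is
# unreachable, mapping the result onto the three options described in the text.
#
# Assumption: settings live under the key below, with FailOpen (DWORD,
# 1 = fail open, 0 = fail closed) and OfflineAvailable (DWORD, 1 = offline
# access enabled). Verify these names against Duo's documentation.

$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoFailModeReport {
    [CmdletBinding()]
    param(
        [string]$KeyPath = $DuoKey
    )

    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{
            Installed     = $false
            FailMode      = 'n/a'
            OfflineAccess = $false
            Assessment    = 'Duo for Windows Logon does not appear to be installed.'
        }
    }

    $props = Get-ItemProperty -Path $KeyPath

    # A missing FailOpen value is treated as the default described on the page: fail open.
    $failOpen = if ($null -eq $props.FailOpen) { 1 } else { [int]$props.FailOpen }
    $offline  = if ($null -eq $props.OfflineAvailable) { 0 } else { [int]$props.OfflineAvailable }

    if ($failOpen -eq 1) {
        $failMode   = 'fail open'
        $assessment = 'Logons proceed without 2FA whenever the Duo service is unreachable.'
    }
    elseif ($offline -eq 1) {
        $failMode   = 'fail closed'
        $assessment = 'Fail closed with offline access: only users enrolled for offline access can log on while Duo is unreachable.'
    }
    else {
        $failMode   = 'fail closed'
        $assessment = 'Fail closed without offline access: all logons are denied while Duo is unreachable.'
    }

    [pscustomobject]@{
        Installed     = $true
        FailMode      = $failMode
        OfflineAccess = [bool]$offline
        Assessment    = $assessment
    }
}

# Run locally; wrap in Invoke-Command to collect the same report from many hosts.
Get-DuoFailModeReport | Format-List
```

Run it in an elevated PowerShell session so the HKLM key is readable; on a fleet, the same function can be pushed through your existing remote-management tooling and the Assessment field used to flag any host still in the default fail-open state.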
Duo for Windows is a porous, inadequate security control which does not guarantee that 2FA has taken place before access is granted to a given Windows computer. For this reason, the risks of adding it outweigh the potential benefits: it falsely leads everyone to believe adequate security controls are in place. If Windows 2FA is required, there are known possible solutions which may meet the requirement:
- Azure Virtual Desktop, a cloud-based Windows virtual desktop, can leverage Entra ID Conditional Access to require Duo 2FA or Azure MFA. This does not leverage the Duo for Windows component.
- Windows 365, a cloud-based Windows virtual desktop, can leverage Entra ID Conditional Access to require Duo 2FA or Azure MFA. This does not leverage the Duo for Windows component. This solution is not currently available due to licensing and other requirements. UW-IT is investigating how we can offer Windows 365 and will provide more info as it’s available.
- Windows Hello for Business. UW-IT currently provides the infrastructure required for this solution, but hasn’t yet provided documentation and recommendations for its use. The infrastructure provided by UW-IT requires NETID Active Directory domain join or UW Entra ID device join.