Locking down Laptop/PCs with 2FA keys

Discussion in 'Business & Enterprise Computing' started by evo800v, Jul 8, 2019.

  1. evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    As the title suggest, love to hear what everyone is doing out there. Due to new customer requirement, we need to lock down PCs that authenticate to AD & local accounts for security measures. Most PCs a either running Windows 7/10 with small numbers on XP.

    Has to be a physical USB key that support FIFO or industry 2FA standard.

    Any suggestions?
     
  2. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,714
    Location:
    NSW
    https://www.yubico.com/why-yubico/for-business/computer-login/windows-login/

    But i guarantee people will just leave the usb key in 24/7
     
  3. OP
    OP
    evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    Being talking with the Yubico guys for the last several days, looks promising. Good thing it using windows native tools so no third party software to manage. Organizing a trial atm.
     
  4. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,352
    Location:
    Canberra
  5. Dr Kildare

    Dr Kildare Medic!

    Joined:
    Jun 27, 2001
    Messages:
    3,898
    Location:
    Melbourne
    Using Yubikeys for a few of our staff that don't have smartphones alongside Okta 2FA.
    Limited use case but does the trick :)
     
  6. OP
    OP
    evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    Windows Hello might be ok for non-joined AD domain but only 15% of the organisation are laptops. So yubikeys + pin/password is the safest option.
     
  7. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,352
    Location:
    Canberra
  8. JuicEmatic

    JuicEmatic Member

    Joined:
    May 14, 2012
    Messages:
    39
    Anyone know of anything that will provide password + biometric in Windows 10?
    Don't want to go passwordless
     
  9. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,352
    Location:
    Canberra
    The link I posted above deals with multifactor auth, have you read this yet?
     
  10. JuicEmatic

    JuicEmatic Member

    Joined:
    May 14, 2012
    Messages:
    39
    I've had a glance and it looks like using Windows Hello doesn't allow for password + biometric (require both to authenticate) login.

    I've actually done a little bit of research found that it's not possible - just thought i'd ask here in case i was wrong.
     
  11. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,352
    Location:
    Canberra
    With PIN Complexity values appropriately set, how is it any different to a password?
     
  12. JuicEmatic

    JuicEmatic Member

    Joined:
    May 14, 2012
    Messages:
    39
    Yeah fair call. i didn't realise you could set a PIN to require the same complexities as a password.
    might be worth another look!
    cheers
     
  13. Varg

    Varg Member

    Joined:
    Oct 2, 2016
    Messages:
    27
    Location:
    Sydney
    I've had my Yubikey for over a year now. It's a solid hardware 2FA solution. Definitely worth every penny.
     
  14. OP
    OP
    evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    I'm using AuthLite with the YubiKeys, what are you using your's Varg ?
     
  15. Varg

    Varg Member

    Joined:
    Oct 2, 2016
    Messages:
    27
    Location:
    Sydney
    Authlite as well. Found it pretty easy to use and to implement with active directory.
     

Share This Page

Advertisement: