Announcing Offline Multi-Factor Authentication for Windows
Duo’s data centers process the authentication requests from thousands of organizations every day, providing us a great view into usage trends and statistics. (We publish an analysis every year in our Duo Trusted Access Report.)
Based on the huge numbers of Windows laptops, desktops and servers in use, it’s no surprise that Duo’s integration with Windows environments (called Duo WinLogon) is one of our most heavily used integrations, with nearly 10 million authentications per month.
Customers use Duo WinLogon to enforce multi-factor authentication at initial login and return from screen lock. It can be used for remote Windows server access via Remote Desktop Protocol (RDP) or for local logins to Windows laptops and desktops.
MFA for Local Login
Organizations use multi-factor authentication for local Windows login to ensure the identity of users on Windows machines — either to use the applications installed on that machine, or as an on-ramp to the rest of the network. Duo confirms the user’s identity to protect against breaches that could originate from the Windows machine due to phishing and other password-based attacks.
Many of our customers deploy Duo WinLogon specifically to fulfill compliance requirements. For example, government-adjacent organizations such as military contractors are regulated by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS requires these organizations to follow the strict data protection standards outlined in NIST SP 800-171, which mandates “multi-factor authentication for local and network access to privileged accounts.”
Why Offline MFA?
The most commonly seen need for offline MFA is to support users who are required to complete multi-factor authentication but are occasionally offline by the nature of their job function — for example, a frequent traveler on a plane who needs to authenticate to their laptop, or an employee working remotely at a contract customer location, where network access is not allowed.
Introducing Duo WinLogon Offline
In July we began a public beta program for our new WinLogon Offline capability, with general availability planned for October. At that time, it will be available as a feature of Duo MFA, Duo Access and Duo Beyond.
Duo’s modern approach does not require an agent, and it is launched only at the time of login or return from screen lock. With no third-party agent constantly running in the background, Duo avoids issues typically associated with agents, such as high resource consumption and user privacy concerns.
Also, Duo’s approach does not piggyback on top of the Windows RDP protocol. This means that Duo extends offline MFA capability to laptops and desktops, not just to servers.
As you’d expect, deployment and user self-enrollment for WinLogon Offline also follow Duo’s high standards for simplicity and ease of use. Administrators can choose which groups of users are allowed to use offline MFA.
Stay Tuned for More
In the next few weeks we will follow up with another blog post about how Duo with WinLogon Offline works. We’ll dive into the technology and unique design behind it, plus we’ll cover how to deploy and take best advantage of this great new feature.