3

I have always been looking for a way to require a Two-Factor Authentication (One Time) Passcode on my Windows Login. Using an algorithm such as TOTP, this should be easy, and require no internet connection, and it could work with something like Google Authenticator to require a 6-digit code generated by my mobile device as I log into my computer. I have been snooping around, and I haven't found any program that can do this, therefore I've come to the conclusion that this is near impossible, and I am looking for validation of that observation.

To be clear, I haven't found any software that can do this, and I'm not looking for a comparison of different products as a recommendation, since that's not what SO is about. I'm simply asking if it is possible, and if so, if there is any software that does it already, or if it is something I'd have to create myself.

3 Answers

3

Microsoft have committed to supporting U2F FIDO2 in an update to Windows 10 for Active Directory authentication. (source)

vk5tu
  • 281
3

Microsoft Active Directory currently supports smartcard authentication as a second factor of authentication. This is designed to support the US Department of Defense "Common Access Card".

Some "security dongle" products support the emulation of a Smartcard and thus can be used with Active Directory today (Microsoft are moving towards FIDO2/WebAuthn but that isn't yet available for on-premises Active Directory). As one example, see this extensive deployment guide from YubiKey.

vk5tu
  • 281
1

I found this one: http://www.rohos.com/rohos-logon-key/, but have not had a chance to try it yet.

Anton
  • 213