OTP at Windows 10 login

I’m looking for a simple way to add a 2nd factor to my Windows 10 logins. I’d really like to use the simple time-based 6-digit OTP calculated in a phone app to be that second factor. I’ve seen that it is relatively easy to do this on Linux, but I’m not finding a simple implementation for Windows 10. Can anyone point me in the right direction?

1 Like

Are you wanting TOTP for just RDP or also local login? And is this a standalone PC or a member of a domain?

1 Like

Primarily interested in local login, but if it works for RDP-ing into another PC, that would be cool too.

Standalone PC.

1 Like

So TOTP auth is great for preventing credential stuffing/password reuse attacks originating from the outside, but this alone will give you very little protection at the local level. Your best protection will be using full disk encryption using Bitlocker (along with TPM and a passphrase at boot), enabling secure boot, power settings, and setting an extended lockout period through Group Policy for repeated bad passwords.

If you are wanting secure remote access from the outside consider using a VPN in conjunction with certificate based RDP authentication.

PS - I’m not discounting your desire to use TOTP. I’ve got +40 accounts in my authenticator app and use it on every website that offers it… Absolutely swear by it. But it just doesn’t make sense for a local installation unless Microsoft is handling the auth server in their cloud infrastructure (they do have MFA for Microsoft Logins but I don’t think that’s what you are asking).

1 Like

Thanks for the info. I’m planning to do disk encryption also, but it still seems like a 2nd factor for the account login would be worthwhile. Let’s say my password were compromised via someone shoulder surfing or spy camera or whatever. I might lock the PC to go eat some lunch while some large project files are loading up so I don’t want to shutdown the machine. Someone who has captured my password can now come along and unlock my PC. Obviously I wouldn’t leave it where I think this is remotely likely, but it could happen.

I am unclear on why a separate Auth server would be needed for TOTP. Perhaps I don’t actually understand how TOTP works. I know my phone auth app generates the codes locally based on the clock and a pre-shared secret code. I would assume the Windows PC could do the same thing to generate the demanded code, or generate some corresponding lock that the phone’s code will unlock.

I have traditionally resisted the MS Account for Windows login, but if they can make this MFA happen for me on Windows login I’d consider it. I did some reading on their MFA offering and it seemed like it was only applicable to web logins - Outlook, etc., and I do use their TOTP for that. (Frustratingly they only require the TOTP when they feel like it though.) Do you know if that MFA can be extended to the Windows login if I make it an MS Account like they pressure you to do?

Whatever the solution, it has to work without a network connection, since I am sometimes in a factory or whatever with no internet or network connection.
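The question above about whether the PC can generate the same code locally is answered by how TOTP (RFC 6238) is defined: both sides hold the same shared secret and compute HMAC-SHA1 over the current 30-second time step, so a verifier needs only the secret and a reasonably accurate clock, no network. The following is an added example (not code from the original thread or from any product mentioned in it) showing the computation and a verifier that tolerates one step of clock drift and refuses to accept an already-used time step. The secret is the RFC 6238 test-vector key, shown in the base32 form an authenticator app would import; how the secret is stored on the PC (for example protected with DPAPI) is outside this snippet.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 reference test secret ("12345678901234567890"), base32-encoded
# the way it would appear in an enrolment QR code. Constructed test value, not a real key.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6       # code length the phone app displays


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret from an enrolment string (case/padding tolerant)."""
    padded = b32.strip().upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = TIME_STEP, digits: int = DIGITS) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    window=1 accepts the previous, current and next step (phone clock drift).
    A counter at or below last_used_counter is refused so a shoulder-surfed
    code cannot be replayed within the same step.
    """
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue
        candidate = hotp(secret, counter, digits)
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(candidate, submitted):
            return counter
    return None


if __name__ == "__main__":
    key = decode_secret(SHARED_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    matched = verify_totp(key, code, now)
    print("accepted at counter", matched)
    # the same code is refused once its counter has been consumed
    print("replay accepted:", verify_totp(key, code, now, last_used_counter=matched))
```

The verifier keeps only the last accepted counter as state, which is enough to stop a code being reused while its 30-second step is still valid; the drift window should stay small (one step either side) because every extra step widens the set of codes an observer could replay.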

As always with Microsoft, nothing is included; the most basic features require buying expensive 3rd party add-ons:

https://www.rohos.com/2013/02/27/google-authenticator-windows-login/

https://jumpcloud-support.force.com/support/s/article/JumpCloud-Windows-TOTP-MFA

https://docs.secureauth.com/2104/en/login-for-windows-v21-04-configuration-guide.html

https://saaspass.com/download/how-to-install-saaspass-windows-computer-connector/

1 Like

That’s a really tough situation to be in and not something I’ve explored at a professional level. Have you considered going password-less with a smartcard based PKI solution? There are likely third-party TOTP solutions that work at the local level but they definitely aren’t mainstream. Maybe someone else can suggest an open source project that has worked for them.

Edit: typos

Yeah, SmartCard or YubiKey are potential other solutions. Just thought I’d go as deep down the TOTP rabbit hole as I can first, since I’m already equipped and familiar with that for web-stuff.

As @rcxb mentioned there are several enterprise/commercial offerings that can do this and so much more, but what I’m really hoping to ferret out is some little standalone thing, perhaps an open source project as you suggest. That exists on Linux, so it seems feasible it may exist for Windows, and I’ve just been unable to find it amongst the “noise.”

Thanks to both of you for your responses.

1 Like

I recently wanted the same thing. Local standalone PC but wanted an extra layer of security. I ran across multiOTP. It is open source and it works with Google Authenticator. It will take a bit to figure out as the instructions are a bit lacking unless I missed something. I now have it working.

1 Like

What sort of options? We “gave up” on this for the time and went with Windows Hello fingerprint stuff, but I still would prefer a simple OTP code tbh.

I left my phone 4 hours away once; now I use Bitwarden for TOTP.

Hi,

I am afraid that there are only commercial tools available. I am using the CodeB Credential Provider V2 as they are very open to give discounts to students.

Good Luck
Ene

1 Like

I am now pursuing Hello’s multifactor. Still kinda baffled why OTP or MS Authenticator is not an option for one of the factors, but as long as there are 2 factors to get into the PC account I think that would satisfy.

1 Like

I was looking into this a while back for Windows Hello for Business, and you require at minimum:

  • A domain controller (to bind everything together)
  • An AD Certification Authority (to issue certificates through the AD)
  • An AD FS (to integrate Windows to your MFA setup)
  • AN MFA PROVIDER!! (Because of course!!)

Now the kicker is that Microsoft no longer provides a local MFA solution (OTP and what not) and will want you to integrate with Microsoft Entra. If you want to follow that path further let me know and I can dig up the info I had on that!

Ps: “User certificates” also count as MFA and can be issued by AD CS!

Yubico has had an OTP method in play for a while now. I don’t know for how long or how well it works as I’ve never been down that rabbit hole!

Yeah we’re all Azure/Entra, so sounds like any info you have would be applicable to us.

The argument from MS years ago was that Hello PIN technically is 2 factors because it’s theoretically only good on that one device… but it’s so absurdly easy to watch someone poke in a PIN and come back around while they aren’t there to log in and own that machine.

Oh never trusted a simple “PIN”, always had an “alphanumeric” PIN - which ended up converting the entire thing into a 2nd password. But yeah, it’s ridiculously easy to defeat in its initial incantation.

1 Like

Yubikey 5 FIPS has a PIV function

You can enroll the certificate on the YubiKey which requires a 6-8 digit PIN to unlock.

This requires the device be on a domain with a certificate authority and trusted root and intermediate certs being on the domain and domain joined workstations.

Disable and delete all local accounts and BitLocker with network unlock.
This prevents any machine from being able to login outside the domain.

Alternatively, Windows Hello can enroll a physical security key.

Again, my recommendation is the Yubikey 5 FIPS.

It’s FIPS 140-2 compliant as the 140-3 compliant firmware has yet to be approved and made readily available.

TOTP is only as secure as the server serving the requests.

If you are receiving SMS messages for multi factor, it isn’t compliant and is insecure.

Thanks for your insights. We had looked at Yubikey options in the past and may again, but for the moment we’re trying to see what can be done without additional hardware. Plus we know for certain some folks will just leave a Yubikey or smartcard etc in their machine all the time.

Also, we’re all Azure/Entra/Intune - no local domain and no “Azure Domain Services” etc.

The TOTP I use is generated locally on my phone, the drive of which is encrypted. Some folks at work do the same while others use the “push” style approvals. We do not use SMS.

Yubikey or smart card or other “thing you have” would certainly be an answer, but I was and still am perplexed why MS doesn’t leverage the TOTP/Authenticator App they use everywhere else at the PC account login screen. That said, I’m mostly over it, since certainly OTP is a bit more friction and user-hostile than e.g. fingerprint + known PIN, or even as you say a Yubikey + PIN.

Pursuing this with Windows Hello for Business for now:

Multi-Factor (MFA, 2FA) for Windows Login

I should mention, it appears NIST and DOD etc are satisfied that PIN + TPM chip in the machine you’re unlocking complies with the 2FA requirement. So if you just need compliance, PIN alone may be enough.

This is all driven from me knowing how people are not “guarded” when entering their PIN, so it’s tremendously easy to gain access to their Windows account (thereby all their logged-in accounts) if they leave the machine unattended, which they absolutely do.