OTP at Windows 10 login

I’m looking for a simple way to add a 2nd factor to my Windows 10 logins. I’d really like to use the simple time-based 6-digit OTP calculated in a phone app to be that second factor. I’ve seen that it is relatively easy to do this on Linux, but I’m not finding a simple implementation for Windows 10. Can anyone point me in the right direction?

Are you wanting TOTP for just RDP or also local login? And is this a standalone PC or a member of a domain?

1 Like

Primarily interested in local login, but if it works for RDP-ing into another PC, that would be cool too.

Standalone PC.

So TOTP auth is great for preventing credential stuffing/password reuse attacks originating from the outside but this alone will give you very little protection at the local level. Your best protection will be using full disk encryption using Bitlocker (along with TPM and a passphrase at boot), enabling secure boot, power settings, and setting an extended lockout period through in Group Policy for repeated bad passwords.

If you are wanting secure remote access from the outside consider using a VPN in conjunction with certificate based RDP authentication.

PS - I’m not discounting your desire to use TOTP. I’ve got +40 accounts in my authenticator app and use it on every website that offers it… Absolutely swear by it. But it just doesn’t make sense for a local installation unless Microsoft is handling the auth server in their cloud infrastructure (they do have MFA for Microsoft Logins but I don’t think that’s what you are asking).

Thanks for the info. I’m planning to do disk encryption also, but it still seems like a 2nd factor for the account login would be worthwhile. Let’s say my password were compromised via someone shoulder surfing or spy camera or whatever. I might lock the PC to go eat some lunch while some large project files are loading up so I don’t want to shutdown the machine. Someone who has captured my password can now come along and unlock my PC. Obviously I wouldn’t leave it where I think this is remotely likely, but it could happen.

I am unclear on why a separate Auth server would be needed for TOTP. Perhaps I don’t actually understand how TOTP works. I know my phone auth app generates the codes locally based on the clock and a pre-shared secret code. I would assume the Windows PC could do the same thing to generate the demanded code, or generate some corresponding lock that the phone’s code will unlock.

I have traditionally resisted the MS Account for Windows login, but if they can make this MFA happen for me on Windows login I’d consider it. I did some reading on their MFA offering and it seemed like it was only applicable to web logins - outlook, etc, and I do use their TOTP for that. (Frustratingly they only require the TOTP when they feel like it though.) Do you know if that MFA can be extended to the Windows login if it make it a MS Account like they pressure you to do?

Whatever the solution, it has to work without a network connection, since I am sometimes in a factory or whatever with no internet or network connection.

As always with Microsoft, nothing is included, the most basic features requires buying expensive 3rd party add-ons:





That’s a really tough situation to be in and not something I’ve explored at a professional level. Have you considered going password-less with an smartcard based PKI solution? There are likely third-party TOTP solutions that work at the local level but they definitely aren’t mainstream. Maybe someone else can suggest an open source project that has worked for them.

Edit: typos

Yeah, SmartCard or YubiKey are potential other solutions. Just thought I’d go as deep down the TOTP rabbit hole as I can first, since I’m already equipped and familiar with that for web-stuff.

As @rcxb mentioned there are several enterprise/commercial offerings that can do this and so much more, but what I’m really hoping to ferret out is some little standalone thing, perhaps an open source project as you suggest. That exists on Linux, so it seems feasible it may exist for Windows, and I’ve just been unable to find it amongst the “noise.”

Thanks to both of you for your responses.