Ask Christopher: RDP-Only 2FA – Securely Work From Home

by Will Papa

Ask Christopher is a regular blog column accompanying the Quarterly Newsletter. In this column, Christopher Perry, Senior Technical Support Engineer for BIO-key, relates common questions that customers ask over the course of the quarter. The column dives into the answers to these questions, as well as branching use cases and discussion points. Check back regularly for more!


One of the great unifiers of the recent pandemic has been a huge surge in Work From Home (WFH) use-cases in just about every vertical.  Whether you look at school environments, law firms, or even support teams for Point of Sale machines – just about everyone is utilizing WFH to improve overall health safety without sacrificing service or support.  In these environments, security becomes an even bigger concern.  As such, this particular question surrounds balancing security and usability in this specific pandemic-centric climate.

The Question:

“With WFH being so prevalent in the current climate, is there a simple way to secure access to specific machines when they are accessed remotely?”

The Answer:

The short answer is yes!  The PortalGuard Desktop 2FA Client can be configured on specific machines to only require 2FA when the machine is accessed via RDP.  In this scenario, users who do a direct ‘console’ connection can proceed via single factor.

Work From Home (WFH) has become a staple in the current pandemic-centric environment within which we all operate.  As a result, many organizations are forced to seek out solutions to new requirements that were previously unknown or simply never considered for lack of necessity.  One of those needs is accessing a work machine remotely – especially if said machine cannot be brought home as a stopgap.

One of the most common methods of addressing this issue is to enable and utilize RDP to access workstations remotely. This leads to an increasingly common question being sent my way regarding enabling RDP access without sacrificing security.

The Question:

“With WFH being so prevalent in the current climate, is there a simple way to secure access to specific machines when they are accessed remotely?”


The Answer: 

Absolutely.  The PortalGuard Desktop Two-Factor Authentication (2FA) client allows for RDP-only 2FA to specific machines, while allowing default ‘console’ access to proceed unimpeded.


RDP vs Console Access

RDP has been around for ages, though many individuals know only the acronym and not what it stands for: Remote Desktop Protocol.  RDP is an ever-popular standard for remote access to Windows machines throughout a wide variety of organizations. With millions of users working from home every day, RDP is being used more than ever, including (and especially) in environments where it was never previously deployed.


By contrast, console access refers to accessing the machine locally.  For instance, if you are sitting at your desk in the office, you are utilizing a console access scenario, as opposed to remote access via RDP or another similar protocol. In many cases 2FA is only required when users are not on site, and it can be more of a hindrance than a benefit otherwise.


Granting access to a client machine or server via RDP also means opening the machine up to potential attack.  Therefore, implementing 2FA in this scenario adds additional security to the ‘front door’ to ensure only authorized users are accessing the machine. The added benefit of limiting the 2FA to only RDP access helps to eliminate unnecessary obstacles that may prevent productivity or increase user frustration.
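The RDP-versus-console distinction above is exactly what Windows records in its Security log: a successful logon (event 4624) carries a logon type, where type 2 is an interactive console logon, type 10 is a RemoteInteractive (RDP) logon, and type 11 is a cached logon on a domain-joined machine that cannot reach a domain controller. The following is an added example, not PortalGuard code, that parses a constructed batch of such events, reports which workstations are actually being reached over RDP (the candidates for an RDP-only 2FA policy), and applies the page's rule that only RDP sessions require a second factor. The tab-separated field layout and the sample hostnames, accounts and addresses are assumptions made up for the example; the logon type codes are Microsoft's.

```python
"""Classify Windows Security 4624 logon events by logon type.

Added example (not PortalGuard code): constructed sample events show how
an administrator can tell RDP (RemoteInteractive) logons apart from
console (Interactive) and cached (offline) logons, which is the
distinction an RDP-only 2FA policy hinges on.
"""
from collections import Counter
from dataclasses import dataclass

# Logon type codes as recorded in event 4624 (Microsoft's documented values).
LOGON_TYPES = {
    2: "console",   # Interactive: user at the keyboard
    3: "network",   # Network: file shares, RPC, etc.
    7: "unlock",    # Unlock: workstation unlocked
    10: "rdp",      # RemoteInteractive: Remote Desktop / Terminal Services
    11: "cached",   # CachedInteractive: domain-joined machine off network
}

# Constructed sample export (assumed layout, tab-separated):
# timestamp, workstation, account, logon type, source address ("-" if local).
SAMPLE_EVENTS = """\
2020-09-01T08:02:11\tWS-ACCT-07\tjdoe\t2\t-
2020-09-01T08:15:42\tWS-ACCT-07\tjdoe\t10\t203.0.113.24
2020-09-01T09:01:05\tLAPTOP-14\tmsmith\t11\t-
2020-09-01T09:30:00\tWS-ACCT-07\tsvc-backup\t3\t10.0.0.5
2020-09-01T18:47:13\tWS-ACCT-07\trsmith\t10\t198.51.100.9
"""


@dataclass
class Logon:
    timestamp: str
    workstation: str
    account: str
    logon_type: int
    source_ip: str

    @property
    def category(self):
        """Human-readable category; unknown codes fall through to 'other'."""
        return LOGON_TYPES.get(self.logon_type, "other")

    @property
    def requires_second_factor(self):
        """The policy described on the page: only RDP sessions are challenged."""
        return self.category == "rdp"


def parse_events(text):
    """Parse the tab-separated export into Logon records, skipping blank lines."""
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ws, acct, ltype, ip = line.split("\t")
        logons.append(Logon(ts, ws, acct, int(ltype), ip))
    return logons


def rdp_exposure(logons):
    """Per workstation: the (account, source address) pairs that arrived over RDP.

    Machines that appear here are the ones an RDP-only 2FA policy should cover.
    """
    exposure = {}
    for logon in logons:
        if logon.category == "rdp":
            exposure.setdefault(logon.workstation, set()).add(
                (logon.account, logon.source_ip)
            )
    return exposure


def summarize(logons):
    """Count logons per category, e.g. to compare console vs RDP volume."""
    return Counter(logon.category for logon in logons)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(summarize(events))
    for host, pairs in rdp_exposure(events).items():
        print(host, "reached over RDP by", sorted(pairs))
    for event in events:
        print(event.timestamp, event.account, event.category,
              "2FA" if event.requires_second_factor else "single factor")
```

Run against a real export, the `rdp_exposure` output is the list of machines to enable RDP-only 2FA on, and re-running it after rollout confirms that console logons are still passing through single factor while every type 10 logon is subject to the second factor.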


Further Control

RDP-Only 2FA is a small part of the overall PortalGuard Desktop 2FA experience. The same client also offers the following functionality:

  • Self-Service Password Reset from Windows Login
  • Password Change Detection and Propagation
  • Local Account Login
  • Self-Service Enrollment
  • ‘Offline’ Access for Domain Joined Machines that are taken off network.

Expanding to Off-Network Machines

Especially during the pandemic, WFH means bringing a work machine off network. Many environments will have a mix of users that utilize RDP from a personal machine at home and users that bring a work laptop home instead. One common problem with the latter scenario tends to crop up soon after WFH begins: changing an expired password.  For example, if a user brings a Domain-Joined machine home and his or her password expires, the user must change it on the machine via CTRL + ALT + DEL.

This process allows the user to continue using the machine but will not push the change to the organization’s Active Directory, since the machine is not on the network. This scenario leads to out-of-sync passwords as well as a high level of end-user frustration. The PortalGuard Desktop 2FA Client, on the other hand, uses PortalGuard to apply the change directly against the Domain Controller.  As a result, the user can continue using the machine without issue.

Consider Offline Access

The PortalGuard Desktop 2FA Client also offers offline access support.  This feature benefits those individuals that bring a domain-joined machine home but cannot connect to the PortalGuard server remotely for any given reason.  For example, if the user has spotty internet and cannot connect, they would be considered ‘offline’.  For these access scenarios, the PortalGuard Desktop 2FA client supports Offline 2FA by way of a Mobile Authenticator.  Administrators control the number of times offline 2FA is available, as well as the specific users that may take advantage of it in the first place, maintaining a firm grip on access control.

The Bottom Line

Working from home is not always easy, but it doesn’t have to be a nightmare either.  The end of the summer leading into the fall is a busy time for many organizations: Schools are starting back up, firms are taking in new clients, and business simply cannot afford to slow down.  Nothing brings work to a halt faster than lack of access, but there is no reason to sacrifice security for the sake of moving the needle.

Take advantage of the PortalGuard Desktop 2FA client as needed while everyone works out the WFH routine.  Rest easy knowing that WFH users can still access everything they need, and there are no vulnerabilities as a side effect!

Looking for more information?  Please feel free to reach out with any questions!

Author: Will Papa