The Benefits of Two-Factor for Your Offline Desktop

17967Why Require Two Factor for Windows Logons?

PortalGuard has offered two-factor authentication for Windows workstations and servers as part of its PortalGuard Desktop offering since 2013. As with all multi-factor initiatives, the primary use case is to increase security. As an example, multiple customers have installed the PortalGuard Desktop 2FA on Windows servers in their environment. If a hacker is able to phish an IT username and password with access to a server and has compromised an internal jump-off point, Desktop 2FA ensures the hacker cannot successfully login to the server remotely using something like RDP since they don't also have the IT account's second factor. The PortalGuard Desktop 2FA feature can allow end users to choose their own default second factor method and supports numerous options such as SMS, Google Authenticator, hardware tokens like YubiKeys or HOTP-based devices and 3rd party solutions like Duo Security's Push offering.

Component Architecture

The PortalGuard Desktop 2FA utilizes real-time HTTPS requests to your organization's PortalGuard instance. A custom Credential Provider is responsible for both collecting the user credentials (username, password and One-Time Passcode/OTP when required), making these HTTPS callouts and interpreting the responses. A Credential Provider filter ensures that other Credential Providers (including the standard Microsoft version that allows login with username and password only) are suppressed and not available options for the user. Communicating with the PortalGuard web server determines the following:

  • Is the provided username and password correct in Active Directory?
  • Is the user required perform multi-factor for a Windows logon?
  • If multi-factor is required, have they provided a valid 2nd factor?

Only when these are all satisfied will the PG Desktop allow the user to logon to the Windows machine.

Prior Limitations

One historical limitation of the PortalGuard Desktop 2FA implementation is its dependency on real-time access to the PortalGuard web server. Considering that 2FA is employed to increase security, the original design decision was to fail "closed" if the PortalGuard server could not be reached over the network.

New Enhancements

The new version of the PortalGuard Desktop now supports multi-factor authentication even when your PortalGuard server is unavailable on the network. The offline multi-factor works with any Time-based OTP generator app like Google Authenticator, Authy or PortalGuard's own mobile app. The user simply must have logged into the Windows machine at least once after enrolling a mobile app through PortalGuard. For users where offline Desktop 2FA is enabled, an encrypted copy of their mobile app secret key is automatically downloaded from the PortalGuard server and staged on the Windows machine. If the PortalGuard server is not available on the network, the PortalGuard Desktop software will look for the staged copy of the mobile app secret and compare the value entered by the user against a value generated using the local copy of the secret.

This even works when the Windows machine is completely off the LAN. Please note this scenario has the additional requirements that the machine allows the storage of cached domain credentials and the domain-based user has logged into the machine at least once before going offline. Cached credentials are allowed in Microsoft's Default domain policy by default but please check your own GPOs and evaluate the benefits and trade-offs of any changes to this setting.

Installation Requirements

As you would expect, modifying the logon flow of a Windows machine requires additional software to be installed on it. The PortalGuard Desktop software is packaged as a standard MSI so it can be pushed out programmatically through most add-on desktop management offerings like SmartDeploy or Microsoft's SCCM and can also be pushed out using nothing more than a Group Policy object. Your PortalGuard server requires changes to support this new functionality so it must be upgraded to version 6.2.2.1.

Questions?

Do you feel that the use of Google Authenticator for 2FA when offline is acceptable? Are there other features you'd like to see in the PortalGuard Desktop? Please let us know or contact us for more information!

Tags: 2FA, #2FASolutions, MFA, Microsoft Active Directory, Multi-Factor Authentication, PortalGuard, #2FA, #One-time password, two-factor, Two-Factor Authentication, Windows 10, #YubiKey, increase security, off network access, Duo Push Security, mobile authenticator, Benefits of 2FA, maintain security privacy, server-to-server communication, PortalGuard Service Provider, improve security, desktop 2FA, credential provider, HTTPS requests, Installation Requirements, offline, offline desktop 2fa, domain policy, modifying

Gregg Browinski

Author: Gregg Browinski