Let’s Talk Desktop 2FA

Desktop 2FA is a more modern take on the Two-Factor Authentication idea.  The notion is to add the level of security brought by 2FA to the end-user’s machine.  In an era where data breaches have become the norm, the question is no longer if data will be compromised, but when.  When credentials are captured and data is exposed, Desktop 2FA adds an additional layer of security to ensure personal and private data remains secure.


What is it?

Two-Factor Authentication is not always simple, but the consensus has shifted to a more open approach to end-user security.  Desktop 2FA has capitalized on that shift to provide desirable security features for better protection of sensitive data at a common point of access.  In practice, Desktop 2FA involves going one step further to identify the user.  The goal is to prove that you are who you say you are. 

A username and password are no longer synonymous with identity.  Just because you know a thing or two does not mean you are the CEO of a famous Fortune 500 company or the Dean of a prestigious Higher Education institution.  Unfortunately, the digital age has made it much easier for less than reputable people to find out personal information about someone else, just by looking in the right place.

Desktop 2FA acts as the wall that you raise between your data and those that wish to take it from you.  In days past, this wall would have been a hindrance to users and attackers alike.  Fortunately, popular opinion has changed in the last few decades, and security is not only expected but requested more often than not.


Popular Options and Considerations

Desktop 2FA is like many consumer offerings in which there are multiple options for buyers to consider.  With the increased interest and drive from end-users and the general public, many organizations have implemented a version of Desktop 2FA to help secure data for individual users and enterprises alike.

Some common options are listed below, but this list is by no means complete or definitive.

  • Windows Hello
    • A Microsoft offering that replaces the password altogether. Instead, Microsoft updates the login screen for Windows devices to use either a PIN or a biometric of some sort.  Popular among Windows Hello enthusiasts is the facial recognition software, pointed to by the startlingly simple logo.
  • YubiKey Desktop
    • Provided by Yubico, the YubiKey Desktop 2FA offering also replaces the password in favor of a hard token. Users simply connect the USB device to the machine and away they go – some models allow for Desktop 2FA immediately after inserting the device, while others require a single tap to activate.
    • The Yubico Desktop integration is only available for local accounts (e.g., no Domain/enterprise accounts).
  • BIO-key
    • BIO-Key provides enterprise-ready biometric authentication via fingerprint scanners. This true biometric solution requires the implementation of physical fingerprint readers, but some built-in readers are supported.
    • The solution supports the simple enrollment of multiple fingers to ensure seamless login to the machine.
  • Duo Security
    • Duo Security is a common name in the two-factor authentication sphere, and the Desktop 2FA solution provided by Duo is one of the most well-known. Duo’s Desktop 2FA solution supports Push notifications on Mobile devices, as well as Mobile Authenticator, SMS, and voice call delivery.
    • The solution can be quite pricey.
  • PortalGuard
    • The PortalGuard Desktop 2FA solution is an enterprise-ready solution that allows users to choose from a host of over a dozen different 2FA options that can change based on the specific access scenario.
    • PortalGuard Desktop 2FA utilizes a modified Credential Provider to require true 2FA with a username & password as the first factor, and an out-of-band method for the second.

Best Practices

In terms of Desktop 2FA, Best Practices range from usability to features and flexibility.  Each environment will have unique requirements and may need a tailored solution to find the best fit.  The following is an outline of Best Practices for Desktop 2FA that organizations should consider when analyzing solution options, to have the best chance of satisfying both admins and end-users alike.

  1. Utilize Out-of-Band 2FA
    1. Out-of-Band (OoB) 2FA involves using a 2FA method that occurs via a communication channel outside of the username/password channel. SMS, mobile authenticators, hard tokens, etc. – these are all methods that take the 2FA out of the standard authentication channel to inhibit attackers further.
    2. OoB 2FA adds yet another layer of protection against Man-in-the-Middle attacks as well as other data scraping attempts to bypass honest authentication requirements.
  2. Adjust Security Requirements By User Level
    1. We believe the best approach to Desktop 2FA is to provide your end-users with the most options possible to address various access scenarios. This holds true even if those access scenarios change with the user throughout the week.
      1. Consider remote access, in-office access during regular business hours vs. off-hours, or even offline 2FA.
    2. Secure RDP or VPN Access
      1. Due to the nature of RDP, it is a common attack vector for attackers who have gained a valid username and password. Desktop 2FA can be implemented to prevent the login from succeeding and to further lock down your environment in the event of a set of compromised credentials.
    3. Provide Offline Functionality Where Needed
      1. Offline functionality for Desktop 2FA allows appropriate users to access protected information even when the machine cannot connect to the local network or the internet. Furthermore, offline 2FA secures data against accounts or credentials that are not allowed access while offline by failing closed.
        1. In the event that an unauthorized user attempts to log in locally or after taking the machine offline, they are blocked outright, and no login is allowed.
    4. Allow User Personalized 2FA
      1. In the same vein of flexibility comes user-controlled settings. Providing users with control over which 2FA method they can use for specific actions invokes a sense of purpose and utility to the action.  By enabling users to have a choice of 2FA options – or even to swap between them on the fly – you are reinforcing secure behavior without increasing user frustration.
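The two practices above that are most often misimplemented are the out-of-band second factor (item 1) and offline access that fails closed (item 2.3). The following is an added example, not PortalGuard's or any other vendor's code, that models a desktop login gate with both behaviours: the push approval travels over a separate channel (a constructed stand-in for a mobile push service), and an offline login only proceeds for accounts that have a locally cached offline authenticator (here an RFC 6238 TOTP seed); every other account is denied outright when the machine is offline. All usernames, passwords, seeds and push decisions are constructed for the example.

```python
"""Toy desktop 2FA gate: out-of-band second factor online, fail-closed offline.
Added example with constructed data; not any vendor's implementation."""
import hashlib, hmac, os, struct, time
from dataclasses import dataclass
from typing import Optional

# --- first factor: username + password, stored as salted PBKDF2 hashes ---
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_seed: Optional[bytes] = None   # present only for offline-enrolled users
    push_enrolled: bool = False

def make_account(password: str, *, offline_seed: Optional[bytes] = None,
                 push: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash_pw(password, salt), offline_seed, push)

def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.salt))

# --- offline second factor: TOTP (RFC 6238) from the locally cached seed ---
def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_ok(seed: bytes, code: str, now: int) -> bool:
    # accept the current 30 s step and one step either side to absorb clock drift
    return any(hmac.compare_digest(totp(seed, now + d), code) for d in (-30, 0, 30))

# --- online second factor: out-of-band push (constructed stand-in channel) ---
class PushChannel:
    """The approval never travels over the login channel, so a captured
    password alone cannot produce it. 'approvals' is what the device owner
    tapped; a missing device or no answer counts as a denial."""
    def __init__(self, approvals: dict):
        self.approvals = approvals
    def request_approval(self, username: str) -> bool:
        return self.approvals.get(username, False)

_DUMMY = make_account("placeholder")   # hashed for unknown users to keep timing uniform

def login(users: dict, username: str, password: str, *, online: bool,
          push: Optional[PushChannel] = None, otp: Optional[str] = None,
          now: Optional[int] = None):
    """Return (allowed, reason). Offline logins fail closed for accounts
    without an offline enrollment."""
    acct = users.get(username, _DUMMY)
    if not password_ok(acct, password) or username not in users:
        return False, "first factor rejected"
    if online:
        if acct.push_enrolled and push is not None and push.request_approval(username):
            return True, "online: push approved"
        return False, "online: out-of-band approval missing"
    # offline path: no cached offline authenticator means no login at all
    if acct.totp_seed is None:
        return False, "offline: no offline enrollment, denied"
    if otp is not None and totp_ok(acct.totp_seed, otp, now or int(time.time())):
        return True, "offline: TOTP accepted"
    return False, "offline: TOTP rejected"

# --- constructed sample data ---
SEED = b"constructed-offline-seed"
USERS = {
    "alice": make_account("correct horse", offline_seed=SEED, push=True),
    "bob": make_account("battery staple", push=True),   # no offline enrollment
}
PUSH = PushChannel({"alice": True, "bob": False})

if __name__ == "__main__":
    now = 1_700_000_000
    print(login(USERS, "alice", "correct horse", online=True, push=PUSH))
    print(login(USERS, "bob", "battery staple", online=True, push=PUSH))
    print(login(USERS, "bob", "battery staple", online=False, otp="123456", now=now))
    print(login(USERS, "alice", "correct horse", online=False, otp=totp(SEED, now), now=now))
```

The point of the offline branch is that the decision is made on what is cached, not on what is reachable: an account with a valid password but no offline enrollment gets the same flat denial whether the machine was disconnected by accident or on purpose, which is the fail-closed behaviour item 2.3 describes.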

Desktop 2FA In practice


Desktop 2FA while Online – PortalGuard:

Desktop 2FA while Offline – PortalGuard:

Call to Action/Conclusion

Security and usability are seen as opposite ends of the same pole – two sides of the same coin.  With Desktop 2FA, that is no longer the case.  In a market saturated with options for consumers to choose from, you can be picky with your solution.  With the right solution, usability is a feature of your security implementation, not a begrudging sacrifice.

If you are interested in learning more, please check out the recording of our most recent Tech Talk - Let's Talk Desktop 2FA, or reach out to our team directly.  We would love to hear from you!


Tags: Two-Factor Authentication, Yubico, Biometrics, desktop 2FA, offline desktop 2fa, enable 2fa, security compliance, bio-key, two-step authentication