
I have a need for dual factor authentication on a Windows 10 workstation that is NOT connected to a domain. The user accounts are local. I have not been able to find any solutions that will work without AD. Is there any way to use smartcards, Yubico keys or biometrics in conjunction with password/PIN for logon? Please let me know if more information is needed.

Thanks!

Run5k
Josh Barton
  • You could potentially use BitLocker with PIN so you have the HD encryption level of protection, then you have the PIN level needed to boot, and lastly the correct username and password to sign on, so that'd be three levels of protection I suppose, depending on who you ask, etc. Please note you can have 10 levels of authentication and make it so you have 10 things to authenticate against before it allows you access, and unless the HD is encrypted, the data on the disk is not protected if someone had physical access to the machine. What exactly are you trying to protect or accomplish here? – Vomit IT - Chunky Mess Style Apr 04 '17 at 20:28
  • "is there any way to use smartcards, yubico keys or biometrics in conjunction with password/pin for logon?" - Yes, this is possible, but specifically smartcard and a PIN is possible. The other combinations are not. – Ramhound Apr 04 '17 at 20:29
  • It is a new requirement being passed down from leadership; how would I set up smartcard logon without a domain? I am not aware of how to associate a card with a local Windows account. – Josh Barton Apr 04 '17 at 22:01
  • A smartcard solution seems possible, requiring mostly the local installation of Certificate Services. The rest involves the physical cards, the readers, and the vendor's software. Smartcards may replace the logon, and the vendor's software can also demand password/PIN specific to the card. Without the DC the annoyance would be the individual installation per computer. I think Yubico does what you want, and you can check directly with them. – harrymc Sep 22 '17 at 08:11
  • @dylanweber I did want to at least show you my answer here https://superuser.com/questions/1104810/clearing-tpm-does-not-ask-for-new-password-but-change-owner-password-asks-for/1115768#1115768 from a year or so ago I wrote, but look over the **Configuring Local Group Policy Settings for BitLocker** section for getting BitLocker PIN configuration set up. Just use the fingerprint authentication built-in functionality and be done with your two levels to authenticate. With BitLocker get both PIN and encryption, and then use Wave or whatever fingerprint config software comes with your machine (model). – Vomit IT - Chunky Mess Style Sep 23 '17 at 05:45
  • I assume your hardware has a built-in fingerprint reader and thus has device drivers and configuration software, etc.; otherwise you use an externally connected fingerprint reader that would come with device drivers, software, etc. as well. The encryption with BitLocker will also encrypt the drive, further securing it more than authentication alone. – Vomit IT - Chunky Mess Style Sep 23 '17 at 05:47
  • To the poster: Some answers to the above comments will be useful. – harrymc Sep 27 '17 at 10:46
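The BitLocker TPM+PIN pre-boot layer discussed in the comments above, as an added example that is not part of the thread or of Microsoft's documentation: it sets the local "Require additional authentication at startup" policy values, enables a TPM+PIN protector on the OS volume, and audits the result. It assumes a TPM is present, C: is the OS volume, and the script runs in an elevated PowerShell on a standalone Windows 10 machine.

```powershell
# Added example: BitLocker TPM+PIN startup authentication on a non-domain Windows 10 PC.
# Assumes a TPM, C: as the OS volume, and an elevated shell. The registry values are the
# ones Local Group Policy writes for "Require additional authentication at startup".
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-StartupPinPolicy {
    # For each Use* value: 0 = do not allow, 1 = require, 2 = allow.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1   # policy enabled
        EnableBDEWithNoTPM = 0   # no USB-key fallback without a TPM
        UseTPM             = 0   # TPM alone is not accepted
        UseTPMPIN          = 1   # TPM + PIN is required
        UseTPMKey          = 0
        UseTPMKeyPIN       = 0
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
}

function Enable-OsVolumeTpmPin {
    param([Parameter(Mandatory)][securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Recovery password first: a TPM clear or firmware update must not lock the user out.
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $Pin `
            -EncryptionMethod XtsAes256 -UsedSpaceOnly   # encryption starts after reboot
    } else {
        Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $Pin | Out-Null
        # A leftover TPM-only protector would still unlock the disk without the PIN: remove it.
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    }
    # Return the recovery password so it can be stored offline before the first reboot.
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

function Test-StartupPin {
    # Audit: $true only when a TpmPin protector exists and protection is switched on.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    return ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') -and ($vol.ProtectionStatus -eq 'On')
}

Set-StartupPinPolicy
Enable-OsVolumeTpmPin -Pin (Read-Host -Prompt 'Startup PIN (digits)' -AsSecureString)
Test-StartupPin
```

The PIN must be numeric unless the "Allow enhanced PINs for startup" policy is also enabled; the audit returns $false until the post-reboot hardware test has passed and encryption is active.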

2 Answers


According to this TechNet discussion it is not possible to require two factors for logon using Windows Hello (the logon service for biometrics on Windows) on standalone systems (outside of Active Directory). Factors are all either/or such as fingerprint or PIN.

It might be possible to do this with third party software if it installs itself as a GINA DLL and can read the biometric or other factor and requires a PIN in addition. I'm unsure though if Windows 10 still supports alternative logons via GINA DLLs. You would also need to find a third party GINA DLL program which was able to read your second factor and had the option to require a pin in addition.

There is a third party GINA DLL provider called pGINA which is open source and may be able to be made to meet your needs, but it is unclear whether it will work in Windows 10 or is still being actively developed.

Ben Franske

Yes. I'm using both a fingerprint and a Yubikey with Windows 10. Or you could use password plus Yubikey. Just install the Yubikey logon tool that requires the key be inserted when you log in for your second factor PIV card.