2FA for UAC/Elevation?


#1

Is there a way to intercept the user access control to force 2FA before you elevate your account to admin? (Not at login, but at the elevation prompt)
(Microsoft Windows in particular, but macOS and Linux/UNIX sudo, too)


#2

This article covers the types of logons Duo for Windows Logon protects: https://help.duo.com/s/article/1079. Currently there is no way to invoke Duo for a “run-as” authentication.

Duo Unix can get called for a sudo login.


#3

Thank you, Kristina! Is there anything on the roadmap to develop a way to interrupt the runas/UAC process? The NIST Special Publication 800-171 requires MFA for escalation. We are using the lack of options to justify MFA on the original login combined with authentication logging (that records the elevation attempt), but a real answer would be to force MFA when moving through the elevation process.

-Bob


#4

Please contact your account exec, customer success manager, or Duo support to submit a feature request (or ask to be notified for future status of the feature request).