Mac OS X lock screen doesn't prompt for 2FA


#1

I have Duo Security set up on a Mac. For some reason there is no 2FA prompt when the machine is locked.

When the account is logged out it works fine.

Is there a way to set it up so it enforces 2FA authentication after the machine is logged out or locked out?


#2

Hi mohsm, that is expected behavior. As indicated in the documentation, Duo 2FA is only required for new console logons but not when unlocking the computer or when an already logged-on user wakes the system from sleep.

Currently there is no way to prompt for Duo 2FA when unlocking the computer.


#3

Is there a reason for this when it works on Windows 10? And do you know if it is the same with Unix-based systems?


#4

I spoke with one of our developers about this. He shared that it is currently a feature request for our macOS integration.

He also stated that one of the top feature requests for our Windows Logon integration was to make it so that 2FA was not required after locking the system, so that guided the development of the initial release of our macOS integration.


#5

Interesting. I personally think it should be a requirement.

Most of the time I lock my laptop or computer so I am able to carry on what I am doing later on, which is why I would want 2FA on the lock screen.

You can always have a compromise where you can specify a time-out after which the screen lock forces the use of 2FA. That means when you are working at your desk and it locks, no 2FA is required, but after being locked for X minutes, 2FA kicks in.

I do wonder what will end up being chosen considering both features are being requested.


#6

That may be a common feature request from end users, but compliance and security teams want 2FA on the screensaver for good reasons.

Put a tick in the feature request column for macOS for me!


#7

Completely agree with Brian here. This is the only thing that stopped us from getting Duo Security.


#8

One more tick from me too for this. It is already possible to configure PAM on macOS to use another method of MFA to challenge on the lock screen, but I don’t want to promote multiple solutions in an enterprise, and I am hoping that Duo would implement it.

Another one is offline MFA for Mac OS X. (Great job with the Windows one, by the way: "Announcing offline multi-factor authentication for Windows".)