Mac OS X lock screen doesn't prompt for 2FA

I have Duo Security set up on a MAC. For some reason there is no 2FA prompt when the machine is locked.

When the account is logged out it works fine.

Is there a way to set up it so it enforces 2FA authentication after the machine is logged out or locked out?

1 Like

Hi mohsm, that is expected behavior. As indicated in the documentation, Duo 2FA is only required for new console logons but not when unlocking the computer or when an already logged-on user wakes the system from sleep.

Currently there is no way to prompt for Duo 2FA when unlocking the computer.

Is there a reason for this when it works on Windows 10? and do you know if it is the same with Unix based systems?

I spoke with one of our developers about this. He shared that it is currently a feature request for our macOS integration.

He also stated that one of the top feature requests for our Windows Logon integration was to make it so that 2FA was not required after locking the system, so that guided the development of the initial release of our macOS integration.

Interesting. I personally think it should be a requirement.

Most of the time I lock my laptop or computer so I am able to carry on what I am doing later on. Which is why I would want 2FA on lock screen.

Can always have a compromise where you can specify a time-out when the screen lock forces to use 2FA. That means when you are working at your desk and it locks, no 2FA required but after being locked for X minutes, 2FA kicks in.

I do wonder what will end up being chosen considering both features are being requested.

That may be a common feature request from end users; but, compliance and security teams want 2fa on the screensaver for good reasons.

Put a tick in the feature request column for macOS for me!


Completely agree with Brian here. This is the only thing that stopped us from getting Duo Security.

One more tick from me too for this. It is already possible to configure pam on macOS to use another method of MFA to challenge on lock screen, but I don’t want to promote multiple solutions in an enterprise, but hoping that Duo would implement it.

Another one is offline MFA for Mac OS X. (Great job with the windows one, by the way Announcing offline multi-factor authentication for Windows)


Agree with Brian and Thomas on the comments they added. Hopefully these features will be resolved in the next version of the macos agent.

totally agree. I need 2fa after the screensaver because I use suspension a lot and my MacBook has 189 days of uptime. (So 2fa only on poweron or reconnect is useless).

Is there any betatester slot avaiable for Mac OS Agent?

Agree with the above. MFA must protect all unlock or logon scenarios. The Windows 10 login meets those requirements and further provides offline access codes. Please enable this for MacOS as soon as possible (and please don’t solicit security requirements from “end users” who simply want security out of the way). Good security can be nearly transparent, easy to use, that’s true. Federal government and DoD contractors will need MFA protection at all unlock or logon scenarios. Also please find a way to support “offline” access codes which help for those who want to secure their laptops while traveling or working from a public location. How do I make a formal feature request?

If you would like to submit a new feature request or add your name to an existing one, please contact Duo Support or your Duo Account Executive or Customer Success Manager.


We also looking for this feature, no one reboots computers daily. If it is lost or stolen someone can get into it, by brute forcing password or seeing user typing in password. For people who don’t want this feature it should be available through policy editor.