
Mac OS X lock screen doesn't prompt for 2FA

mohsm
Level 1

I have Duo Security set up on a Mac. For some reason there is no 2FA prompt when the machine is locked.

When the account is logged out it works fine.

Is there a way to set it up so it enforces 2FA authentication after the machine is logged out or locked out?

18 Replies

mkorovesisduo
Level 4

Hi mohsm, that is expected behavior. As indicated in the documentation, Duo 2FA is only required for new console logons but not when unlocking the computer or when an already logged-on user wakes the system from sleep.

Currently there is no way to prompt for Duo 2FA when unlocking the computer.

Is there a reason for this when it works on Windows 10? And do you know if it is the same with Unix-based systems?

mkorovesisduo
Level 4

I spoke with one of our developers about this. He shared that it is currently a feature request for our macOS integration.

He also stated that one of the top feature requests for our Windows Logon integration was to make it so that 2FA was not required after locking the system, so that guided the development of the initial release of our macOS integration.

Interesting. I personally think it should be a requirement.

Most of the time I lock my laptop or computer so I am able to carry on what I am doing later on, which is why I would want 2FA on the lock screen.

Can always have a compromise where you can specify a time-out when the screen lock forces you to use 2FA. That means when you are working at your desk and it locks, no 2FA is required, but after being locked for X minutes, 2FA kicks in.

I do wonder what will end up being chosen considering both features are being requested.

That may be a common feature request from end users, but compliance and security teams want 2FA on the screensaver for good reasons.

Put a tick in the feature request column for macOS for me!

Completely agree with Brian here. This is the only thing that stopped us from getting Duo Security.

thomasdang
Level 1

One more tick from me too for this. It is already possible to configure PAM on macOS to use another method of MFA to challenge on lock screen, but I don’t want to promote multiple solutions in an enterprise and am hoping that Duo would implement it.

Another one is offline MFA for Mac OS X. (Great job with the Windows one, by the way: "Announcing offline multi-factor authentication for Windows".)

srnovak
Level 1

Agree with Brian and Thomas on the comments they added. Hopefully these features will be resolved in the next version of the macOS agent.

martinorob
Level 1

Totally agree. I need 2FA after the screensaver because I use suspension a lot and my MacBook has 189 days of uptime. (So 2FA only on power-on or reconnect is useless.)

Is there any beta tester slot available for the Mac OS Agent?

kyle2011
Level 1

Agree with the above. MFA must protect all unlock or logon scenarios. The Windows 10 login meets those requirements and further provides offline access codes. Please enable this for macOS as soon as possible (and please don’t solicit security requirements from “end users” who simply want security out of the way). Good security can be nearly transparent and easy to use, that’s true. Federal government and DoD contractors will need MFA protection at all unlock or logon scenarios. Also please find a way to support “offline” access codes, which help those who want to secure their laptops while traveling or working from a public location. How do I make a formal feature request?

mkorovesisduo
Level 4

If you would like to submit a new feature request or add your name to an existing one, please contact Duo Support or your Duo Account Executive or Customer Success Manager.

Hi,
Is there any update on 2FA for the lock screen and offline codes for Mac?

Nikolay_Arbuzov
Level 1

Hello,

We are also looking for this feature; no one reboots computers daily. If it is lost or stolen, someone can get into it by brute-forcing the password or seeing the user typing in the password. For people who don’t want this feature, it should be available through the policy editor.

Thanks.

nicko1
Level 1

Any update? Where is the support?
