RSA tokens with Duo Auth for Windows Logon

We are looking to implement using Duo Authentication for Windows Logon in order to force 2FA on Windows local console logins only. In my testing it is working fine for us using a mobile push or using YubiKeys. However, we are wanting to know if we can use RSA SecurID Hardware Tokens or similar products instead?

This will only be used for local console access using Duo Authentication for Windows Logon. Thank you for any response.

You can use Yubikeys in OTP mode at Windows console logon for 2FA. We also support OTP hardware tokens from other vendors like Gemalto and Vasco (example. Duo also sells OTP hardware tokens for use with our service in packs of 10. You can order them from the Billing area of your Duo Admin Panel.

RSA tokens use proprietary algorithms, so they can’t be imported into Duo.

Token question aside, there is no way to require Duo Authentication for Windows Logon for only console logins. The available configurations are 2FA for RDP connections only, or 2FA for both RDP and local logins, set with the RdpOnly registry value set to 1 for RDP only and 0 for both.

Can Duo protect Remote Desktop Connection logons only?
Can Duo protect local console logins in Windows?

Thank you for the response. We may end up ordering the OTP tokens from Duo, but in the meantime do you know if this OTP hardware token will work for local console logins using Duo Authentication at Windows Logon? Symantec VIP Hardware Authenticator

I think that token may be pre-configured for the Symantec VIP MFA service? I can’t say that I’m aware that any customer has imported it into Duo. It looks like it might be a TOTP (time-based) token. Duo’s service works best with HOTP (event-based) tokens.

In order to import a third-party OTP token into Duo, the vendor must be able to give you the token seeds for you to import into Duo (often this is a PKCS file).

Yubikeys are self-programmable so you don’t need the vendor to provide the seeds.

Excellent. Thank you for the information. We will test using tokens from Onespan (Vasco) and/or the ones directly from Duo. Appreciate it.