We are preparing to deploy a fleet of Windows 10 laptops and we would use Duo RDP on them to protect them with 2FA. So far we have only used push and Duo tokens, which have worked well, but this is our first attempt to protect a Windows console logon.
I do like auto push and that would be fine enough; however, it appears as if Duo 2FA is required each time the system locks. Since we would like an aggressive lock, our users would need to complete MFA too many times per day. Even with push notifications it’s too much added work to grab your iOS device and accept the prompt.
To perhaps simplify 2FA we could use YubiKeys, so as long as the key is in you can easily complete 2FA. The issue is we feel as if many of our users would just leave the key in the USB port all the time, even if we asked them not to, defeating the purpose of 2FA.
So, what about some sort of biometric solution? Is there a Duo RDP-compatible, YubiKey-like device that can read a fingerprint real quick? Are hardware fingerprint readers a possible solution? We do not want to go full passwordless; we just want an easy and quick way to enforce MFA, easier than push notifications.