Securing YubiKey with Biometrics

We are preparing to deploy a fleet of Windows 10 laptops, and we would use Duo RDP on them to protect them with 2FA. So far we have only used push and Duo tokens, which have worked well, but this is our first attempt to protect a Windows console logon.

I do like auto push, and that would be fine enough; however, it appears as if Duo 2FA is required each time the system locks. Since we would like an aggressive lock, our users would need to complete MFA too many times per day. Even with push notifications, it's too much added work to grab your iOS device and accept the prompt.

To perhaps simplify 2FA we could use YubiKeys, so that as long as the key is in you can easily complete 2FA. The issue is we feel as if many of our users would just leave the key in the USB port all the time, even if we asked them not to, defeating the purpose of 2FA.

So, what about some sort of biometric solution? Is there a Duo RDP compatible YubiKey-like device that can read a fingerprint quickly? Are hardware fingerprint readers a possible solution? We do not want to go fully passwordless; we just want an easy and quick way to enforce MFA, easier than push notifications.

Hi @bryanm, thanks for your question! Also, welcome to the Duo Community. We’re glad to have you here.
Unfortunately, there is no biometric solution that is compatible with Duo for Windows Logon and RDP today (see the help article Does Duo support Windows Hello? for more info on that). Also, a fingerprint scanner will not work with Duo for RDP either, because both replace the same credential provider dynamic link library in Windows.

Your best bet here really is to use a security key such as a YubiKey. Generally speaking, the risk of compromise from leaving a security key in is low, because the attacker would need both primary credentials and access to your physical machine in order to get in.
I also found this statement on YubiKey's website (this is a quote from their Product Finder quiz), which says:

Yubikeys that you leave in the computer are meant to be stationary.

Full quote in the screen capture below:

Granted, you know your own environment better than anyone, so please take my advice for what it is: just a friendly recommendation. I hope this answer helps you!

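Before rolling out Duo for Windows Logon alongside any fingerprint or Windows Hello setup, it is worth seeing exactly which credential providers are registered on a test laptop and which DLL each one loads, since that is where the conflict described in the answer above plays out. The following script is an added example written for this thread; it is not Duo's or Yubico's code, and it makes no assumption about Duo's CLSID. It reads the registry only: the Credential Providers and Credential Provider Filters keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication, resolving each CLSID to its InprocServer32 DLL. The `-Highlight` pattern defaulting to `duo` is an assumption about how Duo names its provider DLL; adjust it to whatever you see on your own machine.

```powershell
# Added example (not Duo's or Yubico's code): enumerate the credential
# providers and credential provider filters registered on this Windows
# machine, with the DLL each one loads, so you can see which components
# share the logon screen with Duo. Read-only; run from an elevated prompt.

$AuthBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Resolve-ProviderDll {
    param([Parameter(Mandatory)][string]$Clsid)
    # A credential provider is an in-process COM server, so its DLL path is
    # the default value of HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32.
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -Path $key) {
        return (Get-ItemProperty -Path $key).'(default)'
    }
    return '<no InprocServer32 registration>'
}

function Get-CredentialProviderInfo {
    param(
        # Either 'Credential Providers' or 'Credential Provider Filters'.
        [ValidateSet('Credential Providers', 'Credential Provider Filters')]
        [string]$Kind = 'Credential Providers'
    )
    $path = Join-Path -Path $AuthBase -ChildPath $Kind
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind     = $Kind
            Clsid    = $clsid
            Name     = $props.'(default)'
            Dll      = Resolve-ProviderDll -Clsid $clsid
            # A provider can be switched off in place with a Disabled=1 DWORD
            # under its own subkey; surface that so a "missing" provider that
            # is merely disabled is not mistaken for an uninstalled one.
            Disabled = ($props.Disabled -eq 1)
        }
    }
}

function Show-CredentialProviders {
    param(
        # Regex matched against the DLL path and name. Assumption: Duo's
        # provider DLL has "duo" somewhere in its path; change as needed.
        [string]$Highlight = 'duo'
    )
    $all = @(Get-CredentialProviderInfo -Kind 'Credential Providers') +
           @(Get-CredentialProviderInfo -Kind 'Credential Provider Filters')

    $all | Sort-Object Kind, Name | Format-Table -AutoSize Kind, Name, Disabled, Dll

    $hits = $all | Where-Object { ($_.Dll + ' ' + $_.Name) -match $Highlight }
    if ($hits) {
        Write-Host "Entries matching '$Highlight':"
        $hits | ForEach-Object { Write-Host ("  {0}: {1} -> {2}" -f $_.Kind, $_.Name, $_.Dll) }
    } else {
        Write-Host "No credential provider or filter matched '$Highlight'."
    }
}

Show-CredentialProviders
```

Run it once on a clean image and again after installing Duo for Windows Logon; a diff of the two listings shows which provider and filter entries Duo added and which existing ones, if any, were disabled, which is the concrete evidence to bring to a support case about coexistence with a fingerprint reader.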

Try the YubiKey Nano (USB-A or USB-C).
These are designed to stay in the laptop and work well for devices assigned to a single user or single logon. If you have a Yubico sales rep, then ask them for one to evaluate. They are usually pretty good about providing one or two for T/E.