Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
632
Views
0
Helpful
4
Replies

Trusted devices?

Simon_Weel
Level 1
Level 1

‎09-22-2022 07:26 AM

This may be an incredible stupid question. But I have to ask. Here’s why.
Some time ago, I tested IsDecicions Userlock as MFA solution. All fine and dandy. But: it only protects access to the pc that has the Userlock client installed. In other words; it does NOT prohibit someone from logging on to a (Windows) domain. So if you happen to know the logon credentials of a domain user, then just bring you own pc, without Userlock client, connect it to the network, browse to a server and when it asks for logon credentials, just type in username and password and you’re in. Not exactly what I had in mind.

So I wonder - does Duo work the same way? There’s a topic in the Duo documentation about Device trust, which is only available with Duo Beyond. This seems to imply the ‘lower’ versions of Duo would allow access to a domain in a similar way as Userlock. Any thoughts about this?

0 Helpful
4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

‎09-22-2022 08:01 AM

Yes, Duo Authentication for Windows Logon works in the same way as you have described Userlock.

Duo Device Trust is more about verifying a given endpoint can be used to access a protected application (does it meed a minimum security posture, is that endpoint managed by the organization, etc.), and is separate from verifying the identity of the user.

It sounds like your interest lies in a solution that applies protection at the domain controller for any incoming login request, or extends the AD schema to add additional authentication?

Duo, not DUO.
0 Helpful

Simon_Weel
Level 1
Level 1
In response to DuoKristina

‎09-22-2022 08:54 AM

I’m stunned. What I basically expect from any MFA solution is simple - no access to anything if you don’t provide the mandatory credentials. So if you have a login name and password but no extra token or code, then no access. I mean, why bother implementing MFA if you can gain access with any device that doesn’t have the MFA client? To me, this looks like bolting down all the doors in my house with an extra lock. And then a burglar comes around saying: nah, don’t care - I bring my own door.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Simon_Weel

‎09-22-2022 09:05 AM

Thanks for your feedback. I hope you find a solution that meets your organization’s needs.

Duo, not DUO.
0 Helpful

Simon_Weel
Level 1
Level 1
In response to DuoKristina

‎09-24-2022 07:26 AM

It sounds like your interest lies in a solution that applies protection at the domain controller for any incoming login request, or extends the AD schema to add additional authentication?

Yes, that’s indeed what we’re looking for. I thought this to be pretty much a no-brainer, but apparently it isn’t. I want MFA to protect accounts?

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents