Trusted devices?

This may be an incredibly stupid question. But I have to ask. Here’s why.
Some time ago, I tested IS Decisions UserLock as an MFA solution. All fine and dandy. But: it only protects access to the PC that has the UserLock client installed. In other words: it does NOT prohibit someone from logging on to a (Windows) domain. So if you happen to know the logon credentials of a domain user, then just bring your own PC without the UserLock client, connect it to the network, browse to a server, and when it asks for logon credentials, just type in the username and password and you’re in. Not exactly what I had in mind.

So I wonder - does Duo work the same way? There’s a topic in the Duo documentation about Device trust, which is only available with Duo Beyond. This seems to imply the ‘lower’ versions of Duo would allow access to a domain in a similar way as Userlock. Any thoughts about this?

Yes, Duo Authentication for Windows Logon works in the same way as you have described Userlock.

Duo Device Trust is more about verifying that a given endpoint can be used to access a protected application (does it meet a minimum security posture, is that endpoint managed by the organization, etc.), and is separate from verifying the identity of the user.

It sounds like your interest lies in a solution that applies protection at the domain controller for any incoming login request, or extends the AD schema to add additional authentication?
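A compensating check that follows from the answer above, added here as an example and not part of the thread or of any Duo or UserLock tooling: because an endpoint-installed MFA client only guards the interactive logon on that endpoint, a domain controller still sees the network logons (Event ID 4624, logon type 3) that an unmanaged machine produces when it authenticates to a server share with just a username and password. The script below pulls those events from a DC's Security log and lists the ones whose source workstation is not on a list of hosts known to run the MFA client. The host list `$MfaHosts`, the 24-hour window and the exclusion of computer accounts are assumptions for the example; run it on a DC (or against one with `-ComputerName`) as an account that can read the Security log.

```powershell
# Added example, not from the thread: list network logons (4624 / LogonType 3)
# on a domain controller whose source workstation is NOT known to run the
# MFA logon client. Such logons bypass endpoint-installed MFA entirely.

# Hypothetical list of hostnames that have the MFA client installed (assumption).
$MfaHosts = @('WS01', 'WS02', 'WS03')

# Look back 24 hours (assumption; adjust to taste).
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Parse the EventData fields out of the event XML into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = [int]$data.LogonType
        Workstation = $data.WorkstationName
        SourceIp    = $data.IpAddress
    }
} |
Where-Object {
    $_.LogonType -eq 3 -and                                   # network logon (share, RPC, etc.)
    $_.User -notmatch '\$$' -and                              # skip computer accounts
    $_.User -notmatch 'ANONYMOUS LOGON$' -and                 # skip null sessions
    $_.Workstation -and                                       # source name present
    ($_.Workstation.ToUpper() -notin $MfaHosts)               # not a host with the MFA client
} |
Sort-Object Time -Descending |
Format-Table Time, User, Workstation, SourceIp -AutoSize
```

The workstation name in 4624 is supplied by the client and can be spoofed, so treat this as a detection aid rather than a control: the point is to make visible how many domain authentications never pass through the endpoint MFA client at all. For Kerberos-only traffic the name may be blank, which is why the script drops events with no workstation name; correlate those by `SourceIp` instead.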

I’m stunned. What I basically expect from any MFA solution is simple - no access to anything if you don’t provide the mandatory credentials. So if you have a login name and password but no extra token or code, then no access. I mean, why bother implementing MFA if you can gain access with any device that doesn’t have the MFA client? To me, this looks like bolting down all the doors in my house with an extra lock. And then a burglar comes around saying: nah, don’t care - I bring my own door.

Thanks for your feedback. I hope you find a solution that meets your organization’s needs.

It sounds like your interest lies in a solution that applies protection at the domain controller for any incoming login request, or extends the AD schema to add additional authentication?

Yes, that’s indeed what we’re looking for. I thought this to be pretty much a no-brainer, but apparently it isn’t. I want MFA to protect accounts?