cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10193
Views
23
Helpful
42
Replies

Protecting Windows login: "remember me" for a day

Eli3
Level 1
Level 1

Below is an email conversation (only slightly edited for sharing publicly) that I had with Stephan from Duo earlier in the year. I am posting it here as I think it would be of interest to the Duo Community and perhaps help garner support for what I think is a missing feature in Duo.

______________________________________________


Duo is truly a very robust and configurable solution. We are current planning a pilot at our company. The one feature that is sorely missing is the existence of a “remember me” feature for Windows login. The same is true for that of RDP logins. As I wrote below, if it’s all or nothing, we have to very reluctantly elect to not at all protect Windows logins with Duo. This is highly disappointing and a glaring omission from Duo’s otherwise comprehensive protection.

I do understand that cookies can’t be saved at that stage of pre-login. [A colleague] said that he spoke to the Duo folks at the recent DattoCon convention. He said that he suggested that Duo could use the IP address to identify a computer and allow it to pass through without Duo challenges on subsequent login attempts. Although it is possible to spoof an IP address, at least give the admins the option to rely on IP addresses to facilitate the “remember me” functionality for Windows logins if they so chose. And if for some reason, this specific approach still wouldn’t work, you have a bunch of clever people over there. I suspect you could figure out a way to make it work.

Although the absence of this functionality probably will not stop us from becoming Duo customers, it has been very close to doing so. Instead of a very strong feeling that we’re comprehensively protecting our users, my feeling would be better described as mediocre. I urge you to prioritize the development of this feature. Duo and its customers – both current and potential – will all benefit.

Thanks,
Eli


Hi Eli,

First, I completely understand your concern and you are far from the only person who has them. I’ll try to technically break down all the reason we are where we are right now here so hopefully everyone has a complete understanding of how this works.

  1. As you mentioned, remembered devices works by setting a cookie, which is not possible in the win logon process (no browser).
  2. No way to whitelist based on IP right now.

The ultimate reason both of these things are impossible is because the winlogon tool lives in something called the Windows Secure Desktop, which by design is a type of desktop that is completely out of scope of other application access. We didn’t necessarily choose to do that, but are somewhat forced into it. As architected by Microsoft, the actual Windows login is a subtype of the Secure Desktop, and to interact with that process, Duo has to live at that same layer, because as mentioned the Secure Desktop has no access to applications that live outside of it.

It is true that even in that space, we do have visibility into the IP of the machine, but only as reported by Windows. This is a problem for a couple reasons. It is sometimes inaccurate, and NAT becomes a problem. In essence, when logging into a local machine we only see the LAN address, or when logging into a machine on the same LAN via RDP we also only see a LAN address because of NAT. We don’t support whitelisting private IPs for security reasons. For example, were I to phish your credentials and stole a company laptop (the common concern behind Duo for winlogon) and you had whitelisted a local IP in a policy, I could accidentally or deliberately bypass 2fa. I could potentially be on an open wifi network and get assigned the same private IP via DHCP (unlikely but possible), or an actual malicious actor could just put the machine on a network with a deliberately small DHCP pool.

Simply summarized, we are a bit hamstrung by Microsoft architecture and we’ve deliberately limited one feature for security.

All that said, we have a dev team solely focused on Microsoft integrations and they are constantly looking for another way to solve for this. I expect that in the future we’ll see more login tools because of webauthn and Windows Hello. This is a bit speculative on my part but I know that our internal teams are investigating these tools as a possible path to solving these issues.

Hopefully this helps makes things a little more clear, and helps ease your concerns that it’s not being addressed. Please let me know if you have any more questions.

Regards,
Stephen


Stephan, instead of crippling Duo’s protection on Windows login, it would be far better to allow the admins to make the determination whether to trust IP addresses as reported by Windows. We would rather enable such a feature, even if its benefit isn’t rock-solid, than completely leave Windows logins unprotected. (And the other extreme of requiring Duo authentication on each and every Windows login / screen unlock would be an unacceptable burden to users.)

By way of analogy, Duo clearly states that SMS authentication isn’t really trustworthy, nonetheless, your documentation says:

We view text messages as better than not having any two-factor authentication, since it still blocks attackers that can’t attack SMS technology.

Granted, the IP reported by Microsoft might be the local IP, but when the request gets sent to your web servers at Duo, you are definitely getting the public IP of the computer. So you do, in fact, have that information. I would never expect you to whitelist a private IP as you mentioned.

And regarding RDPing into a computer remotely, and it causing the same IP to show up on your servers even though the person (attacker) is remote, I agree that’s a concern, but let the client decide if we want to care about that. For example, if I know that RDP is not enabled on my users laptops, then I am fine requiring Duo when outside the corporate office, but not requiring it when inside. Leave the decision to us.

Instead of making the decision for administrators, empower them – along with a warning – to make their own security choices.

Thanks,
Eli

42 Replies 42

Hi @dgarza, thank you for your continued patience. There is still not an update we can share publicly at this time. However, if you are an existing customer with an NDA in place with us, your account executive, Customer Success Manager, or the Duo Support team may be able to share more details with you before the public announcement.

pcolon
Level 1
Level 1

Any progress or updates on this feature?

I’d also be interested in participating in a working beta, if available. My users aren’t thrilled with having to grab their phone for every login. Would love to have a 4 hour “remember me” window.

Hi @pcolon, still no update we can share publicly yet. The team is working on getting this out as quickly as they can. As soon as we have news I can share, I will be sure to post here and inform everyone in this thread of the latest. Thanks for your interest! I’ll reach out via DM with some questions for you to get on the list for public preview.

Please tell me this feature is close to release.

Hi @dherman I can confirm it is really close to release. We don’t have access to it yet, but I have seen the Demo of it working in a test VM.

The team at Duo have done a fantastic job of covering all the angles with this feature request and their logic on what is classified as a “Trusted Session” is fantastic.
They have also done some fantastic work with the deployment process of this feature and how it it managed within the Admin panel policies.

I’m really looking forward to having this feature released in full GA, however considering just how big of an impact this feature would have on all the clients, I’m also very happy with the final testing that is going on at the moment to ensure a smooth roll out.

Any news on the new update?

Hi @dherman,
We’ve done some of the beta testing on this feature and so far I’ve loved it! The team at have done a great job with this feature.
We have found a couple of bugs in our testing, particularly around NTP and time syncing. Most of the bugs we have encountered have been fixed promptly, and I’m hoping that full GA is right around the corner.
We are very excited to roll this out to our clients and significantly improve their Duo experience.

Checking in for an update on this release.

Thanks!

BabbittJE
Level 1
Level 1

I’m a little confused as to why some people would chose to protect their Windows logon. What I do is protect the Remote Desktop Gateway. So, when people logs in remotely, they’re always prompted for Duo. No way would I trust “remember me for 30 days”, especially if it’s from a dynamic IP address like how most home Internet setups are. And, when someone logs in from within the office, it bypasses the RDG and allows us to log into Windows without Duo. A win/win for us.

If you meant to protect a laptop traveling with the user, I guess that’s a different story. But, that fails even then, if you mark “remember me” and it gets stolen the next hour. I would suggest biometrics and a good, strong password. My drives are all encrypted-at-rest with Bitlocker so it can’t be pulled out and read by another computer.

I need a lesson or example on why it’s important to protect at the Windows logon instead of RDG. Thanks in advance.

@BabbittJE Here are some common reasons someone may prefer to apply Duo for Windows Logon at the RDS session host instead of at RDG:

  • They prioritize use of RDG CAP/RAP - Duo for RDG blocks that.
  • They require use of passcodes - Duo for RDG can’t do that.
  • They want to let users select their phone/push 2FA device from multiple attached devices - Duo for RDG can’t do that.

A general reason for choosing to deploy Duo for Windows Logon is that their use case isn’t RDP access but local console logon. Another might be that they do want to protect RDP access but have no interest in purchasing RDS CALs for their organization.

ETA I don’t disagree that physical access to a system wins over many other security measures an org may implement, just like giving the end user local admin also does.

Duo, not DUO.

Ah, I see that, now. Thank you for the enlightenment.

PatrickKnight
Level 1
Level 1

Yes! This is starting to roll out to customers starting today through the 30th.

Blog post about the feature: https://duo.com/blog/windows-logon-will-you-remember-me

Docs: Duo Authentication for Windows Logon and RDP | Duo Security

Thank you so much for all your hard work on this feature @PatrickKnight!

Quick Links