Windows Logon, Will You Remember Me?
Sarah McLachlan, a sage of our time, once opined, “I will remember you. Will you remember me?” and for the longest time Duo for Windows Logon replied, “No.” Today, weep not for the memories of what was, but rejoice because the answer will soon be, “Yes.”
We’re pleased to announce the general availability of Trusted Sessions for Windows laptops and desktops. Trusted Sessions brings the “Remember Me” feature from our browser prompt to Windows Logon, allowing you to trust your local logins with Duo and reduce the number of times users need to complete MFA in the future, saving you lots of time, energy and defenestration of Windows endpoints.
Consider the use case that New Hampshire Ball Bearing, Inc. is looking to solve. The IT Security team of this specialized manufacturing producer uses Duo to comply with the DFARS regulation and enforce corporate security policies. They wanted to ensure that security policies do not create user friction and negatively impact productivity. With Duo’s Trusted Sessions feature, the team reduced multi-factor authentication (MFA) fatigue without compromising on security.
"We protect local device logon with Duo’s MFA to comply with DFARS, and our corporate security policy mandates inactivity screen lock of 5 minutes. This scenario increased user frustration, especially at a time when employees are unable to use FaceID to unlock their MFA device due to mask wearing. Duo’s trusted sessions feature for Windows Logon has greatly reduced our end user hesitancy during MFA deployment while increasing voluntary adoption rates. The majority of our users recognized and enabled the trusted sessions feature organically with no notification or instruction from IT. Now our user base finds Duo unobtrusive and we're able to comply with our MFA mandate without push back from users." —Clayton Girouard, Sr. Systems Engineer - Information Technology, New Hampshire Ball Bearing, Inc. (NHBB)
Enable Trusted Sessions in Just a Couple of Clicks
Reducing user friction has never been so easy for administrators. They can easily enable trusted sessions from the admin console under the “Remembered devices” policy section.
“Remember Me” for Windows Logon
With the Remember Devices for Windows Logon policy enabled, the user will be offered a “Remember Me for X Time” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time, unless something changes. The policy duration can be set from a minimum of one hour to a maximum of 90 days, allowing you to find the time frame that best meets the security considerations of your organization.
One of the core challenges in our research was that logging into an endpoint requires different security properties than logging into a web application. As a result, we had to develop a way to proactively revoke trust whenever we could no longer assert that the user and the device were still in a state that justified continued trust.
To achieve this, we looked at three properties:
- The operating session state. When invoking Duo, we determine whether the authentication attempt is an unlock or a new session. If it’s a new session, Duo will require MFA, and a subsequent unlock will honor the time duration set for “Remember Me.”
- Network location. At each authentication attempt, Duo will snapshot and compare the network state of the user's device to determine whether it has moved off your network. If it has, we'll prompt for MFA.
- User’s choice. Trusted Sessions give users the choice to end a remembered session early by clicking Cancel when logging in during a trusted session.
Now, a reality check. Duo defaults to secure, so if there’s uncertainty about network location we’re going to prompt again. The idea is to streamline MFA attempts, not completely eliminate them. Additionally, we’re not delivering this feature for RDP sessions today. Our research highlighted the need for a robust way to assert that the same user on the same device is returning to the same RDP session before trust can be honored. That opened the door to a new round of research that was beyond our scope and would have seriously delayed delivery. And finally, Offline MFA sessions will not be remembered, because Duo cannot assert certain things about the device. We must assume it is outside normal administrative control and cannot be treated as being in a trustworthy state.
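The three properties above, together with the reality-check constraints, amount to a single decision procedure: prompt unless every condition for continued trust holds. The following Python model is an added illustration of that "default to prompt" logic, not Duo's own code; the session record, the network fingerprint string and the attempt fields are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_TTL = timedelta(hours=1)   # policy floor stated in the post
MAX_TTL = timedelta(days=90)   # policy ceiling stated in the post


@dataclass
class RememberedSession:
    """Trust granted at the last full MFA (hypothetical record, not Duo's format)."""
    user: str
    expires_at: datetime
    network_fingerprint: Optional[str]   # None = network state could not be determined
    trust_revoked: bool = False


@dataclass
class LogonAttempt:
    """Facts observed at the current logon (constructed fields for this example)."""
    user: str
    now: datetime
    is_unlock: bool                      # True = workstation unlock, False = new session
    is_rdp: bool
    is_offline: bool
    network_fingerprint: Optional[str]
    user_cancelled: bool                 # user clicked Cancel to end the trusted session


def clamp_ttl(requested: timedelta) -> timedelta:
    """Keep an admin-chosen 'Remember Me' duration inside the 1 hour .. 90 day range."""
    return max(MIN_TTL, min(MAX_TTL, requested))


def should_prompt_mfa(session: Optional[RememberedSession], attempt: LogonAttempt) -> bool:
    """Return True when a second factor must be requested. Every unknown leads to a prompt."""
    if session is None or session.trust_revoked or session.user != attempt.user:
        return True
    if attempt.is_rdp or attempt.is_offline:       # RDP and offline: never remembered
        return True
    if not attempt.is_unlock:                      # new session: always require MFA
        return True
    if attempt.now >= session.expires_at:          # remembered window has elapsed
        return True
    if attempt.user_cancelled:                     # user ends the trusted session early
        session.trust_revoked = True
        return True
    # Network check: an unknown fingerprint on either side counts as uncertain -> prompt.
    if session.network_fingerprint is None or attempt.network_fingerprint is None:
        return True
    return session.network_fingerprint != attempt.network_fingerprint
```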
“Remember Me” Is Available Now to All Duo Customers
Trusted Sessions for Windows is available as part of all Duo product editions (Duo MFA, Duo Access and Duo Beyond) at no extra cost. Administrators decide which groups of users can use “Remember Me” and for how long.
For more information about Duo’s Windows login capability, read our documentation.
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.