
How to implement Multi-Factor Authentication (MFA)
- Ann Johnson Corporate Vice President, SCI Business Development
- Christina Morillo Senior Program Manager, Azure Identity Engineering Product Team
Another day, another data breach. If the regular drumbeat of leaked and phished accounts hasn’t persuaded you to switch to Multi-Factor Authentication (MFA) already, maybe the usual January rush of ‘back to work’ password reset requests is making you reconsider. When such an effective option for protecting accounts is available, why wouldn’t you deploy it straight away?
The problem is that deploying MFA at scale is not always straightforward. There are technical issues that may hold you up, but the people side is where you have to start. The eventual goal of an MFA implementation is to enable it for all your users on all of your systems all of the time, but you won’t be able to do that on day one.
To successfully roll out MFA, start by being clear about what you’re going to protect, decide what MFA technology you’re going to use, and understand what the impact on employees is going to be. Otherwise, your MFA deployment might grind to a halt amid complaints from users who run into problems while trying to get their job done.
Before you start on the technical side, remember that delivering MFA across a business is a job for the entire organization, from the security team to business stakeholders to IT departments to HR and to corporate communications and beyond, because it has to support all the business applications, systems, networks and processes without affecting workflow.
Campaign and train
Treat the transition to MFA like a marketing campaign where you need to sell employees on the idea—as well as provide training opportunities along the way. It’s important for staff to understand that MFA is there to support them and protect their accounts and all their data, because that may not be their first thought when met with changes to the way they sign in to the tools they use every day. If you run an effective internal communications campaign that makes it clear to users what they need to do and, more importantly, why they need to do it, you’ll avoid them seeing MFA as a nuisance or misunderstanding it as ‘big brother’ company tracking.
The key is focusing on awareness: in addition to sending emails, put up posters in the elevator and hang banner ads in your buildings, all explaining why you’re making the transition to MFA. Focus on informing your users: explain why you’re making this change, and make it very clear what they will need to do and where they can find instructions, documentation, and support.
Also, provide FAQs and training videos, along with optional training sessions or opportunities to opt in to an early pilot group (especially if you can offer them early access to a new software version that will give them features they need). Recognize that MFA is more work for them than just using a password, and that they will very likely be inconvenienced. Unless you are able to use biometrics on every device, they will have to get used to carrying a security key or a device with an authenticator app with them all the time, so you need them to understand why MFA is so important.
It’s not surprising that users can be concerned about a move to MFA. After all, MFA has sometimes been done badly in the consumer space. They’ll have seen stories about social networks abusing phone numbers entered for security purposes for marketing or of users locked out of their accounts if they’re travelling and unable to get a text message. You’ll need to reassure users who have had bad experiences with consumer MFA and be open to feedback from employees about the impact of MFA policies. Like all tech rollouts, this is a process.
If you’re part of an international business you have more to do, as you need to account for global operations. That needs wider buy-in and a bigger budget, including language support if you must translate training and support documentation. If you don’t know where to start, Microsoft provides communication templates and user documentation you can customize for your organization.
Start with admin accounts
At a minimum, you want to use MFA for all your admins, so start with privileged users. Administrative accounts are your highest value targets and the most urgent to secure, but you can also treat them as a proof of concept for wider adoption. Review who these users are and what privileges they have—there are probably more accounts than you expect with far more privileges than are really needed.
At the same time, look at key business roles where losing access to email—or having unauthorized emails sent—will have a major security impact. Your CEO, CFO, and other senior leaders need to move to MFA to protect business communications.
Use what you’ve learned from rolling out MFA to high-value groups to plan a pilot deployment—which includes employees from across the business who require different levels of security access—so your final MFA deployment is optimized for mainstream employees without hampering the productivity of those working with more sensitive information, whether that’s the finance team handling payroll or developers with commit rights. Consider how you will cover contractors and partners who need access as well.
Plan for wider deployment
Start by looking at what systems you have that users need to sign in to that you can secure with MFA. Remember that includes on-premises systems—you can incorporate MFA into your existing remote access options, using Active Directory Federation Services (AD FS) or Network Policy Server, and use Azure Active Directory (Azure AD) Application Proxy to publish applications for cloud access.
Concentrate on finding any networks or systems where deploying MFA will take more work (for example, if SAML authentication is used) and especially on discovering vulnerable apps that don’t support anything except passwords because they use legacy or basic authentication. This includes older email systems using MAPI, EWS, IMAP4, POP3, SMTP, internal line of business applications, and elderly client applications. Upgrade or update these to support modern authentication and MFA where you can. Where this isn’t possible, you’ll need to restrict them to use on the corporate network until you can replace them, because critical systems that use legacy authentication will block your MFA deployment.
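One way to build that inventory from exported sign-in records is sketched below. This is an added example, not Microsoft's code: the record fields, the protocol label spellings (modelled on the `clientAppUsed` values in Azure AD sign-in exports), the `success` flag, and all sample data are assumptions or constructed for illustration.

```python
import json
from collections import defaultdict

# Protocol labels treated as legacy/basic authentication. The spellings are an
# assumption modelled on Azure AD "clientAppUsed" values; adjust to your export.
LEGACY_CLIENTS = {
    "MAPI Over HTTP", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "Other clients",
}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_SIGNINS = """
{"createdDateTime": "2020-01-06T08:01:12Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients", "success": true}
{"createdDateTime": "2020-01-06T08:05:40Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "success": true}
{"createdDateTime": "2020-01-06T09:12:03Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "success": true}
{"createdDateTime": "2020-01-06T09:30:00Z", "userPrincipalName": "svc-scanner@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "success": true}
{"createdDateTime": "2020-01-07T09:30:00Z", "userPrincipalName": "svc-scanner@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "success": true}
{"createdDateTime": "2020-01-07T10:00:00Z", "userPrincipalName": "carol@example.test", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3", "success": false}
this line is not JSON and must be skipped
{"createdDateTime": "2020-01-07T11:45:10Z", "userPrincipalName": "dave@example.test", "appDisplayName": "Payroll LOB", "clientAppUsed": "Other clients", "success": true}
{"createdDateTime": "2020-01-07T12:00:00Z", "userPrincipalName": "bob@example.test", "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser", "success": true}
"""

REQUIRED_FIELDS = {"userPrincipalName", "appDisplayName", "clientAppUsed"}


def parse_signins(text):
    """Parse JSON-lines records, skipping blank, malformed or incomplete lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and REQUIRED_FIELDS <= rec.keys():
            records.append(rec)
    return records


def legacy_inventory(records):
    """Group successful legacy-protocol sign-ins by (application, protocol)."""
    inv = defaultdict(lambda: {"users": set(), "signins": 0, "last_seen": ""})
    for rec in records:
        if rec["clientAppUsed"] not in LEGACY_CLIENTS or not rec.get("success"):
            continue  # failed attempts are not evidence of real usage
        entry = inv[(rec["appDisplayName"], rec["clientAppUsed"])]
        entry["users"].add(rec["userPrincipalName"].lower())
        entry["signins"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    return dict(inv)


def legacy_only_users(records):
    """Accounts that never signed in with a modern client.

    These are the ones that stop working when password-only protocols are
    blocked, so they need an upgrade path or a network restriction first.
    """
    legacy, modern = set(), set()
    for rec in records:
        if not rec.get("success"):
            continue
        user = rec["userPrincipalName"].lower()
        (legacy if rec["clientAppUsed"] in LEGACY_CLIENTS else modern).add(user)
    return sorted(legacy - modern)


def remediation_order(inventory):
    """Order (application, protocol) pairs by number of affected users."""
    return sorted(inventory, key=lambda k: (-len(inventory[k]["users"]), k))


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    inv = legacy_inventory(recs)
    for key in remediation_order(inv):
        print(key, sorted(inv[key]["users"]), inv[key]["last_seen"])
    print("legacy-only accounts:", legacy_only_users(recs))
```
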
Be prepared to choose which applications to prioritize. As well as an inventory of applications and networks (including remote access options), look at processes like employee onboarding and approval of new applications. Test how applications work with MFA, even when you expect the impact to be minimal. Create a new user without admin access, use that account to sign in with MFA and go through the process of configuring and using the standard set of applications staff will use to see if there are issues. Look at how users will register for MFA and choose which methods and factors to use, and how you will track and audit registrations. You may be able to combine MFA registration with self-service password reset (SSPR) in a ‘one stop shop,’ but it’s important to get users to register quickly so that attackers can’t take over their account by registering for MFA, especially if it’s for a high-value application they don’t use frequently. For new employees, you should make MFA registration part of the onboarding process.
Make MFA easier on employees
MFA is always going to be an extra step, but you can choose MFA options with less friction, like using biometrics in devices or FIDO2 compliant factors such as Feitian or Yubico security keys. Avoid using SMS if possible. Phone-based authentication apps like the Microsoft Authenticator App are an option, and they don’t require a user to hand over control of their personal device. But if you have employees who travel to locations where they may not have connectivity, choose OATH verification codes, which are automatically generated, rather than push notifications, which are usually convenient but require the user to be online. You can even use automated voice calls: letting users press a button on the phone keypad is less intrusive than giving them a passcode to type in on screen.
Offer a choice of alternative factors so people can pick the one that best suits them. Biometrics are extremely convenient, but some employees may be uncomfortable using their fingerprint or face for corporate sign-ins and may prefer receiving an automated voice call.
Make sure that you include mobile devices in your MFA solution, managing them through Mobile Device Management (MDM), so you can use conditional and contextual factors for additional security.
Avoid making MFA onerous; choose when the extra authentication is needed to protect sensitive data and critical systems rather than applying it to every single interaction. Consider using conditional access policies and Azure AD Identity Protection, which allows for triggering two-step verification based on risk detections, as well as pass-through authentication and single-sign-on (SSO).
If MFA means that a user accessing a non-critical file share or calendar on the corporate network from a known device that has all the current OS and antimalware updates sees fewer challenges—and no longer faces the burden of 90-day password resets—then you can actually improve the user experience with MFA.
Have a support plan
Spend some time planning how you will handle failed sign-ins and account lockouts. Even with training, some failed sign-ins will be legitimate users getting it wrong and you need to make it easy for them to get help.
Similarly, have a plan for lost devices. If a security key is lost, the process for reporting that needs to be easy and blame free, so that employees will notify you immediately. You can then expire their sessions, block the security key, and audit the behavior of their account (going back to before they notified you of the loss). Security keys that use biometrics may be a little more expensive, but if they’re lost or stolen, an attacker can’t use them. If possible, make it a simple, automated workflow, using your service desk tools.
You also need to quickly get them connected another way so they can get back to work. We recommend registering more than one device so your users have an alternative sign-in method. Make that second factor convenient enough to use that they’re not unable to do their job, but not so convenient that they keep using it and don’t report the loss. Similarly, make sure you’re set up to automatically deprovision entitlements and factors when employees change roles or leave the organization.
Measure and monitor
As you deploy MFA, monitor the rollout to see what impact it has on both security and productivity and be prepared to make changes to policies or invest in better hardware to make it successful. Track security metrics for failed login attempts, credential phishing that gets blocked and privilege escalations that are denied.
Your MFA marketing campaign also needs to continue during and after deployment, actively reaching out to staff and asking them to take part in polls or feedback sessions. Start that with the pilot group and continue it once everyone is using MFA.
Even when you ask for it, don’t rely on user feedback to tell you about problems. Check helpdesk tickets, logs, and audit options to see if it’s taking users longer to get into systems, or if they’re postponing key tasks because they’re finding MFA difficult, or if security devices are failing or breaking more than expected. New applications and new teams in the business will also mean that MFA deployment needs to be ongoing, and you’ll need to test software updates to see if they break MFA; you have to make it part of the regular IT process.
Continue to educate users about the importance of MFA, including running phishing training and phishing your own employees (with more training for those who are tricked into clicking through to fake links).
MFA isn’t a switch you flip; it’s part of a move to continuous security and assessment that will take time and commitment to implement. But if you approach it in the right way, it’s also the single most effective step you can take to improve security.
About the authors
Ann Johnson is the Corporate Vice President for Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.
Christina Morillo is a Senior Program Manager on the Azure Identity Engineering Product team at Microsoft. She is an information security and technology professional with a background in cloud technologies, enterprise security, and identity and access. Christina advocates and is passionate about making technology less scary and more approachable for the masses. When she is not at work, or spending time with her family, you can find her co-leading Women in Security and Privacy’s NYC chapter and supporting others as an advisor and mentor. She lives in New York City with her husband and children.
The Best Authenticator Apps for 2023
Mobile authenticator apps make logging in to online accounts and websites more secure with multi-factor authentication. These are the top MFA apps we've tested.

PC hardware is nice, but it’s not much use without innovative software. I’ve been reviewing software for PCMag since 2008, and I still get a kick out of seeing what's new in video and photo editing software, and how operating systems change over time. I was privileged to byline the cover story of the last print issue of PC Magazine, the Windows 7 review, and I’ve witnessed every Microsoft win and misstep up to the latest Windows 11.

Leaks and hacks from recent years make it clear that passwords alone don't provide enough security to protect your online banking, social media logins, or even accounts for websites where you shop. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. The security coverage team at PCMag frequently exhorts readers to use MFA.
Authenticator apps, such as Authy, Google Authenticator, and Microsoft Authenticator, enable one of the more secure forms of it. Using one of these apps can even help protect you against stealthy attacks like stalkerware. Enabling MFA is also one of the steps our team recommends to protect yourself from the consequences of a data breach, and it's among the steps you should take if you discover your information has already been involved in a breach.
Our summaries of the best authenticator apps, listed alphabetically, will help you decide which one to use so you can start setting up your accounts to be more secure. If you're looking for the best free authenticator app, you're in luck. They're all free. Below our recommendations, you'll find more information on just how these apps work to keep you safe, as well as criteria you should consider when choosing one.
2FAS
This simple but fully functional app does everything you want in an authenticator. It lets you add online accounts either manually or with a QR code. Unlike Google Authenticator, it can create cloud backups of your registered accounts, either in iCloud for Apple devices or Google Drive for Androids, which is key if you lose your phone or get a new one. The backup is encrypted and only accessible from the 2FAS app. 2FAS doesn't need your phone number or even require you to create an online account, so it's not susceptible to SIM-swapping fraud. You can set a PIN to access the app, and on iPhone it can use FaceID or TouchID. You can add it as a home-screen widget, but there's no Apple Watch app.
Duo Mobile is geared toward corporate apps, especially now that it’s part of Cisco’s portfolio. The app offers enterprise features, such as multi-user deployment options and provisioning, and one-tap push authentication, in addition to one-time passcodes. You can back up Duo Mobile using Google Drive for Android, and using iCloud KeyChain on iPhone.
Google Authenticator
Google’s authenticator app is basic and offers no extra frills. Unlike Microsoft Authenticator, Google Authenticator doesn’t add any special options for its own services. Google Authenticator lacks online backup for your account codes, but you can import them from an old phone to a new one if you have the former on hand. There's no Apple Watch app for Google Authenticator.
LastPass Authenticator (for iPhone)
LastPass Authenticator is separate from the LastPass password manager app, though it offers some synergy with the password manager. Installing LastPass Authenticator is a snap, and if you already have a LastPass account with MFA enabled, you can easily authorize LastPass by tapping a push notification. Also, once the app is set up with your LastPass account, it's easy to create a backup of your authenticator accounts in your LastPass vault, which alleviates some pain when you have to transfer your data to a new phone.
Microsoft Authenticator
Microsoft Authenticator includes secure password generation and lets you log in to Microsoft accounts with a button press. The app also lets schools and workplaces register users’ devices. If you use this app, be sure to turn on account recovery. That way, when you get a new phone, you’ll see an option to recover by signing into your Microsoft account and providing more verifications.
You can require unlocking your phone with PIN or biometric verification to see the codes. Password management options are in a separate tab along the bottom. You can sync with the Microsoft account you associated with the authenticator, and after that, you’ll see the logins you’ve saved and synced from the Edge browser. One problem (and it’s an Apple lock-in issue) is that if you’ve backed up to iCloud, you can’t transfer your saved MFA accounts to an Android device, though that's the case for most authenticators that offer cloud backup.
Twilio Authy
One of Twilio Authy’s big advantages is encrypted cloud backup. However, it’s somewhat concerning that you can add the account to a new phone using “a PIN code sent via a call or an SMS,” according to Authy’s support pages. There’s also an option to enter a private password or passphrase which Authy uses to encrypt login info for your accounts to the cloud. The password is only known to you, so if you forget it, Authy won’t be able to recover the account. It also means that authorities cannot force Authy to unlock your accounts.
Unlike the other apps listed here, Authy requires your phone number when you first set it up. We're not fans of this requirement, since we’d rather have the app consider our phones to be anonymous pieces of hardware; and some have suggested that requiring a phone number opens the app up to SIM-card-swap fraud. Authy’s Help Center offers a workaround, but we'd prefer it just worked more like other authenticator apps. At least there's an Apple Watch app for those who want it.
What Is Multi-Factor Authentication?
As the name implies, MFA means you use more than one type of authentication to unlock an online account or app. Usually, the first way is your password. MFA means you add another factor in addition to that password. Experts classify authentication factors in three groups:
something you know (a password, for example)
something you have (a physical object)
and something you are (a fingerprint or other biometric trait).
When you use an authenticator app, you bolster the password you know with the token, smartphone, or smartwatch that you have.
What's the Best Kind of Multi-Factor Authentication?
Using an authenticator app is one of the better types of MFA. The top option in safety, however, is to use a dedicated key-type MFA device (our favorite at the moment is the YubiKey 5C NFC). These keys produce codes that are transmitted via NFC, Bluetooth, or when you plug them directly into a USB port. Unlike smartphones, they have the advantage of being single-purpose and security-hardened devices. Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Security keys have no batteries, no moving parts, and are extremely durable—but they’re not as convenient to use as your phone. You can now use these devices to secure your Apple ID and your Google account.
There's another common way to do it that's not so good, however: authentication code by text message. Yes, you can implement MFA by having your bank send you a text message with a code that you enter into the site to gain access. But getting codes by phone turns out to be not very secure at all. A vulnerability in SMS messaging is that crooks can reroute text messages. An authenticator app on your smartphone generates codes that never travel through your mobile network, so there's less potential for exposure and compromise. Plus, if your text messages are visible on your lock screen, anyone with your phone can get the code.
How to Set Up an Authenticator App With Your Online Accounts
To set up MFA by app instead of text message, go to your banking site's security settings and look for the multi-factor or two-factor authentication section. Nearly every financial site offers it. Most sites list the simple SMS code option first, but go past that and look for authenticator app support.
Setting up MFA usually involves scanning a QR code on the site with your phone's authenticator app. Note that you can scan the code to more than one phone, if you want a backup. Financial sites usually give you account recovery codes as an additional backup. They're usually long strings of letters and numbers. Save those account recovery codes somewhere safe, such as in a password manager. These codes work in place of an MFA code on your phone, which means they let you still log in to the site if your phone is lost, stolen, or busted.
How Do Authenticator Apps Work?
Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, every time you want to log in to a site, you open the app and copy the code into the secured login page. Voilà, you’re in. The time limit means that if a malefactor manages to get your one-time passcode, it won’t work for them after that 30 seconds.
The codes are generated by doing some math on a long code transmitted by that QR scan and the current time, using a standard HMAC-based one-time password (HOTP) algorithm, sanctioned by the Internet Engineering Task Force. Authenticator apps don’t have any access to your accounts, and after the initial code transfer, they don’t communicate with the site; they simply and dumbly generate codes. You don’t even need phone service for them to work.
Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.
What Should I Look for in an Authenticator App?
Backups of account info. Something to look for when choosing an authenticator app is whether it backs up the account info (encrypted) in case you no longer have the same phone where you originally set it up. Authy, Duo Mobile, LastPass Authenticator, and Microsoft Authenticator offer this, while Google Authenticator does not.
Watch apps. Authy and Microsoft Authenticator offer Apple Watch apps, which makes using an authenticator app even more convenient. Google Authenticator and LastPass don't have Apple Watch apps. With about 100 million of these WatchOS devices in use, it's a convenience that quite a few folks can take advantage of.
No SMS codes. As mentioned, we prefer that authenticator apps do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don't. Twilio is the only app on this list that does it, and as mentioned, there's a workaround.
What's the Safest Third-Party Authenticator App?
The safety of these apps stems from the underlying principles and protocols rather than any implementation by the individual software makers. That said, all those listed here are extremely safe, with a minor point off for Authy; as mentioned in the summary above, it's the only one that requires your phone number and that can be set up using SMS verification—which these apps are supposed to be an improvement over. Safest of all are hardware security keys, like the YubiKey mentioned above.
Be sure not to install an unknown, unrecommended authenticator app that may look good: Malicious impersonators have shown up on app stores. Stick with the recommended ones here from well-known companies.
About Michael Muchmore, Lead Software Analyst

Prior to my current role, I covered software and apps for ExtremeTech, and before that I headed up PCMag’s enterprise software team, but I’m happy to be back in the more accessible realm of consumer software. I’ve attended trade shows of Microsoft, Google, and Apple and written about all of them and their products.
I’m an avid bird photographer and traveler—I’ve been to 40 countries, many with great birds! Because I’m also a classical fan and former performer, I’ve reviewed streaming services that emphasize classical music.
Top 10 Multi-Factor Authentication Software Solutions for 2021
A multi-factor authentication (MFA) solution enables multiple layers of user authentication to gain access to an application, account, or device.
Multi-factor authentication (MFA) is defined as an authentication method that requires more than just the traditional username and password to gain access to an application, account, or device. Other layers of authentication can include one-time passwords (OTPs), key fobs, USB-based key generators, smart cards, and biometric identification. This article lists the top 10 MFA software solutions in 2021.
Multi-factor authentication (MFA) is an authentication method that requires more than just the traditional username and password to gain access to an application, account, or device. Other layers of authentication may include one-time passwords (OTPs), key fobs, USB-based key generators, smart cards, and biometric identification.
When systems rely on just passwords for authentication, the onus of security is on the user and how good their password hygiene is. In fact, according to Verizon’s 2020 DBIR report, 80% of security breaches in 2020 involved compromised passwords. To ensure increased security, companies can incorporate MFA at two points: employee-facing and customer-facing.
There are many factors to consider while integrating an MFA solution with your business. Here are some of the key features to look for:

Essential Features of a Multi-Factor Authentication Solution
1. Granular policies
Access policies are the core of MFA solutions. The MFA solution must support policies at the user, role, and application level. This also ensures that the solution is scalable and consistent.
2. Self-service capabilities
MFA solutions walk a fine line between security and usability. A higher frequency of authentication may result in lower employee productivity and may cause end users to drop off the application. One way to mitigate this problem is to give users more control over which authentication factors they can engage in. Users must be able to pick and modify the login types based on accessibility to tokens.
3. Third-party integrations
At the workforce level, company networks are integrated with multiple third-party solutions such as Dropbox and cloud-based SaaS services. At the user level, payment apps such as Stripe lead the integration arena. The more equipped the MFA solution is to connect with these applications, the easier it will be to adopt. It is also a plus if the MFA software can work well with existing security implementations.
4. Comprehensive dashboard
While a dashboard is something we take for granted in every software solution, it is particularly essential for MFA solutions where authentication and access policies can quickly get complicated. A single dashboard for policy administration and maintenance would go a long way in improving admin response time and productivity.
5. Reports and logs
Some industries require MFA implementation to meet compliance regulations, such as HIPAA and PSD2. In these scenarios, activity logs are required during auditing for compliance reasons. Comprehensive, customizable reports help administrators spot anomalies and breach threats. Good reports and logs play an important role in maintaining security hygiene.
6. Adaptive authentication
All MFA solutions work on three basic factors: knowledge, possession, and inherence. Advanced MFA solutions, however, leverage extra contextual factors. These include the user’s location and time of access request and the health of the device being used.
The MFA software must allow access policies to be tweaked based on these factors, for example, adding an extra authentication step only if the login request comes out of office hours. Users should also be able to access different modes of authentication if the pre-configured tokens are not accessible (e.g., no internet access). This also allows for a smoother user experience.
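A policy of this kind can be expressed as a small decision function; the sketch below is an added example, not any vendor's policy engine. The office hours, home country, factor names, their preference order, and the rule that SMS is refused for privileged or sensitive sign-ins are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed policy parameters (hypothetical values for this example).
OFFICE_HOURS = range(8, 18)          # 08:00 to 17:59, local time
HOME_COUNTRIES = {"US"}
# Offered in this order; SMS is last and never offered for high-value sign-ins.
FACTOR_PREFERENCE = ["fido2_key", "biometric", "oath_code", "push", "voice_call", "sms"]
NEEDS_CONNECTIVITY = {"push", "voice_call", "sms"}
WEAK_FACTORS = {"sms"}


@dataclass(frozen=True)
class SignIn:
    user: str
    is_admin: bool
    sensitive_resource: bool
    when: datetime
    country: str
    on_corporate_network: bool
    device_compliant: bool      # managed, patched, antimalware current
    phone_online: bool          # can the user's phone receive push or calls?
    registered: frozenset       # factors the user has enrolled


def risk_reasons(s):
    """Contextual signals that call for an extra authentication step."""
    checks = [
        (s.is_admin, "privileged account"),
        (s.sensitive_resource, "sensitive resource"),
        (s.when.hour not in OFFICE_HOURS, "outside office hours"),
        (s.country not in HOME_COUNTRIES, "unfamiliar location"),
        (not s.device_compliant, "device not compliant"),
        (not s.on_corporate_network, "off corporate network"),
    ]
    return [reason for hit, reason in checks if hit]


def usable_factors(s, high_value):
    """Enrolled factors that work right now, strongest preference first."""
    usable = []
    for factor in FACTOR_PREFERENCE:
        if factor not in s.registered:
            continue
        if factor in NEEDS_CONNECTIVITY and not s.phone_online:
            continue  # fall back to factors that work without connectivity
        if high_value and factor in WEAK_FACTORS:
            continue
        usable.append(factor)
    return usable


def evaluate(s):
    """Return a decision plus the reasons, so it can be written to an audit log."""
    reasons = risk_reasons(s)
    if not reasons:
        return {"decision": "allow", "reasons": [], "factors": []}
    factors = usable_factors(s, high_value=s.is_admin or s.sensitive_resource)
    if not factors:
        return {"decision": "deny", "reasons": reasons + ["no usable second factor"],
                "factors": []}
    return {"decision": "step_up", "reasons": reasons, "factors": factors}


if __name__ == "__main__":
    # Constructed sign-in: a traveller at night whose phone has no connectivity.
    attempt = SignIn("alice", False, False, datetime(2021, 3, 1, 22, 0), "US",
                     False, True, False, frozenset({"push", "oath_code"}))
    print(evaluate(attempt))
```
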
7. Varied authentication tokens
The number of authentication tokens that can be used is increasing, especially with improvements in tech. Biometric tokens such as fingerprints (inherence) provide the highest level of authentication, while password and security questions (knowledge) are the least reliable.
A good MFA solution provides multiple options across this spectrum. Some popular tokens are OTPs via SMS and phone calls, authenticator apps, push notifications, hardware tokens, soft tokens, biometric-based tokens, and smart cards.
8. Deployment options
MFA solutions can be deployed on the cloud, on-premise, or individual devices. Most enterprises require a hybrid of these because of the varied use cases involved. It is essential that the MFA’s deployment options cater to the organization’s existing architecture. The most popular deployment options right now are policy server deployment on the cloud and policy-server-as-a-service.
Now that we have seen the importance of MFA, let’s dive into some of the best multi-factor authentication software solutions available in 2021.
Disclaimer: These listings are based on publicly available information and vendor websites. Readers are advised to conduct their own extended research on each software. Companies have been listed alphabetically.
1. CISCO Duo Security
Core features:
- Granular policies: It allows for policy implementation at the user level, application level, or globally via an admin dashboard.
- Self-service capabilities: It allows users to choose and update authentication controls.
- Third-party integrations: It can be integrated with iPhones, Android mobiles, and other devices such as the Apple Watch.
- Comprehensive dashboard: Duo Trust Monitor and Duo Device Insights work in tandem to provide administrators with a bird’s eye view of endpoints and activities surrounding them.
- Reports and logs: It provides multiple reports such as a deployment progress report, administrator actions report, and policy impact report. Duo provides authentication logs, administrator logs, and telephony logs for proof of compliance.
- Adaptive authentication: It offers adaptive security policies such as new user security policies, location-specific access policies, etc.
- Multiple deployment options: The Duo Mobile app provides 2FA capabilities to devices on-premise and on the cloud. Duo Restore provides users with the ability to back up and restore the Duo Mobile app.
Supported authentication methods: TOTP passcodes, Duo push for push notification-based authentication, SMS passcodes and phone callbacks, U2F USB devices such as Yubico’s YubiKey, built-in biometric authenticators such as TouchID via WebAuthn (Web Authentication API), and bypass code if 2FA mechanisms aren’t accessible.
Customer support: Duo Security provides detailed online documentation. Duo Support can be contacted by initiating a case, sending an email, calling, or launching a one-on-one chat. Duo Care Premium Customer Support provides 24×7 support with prioritized issue resolution.
Pricing: Duo provides four subscription packs with varying feature support:
- Duo Free – Free up to 10 users
- Duo MFA – $3 per user per month
- Duo Access – $6 per user per month
- Duo Beyond – $9 per user per month
Editorial comments: Duo Security can be implemented across different types of organizations, from small businesses to enterprises, based on the subscription plan. The setup and configuration experience seems to be heavily dependent on customer support. Some users also report a lag in authentication notifications and policy reflection, especially for larger implementations.
2. Idaptive MFA
- Granular policies: Idaptive allows the creation of finely tuned access policies.
- Self-service capabilities: The Idaptive user portal enables self-service enrollment for users to add and modify authentication factors.
- Third-party integrations: Idaptive MFA can be integrated into cloud apps, legacy apps, endpoints, VPNs, RADIUS servers, virtual desktops, and identity providers. It integrates with SSO using federation standards such as SAML.
- Comprehensive dashboard: It has a streamlined dashboard.
- Reports and logs: It provides reports of authentication activities, such as secondary authentication failures, successful login attempts, and most-used authentication factors.
- Adaptive authentication: It considers the MFA bypass period and dynamically adjusts authentication requirements based on risk.
- Multiple deployment options: Idaptive MFA provides flexible deployment options.
Supported authentication methods: FIDO2 keys, virtual and hardware tokens, OATH-based mobile authenticators, push notifications, SMS messages, emails, interactive phone calls, security messages, and derived credentials.
Customer support: Idaptive provides an online support portal for customers.
Pricing: Idaptive’s standard MFA is priced at $2.50/user/month, while the adaptive MFA is $5/user/month. It also provides an SSO solution between $2-$4/user/month. It offers a 30-day free trial.
Editorial comments: Idaptive is best for SMEs and has excellent integration with HR platforms such as WorkDay. Customers report that the pricing structure is complicated and can quickly inflate to high costs if not considered carefully. It also requires better documentation.
3. OKTA Adaptive Multi-Factor Authentication
- Granular policies: Policies can be based on a variety of factors such as location, group definitions, and authentication type.
- Self-service capabilities: OKTA provides self-service registration (SSR) for users.
- Third-party integrations: OKTA MFA integrates with multiple third-party apps, VPN, servers, VDIs, identity providers, and cloud access security brokers. OKTA Verify Push with biometrics integrates with custom enterprise apps.
- Comprehensive dashboard: It boasts an easy-to-use dashboard.
- Reports and logs: It provides detailed authentication logs and preset reports for audits.
- Adaptive authentication: It supports adaptive MFA by considering location context, device context, and network context.
- Multiple deployment options: It is a cloud-based solution.
Supported authentication methods: Verify OTP, verify push, email, SMS, voice, U2F, and integrations with third-party authenticators, such as Duo, Symantec VIP, RSA, and Yubikey. It also works with Windows Hello and Apple TouchID.
Customer support: The OKTA help center is available on call. It provides five customer support packages: Basic, Premier, Premier Access, Premier Plus, and OKTA For Good.
Pricing: OKTA’s MFA solution is priced at $3 per user per month, and adaptive MFA at $6 per user per month. The minimum annual contract starts at $1,500. It also provides a 30-day free trial.
Editorial comments: OKTA is ideal for medium to large enterprises with a budget to spare. OKTA For Good focuses on providing authentication services for nonprofits. From a user-experience perspective, several users report problems with constant re-logging during the day.
4. OneLogin
- Granular policies: OneLogin allows the configuration of user policies at even password and session levels.
- Self-service capabilities: Users can reset passwords and request access applications.
- Third-party integrations: It can be integrated with other third-party authentication providers such as Symantec, Yubico, RSA, Duo, and OneLogin.
- Comprehensive dashboard: It empowers administrators with an intuitive status dashboard.
- Reports and logs: OneLogin generates analytics and policy reports particularly aligned with compliance auditing.
- Adaptive authentication: OneLogin’s SmartFactor Authentication™ is an adaptive authentication product that calculates the Vigilance AI™ risk score to adjust authentication in real time.
- Multiple deployment options: OneLogin Protect is available for Android, Android Wear, Apple iOS, and Apple watchOS.
Supported authentication methods: Authenticator app, email, SMS, voice, WebAuthn for biometric factors, and third-party options such as Google Authenticator, Yubico, Duo Security, RSA SecurID, etc.
Customer support: OneLogin has online documentation and webinars for onboarding customers. The OneLogin support hotline can be used to reach its support team.
Pricing: Pricing varies depending on the chosen products. OneLogin MFA costs $2 per user per month and requires the mandatory purchase of OneLogin SSO, which costs another $2 per user per month. SmartFactor authentication is priced at $5 per user per month.
Editorial comments: OneLogin does a good job of consolidating all apps that need to be accessed. It works well for organizations that require intuitive, user-facing MFA solutions. The company needs to provide activity logs and a robust admin dashboard, which is essential for maintaining policies.
5. OneSpan (previously known as Vasco)
Core features:
- Granular policies: OneSpan comes with its own set of comprehensive rules and policies, all customizable and extendable to meet the organization’s needs.
- Self-service capabilities: OneSpan supports self-service processes.
- Third-party integrations: It enables third-party integrations.
- Comprehensive dashboard: It offers an intuitive, web-based interface that provides the administration visibility and features to manage a large number of users.
- Reports and logs: OneSpan supports web-based reporting platforms.
- Adaptive authentication: OneSpan’s Intelligent Adaptive Authentication applies a precise level of security for each unique customer interaction.
- Multiple deployment options: OneSpan offers seven different authentication products focusing on different platforms such as cloud and mobile. When deployed synchronously, it forms a robust MFA system.
Supported authentication methods:
- FIDO U2F-, UAF-, and FIDO2-based authenticators such as Digipass hardware authenticators: key tokens and display cards.
- Mobile push notifications, TOTP using a mobile authenticator app, and biometrics.
- OneSpan Sign for digital signatures.
Customer support: OneSpan’s support team can be reached by phone or email. It has an online developer and admin community. Customers can alternatively sign up for its professional services.
Pricing: OneSpan offers yearly licenses for each product, with pricing based on the number of users. It starts at $570.
Editorial comments: OneSpan’s encrypted offerings and compliance-ready solutions make it an ideal solution for finance-based and banking organizations. It also makes sense for apps that require banking transactions. While opting for OneSpan’s products, maintenance costs need to be considered beforehand.
6. Ping Identity Multi-Factor Authentication
- Granular policies: Policies can be configured through the admin console or by using APIs.
- Self-service capabilities: It offers self-service features to administrators, developers, and users to customize.
- Third-party integrations: It provides MFA for web apps, VPN, SSH, Windows login, Mac login, RDP, AD FS, and Azure AD.
- Comprehensive dashboard: It has dashboards for admin insights into MFA usage and SMS costs.
- Reports and logs: Ping Identity generates intuitive reports.
- Adaptive authentication: It leverages risk-based policies and other context-based factors such as IP reputation to determine if the customer requires MFA in different scenarios.
- Multiple deployment options: It is a cloud-based solution that connects to existing systems using web services. PingID’s implementation options include a mobile application for Android and Apple, a desktop app, and PingID APIs.
Supported authentication methods: Fingerprint, facial recognition, swipe, mobile soft token, Apple Watch app, FIDO2 biometrics, security key, desktop soft token, authentication app, OATH token, hard token (YubiKey’s Yubico OTP), email, SMS OTP, and voice OTP.
Customer support: Ping Identity has an online user community. It also has online user documentation and a developer knowledge base. Users can reach the support team by raising tickets. They can alternatively opt for Ping’s professional services.
Pricing: Pricing starts at $3 per user per month for just PingID and SSO. It varies based on which bundle of Ping’s offerings you choose from, such as privacy & consent management, unified customer profiles, and risk management. It offers a 30-day free trial.
Editorial comments: PingID provides a scalable and flexible solution that makes it ideal for large enterprises that primarily run on the cloud. It does seem to lack a comprehensive dashboard to help admins with monitoring and maintenance. Reports are also very basic compared to other solutions in the market.
7. RSA SecurID Access
- Granular policies: RSA comes pre-configured with token and access policies that can be customized and extended.
- Self-service capabilities: RSA provides self-service capabilities.
- Third-party integrations: It supports connectors and standard agents for SAML- and RADIUS-based applications, as well as for IIS/Apache, Windows, Unix/Linux, and ADFS.
- Comprehensive dashboard: The dashboard uses machine learning for behavioral analytics, business context, and threat intelligence.
- Reports and logs: RSA NetWitness® Platform provides user and entity behavioral analytics (UEBA) to raise alarms of suspicious user activity on the network. RSA Archer® Suite provides insights into how a user’s access could impact the business and its associated compliance posture.
- Adaptive authentication: Admins can set up conditional access policies based on IP address, country, trusted location, network, etc. It also supports risk-based policies such as identity confidence and threat awareness.
- Multiple deployment options: RSA SecurID Access can be implemented on VPN, on-prem apps, SaaS, cloud, and existing SSO. It can be deployed on-premise and on the cloud.
Supported authentication methods: Push notification, one-time password, SMS, voice callback, biometrics, wearables, FIDO and U2F hard tokens, and RSA Soft tokens.
Customer support: RSA SecurID Access provides online tech documentation as well as an online community of users. It also provides personalized support services with a designated support engineer or a technical account manager.
Pricing: RSA SecurID Access has three editions, with pricing depending on the total number of users covered.
- Base – $1 to $4
- Enterprise – $1 to $5
- Premium – $1 to $6
- It also provides a free trial.
Editorial comments: RSA SecurID® Access is a veteran in the MFA industry, especially when it comes to remote work setups. It is ideal for mid-sized to large enterprises. RSA works well for organizations that have a mix of token requirements, with weightage on hard tokens.
8. SecureAuth Identity Platform
- Granular policies: This platform allows for geo-location-based policies, triggering step-up MFA on location anomalies.
- Self-service capabilities: It allows users to auto-enroll their devices/browsers.
- Third-party integrations: It integrates with third-party risk assessment tools. It also integrates with user directories such as AD, LDAP, or SQL, and streamlines login with Desktop SSO.
- Comprehensive dashboard: SecureAuth provides a unified user management console. It has a simple administrative portal to build, test, and reuse adaptive security policies based on real-time authentication telemetry and analytics.
- Reports and logs: It supports an embedded reporting and logging system.
- Adaptive authentication: It allows for geo-location-based policies, triggering step-up MFA on location anomalies. It also uses behavioral analytics based on time-based policies, failure rates, and attempts at accessing restricted apps.
- Multiple deployment options: SecureAuth offers on-premise, cloud, or hybrid delivery.
Supported authentication methods:
- WebAuthn: Touch ID, Windows Hello, Fingerprint ID, and YubiKey.
- Mobile authenticator apps: SecureAuth Authenticate with push notifications and Symbol-to-Accept.
Customer support: SecureAuth provides a support portal and online documentation for users. It also provides three enhanced support packages: basic, premier plus, and mission-critical.
Pricing: SecureAuth pricing starts at $1 per user per month.
Editorial comments: SecureAuth is best for mid-sized enterprises. Users do report facing some problems when devices cannot access the internet.
9. Symantec VIP
- Granular policies: VIP enables granular policy configuration.
- Self-service capabilities: It provides a self-service portal.
- Third-party integrations: Symantec Authentication integrates with VPNs, cloud and web apps, and user directories with SAML and RADIUS standards. It also provides an SDK for developers to embed security into their own web, mobile, and IoT apps.
- Comprehensive dashboard: It boasts dynamic rules that update in real time to match business policies and respond to new threats or user requests. It allows for immediate access to data by presenting feedback on what triggered fraud rules, so that action can be taken to adjust fraud thresholds.
- Reports and logs: It generates reports and logs as proof of regulatory compliance.
- Adaptive authentication: It profiles user behavior by identifying users based on behavior patterns, geo-location, device, time of day, and velocity.
- Multiple deployment options: It is a cloud-based service.
Supported authentication methods: Symantec VIP supports desktop OTP, FIDO support, fingerprint (Touch ID), face ID, security tokens, device ID, OAuth tokens, OTP over email or SMS, push notification, and risk-based authentication.
Customer support: VIP has multiple online self-help learning portals. It provides a 24×7 available technical support team. Issues can also be raised by creating cases in MySymantec.
Pricing: Symantec’s VIP pricing is based on subscription licenses. Prices start from $4,500 per year, depending on the number of users and support plan. Enterprise solutions include Bronze, Gold, and Platinum plans.
Editorial comments: While Symantec is a good option for large enterprises, it can be expensive for small businesses. Since Symantec’s acquisition by Broadcom, non-enterprise users report flaky customer support.
10. WatchGuard’s AuthPoint MFA
- Granular policies: AuthPoint allows users, groups, resources, and authentication policies to be configured.
- Self-service capabilities: It allows for a secure SSO portal.
- Third-party integrations: It supports integration with multiple third-party solutions such as CISCO ISE, Splunk, Citrix, Dropbox, GSuite, AWS, and Salesforce, among others. It also provides automated token provisioning and de-provisioning, and full synchronization with existing user repositories (e.g., Microsoft Active Directory and LDAP).
- Comprehensive dashboard: The AuthPoint management UI provides a bird’s eye view of users, groups, resources, authentication policies, and external identities.
- Reports and logs: WatchGuard Cloud provides multiple views and reports.
- Adaptive authentication: It uses contextual rules to provide adaptive authentication.
- Multiple deployment options: AuthPoint is a cloud-based solution.
Supported authentication methods: AuthPoint uses a push message, QR code, or one-time password (OTP) as additional MFA factors. It provides an AuthPoint mobile app and a hardware token as well.
Customer support: WatchGuard provides robust online documentation and a support portal. It provides 24×7 technical support. It also provides three support packages: Standard, Gold, and Platinum.
Pricing: AuthPoint has subscription bundles, with prices based on the subscription duration and number of users. Pricing starts at $20.
Editorial comments: AuthPoint MFA is ideal for SMEs. It is relatively new compared to mammoths such as RSA and Ping, and customers report a few teething problems.
In conclusion
Implementing a layered authentication approach of granting users access to an application, account, or device is the most important step to curb breaches. The MFA market is gaining immense traction, especially with online transactions booming due to the COVID-19 pandemic. Investing in a robust MFA solution is a wise move for organizations in any industry.
Did this article help you shortlist a multi-factor authentication solution for your business? Tell us on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Top 3 Windows 10 Apps to Generate 2-Factor Authentication Codes
Two-factor authentication (2FA) is a method of bumping up user account security by requiring two means of identity verification.

Typically when you’re logging into your account, you will have to provide a password. The 2FA requires another piece of information in the form of a code that you must enter before a website grants you access to your user account. This code is usually sent via text message or generated using an app on your phone.
Instead of using an app, you can generate 2FA codes directly on your Windows 10 computer. There are a few apps out there that can accommodate this.
Before we jump into reviewing these apps, let’s take a closer look at why 2FA is essential.
Why Use 2FA?
Many services won’t even let you sign up if you don’t create a strong password containing at least 6 characters which are a mix of lowercase and uppercase letters with symbols and numbers thrown in there as well.
For this reason, you might be wondering why it’s even necessary to go through the hassle of setting up 2FA. Well, the fact is that these days hackers are quite persistent in finding loopholes to steal user credentials. Once they steal the login credentials data, the data dump is usually up for sale in the darker corners of the web.
One of the most common goals of a cyber attack by hackers is to access users’ credit card information. With access to this information, hackers can then use it to go on shopping sprees.

This year alone, some major breaches involving credit card information have occurred. Hackers also get up to other malicious activities like accessing the sensitive information of governments. The point of all of this is to illustrate the need to ensure that we protect our user accounts since there is usually sensitive data stored in them that could be used against us if accessed by a hacker.
2FA puts another barrier of defense, other than your password, between you and hackers. Even if a hacker accesses your password of a 2FA protected account, they will not be able to log in to your account without the 2FA codes. For example, if you are using Google’s Authenticator app on your phone, unless the hacker also has your phone, they will not be able to access the account.
The Google Authenticator is a popular choice for 2FA needs, but some of us don’t always carry our phones. If you use a Windows 10 machine, it might be more practical to have your 2FA code generated directly on the computer.
That said, take a look at the three Windows 10 applications which will let you generate 2FA codes.
Authy
Authy is relatively straightforward to use. When setting it up initially, you will need to enter your phone number into the app. You will then be sent a verification code via text message.

After completing the verification process, you can now start adding your services. Simply select the plus sign to get started adding services.

You will now need to access the settings of the user account you want to set up 2FA for. There will be an option in the service’s user account settings area which will guide you through the process. Take Facebook, for example. If you go to Facebook’s settings and select Security and Login, there will be an option called Use two-factor authentication that you can pick. The app will guide you through the setup process.

You will need to enter the secret key provided by the service you’re setting up before you can start generating 2FA codes. After completing the setup process, you will now be able to see generated 2FA codes which are refreshed every few seconds in Authy.

This process is quite similar across all services which allow 2FA. The next time you need to log in to the 2FA-secured accounts, you will be asked to enter your 2FA code. Here is what this looks like with Facebook.

2 Factor Authenticator
To get started with 2 Factor Authenticator, select the add button and enter the name of the account you’re trying to add and the secret key. The Authy section above explains that accessing the secret key for a service is relatively uniform across the board. It is available under the user account settings sections of services under sections related to security and passwords.

Using this app, you can either enter a secret key or scan the QR code if your Windows 10 device can accommodate it.

WinAuth
WinAuth is a portable Windows 10 app which comes with options for quickly setting up a few default services. These are Google, Microsoft, Battle.Net, Guild Wars 2, Glyph / Trion, and Steam. It also allows for setting up 2FA codes by importing a previous WinAuth configuration.

If you aren’t using any of the above services/options, after selecting the Add option, select the Authenticator menu option to add other services. You can now enter the secret key provided by the service you’re setting up with 2FA.
After completing the setup process, you will be asked to set up further protection for your 2FA codes within WinAuth, and we recommend setting a password. Alternatively, you can encrypt the 2FA information so that it’s usable only on your computer. There is also the option of locking WinAuth 2FA information with a YubiKey which is a physical device that supports the 2FA process.

Final Thoughts
If you are serious about privacy and security of your data, use the 2FA codes for your accounts. WinAuth, 2 Factor Authenticator, and Authy are all excellent options for generating 2FA codes on Windows 10. Note that WinAuth is a portable app, 2 Factor Authenticator is a Microsoft Store app, and Authy is a desktop app. That means that the download and installation process of each of these 3 apps is different.
Hackers stole user account data of nearly 50 million Facebook users by using a loophole in an innocent looking app that wishes on birthdays. So you can imagine how crucial it is to choose 2FA wherever supported to protect your login credentials and data.
Last updated on 03 February, 2022
William Elcock
William has been helping friends troubleshoot tech problems for several years and thus made the natural progression into tech blogging. In addition to consumer electronics William also has a vested interest in various renewable energy topics.
Multi-Factor Authentication (MFA) Apps for Windows
Compare the top Multi-Factor Authentication (MFA) apps for Windows of 2023.
What are Multi-Factor Authentication (MFA) Apps for Windows?
Multi-factor authentication (MFA) software is a security system which requires users to authenticate themselves through multiple credentials. This usually means providing something you know, like a password or PIN, and something you possess, such as a hardware token or biometric data. With this two-factor authentication process, user access can be more securely managed than with traditional single-factor authentication systems. Compare the best Multi-Factor Authentication (MFA) apps for Windows currently available using the table below.
Beyond Identity
GateKeeper Proximity Enterprise
Untethered Labs, Inc.
Secret Double Octopus

1Password Business
Azure Active Directory
LoginRadius
Keyless Authenticator
Keyless Technologies
Quicklaunch
HYPR | The Passwordless Company
ManageEngine ADSelfService Plus
ManageEngine
IS Decisions
Remote Desktop Services - Multi-Factor Authentication
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016
Leverage the power of Active Directory with Multi-Factor Authentication to enforce high security protection of your business resources.
For your end-users connecting to their desktops and applications, the experience is similar to what they already face as they perform a second authentication measure to connect to the desired resource:
- Launch a desktop or RemoteApp from an RDP file or through a Remote Desktop client application
- Upon connecting to the RD Gateway for secure, remote access, receive an SMS or mobile application MFA challenge
- Correctly authenticate and get connected to their resource!
For more details on the configuration process, check out Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD.
What is: Multifactor Authentication
When you sign into your online accounts - a process we call "authentication" - you're proving to the service that you are who you say you are. Traditionally that's been done with a username and a password. Unfortunately, that's not a very good way to do it. Usernames are often easy to discover; sometimes they're just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites.
That's why almost all online services - banks, social media, shopping and yes, Microsoft 365 too - have added a way for your accounts to be more secure. You may hear it called "Two-Step Verification" or "Multifactor Authentication" but the good ones all operate off the same principle. When you sign into the account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second thing - what we call a second "factor" - to prove who you are.

A factor in authentication is a way of confirming your identity when you try to sign in. For example, a password is one kind of factor, it's a thing you know. The three most common kinds of factors are:
Something you know - Like a password, or a memorized PIN.
Something you have - Like a smartphone, or a secure USB key.
Something you are - Like a fingerprint, or facial recognition.
How does multifactor authentication work?
Let's say you're going to sign into your work or school account, and you enter your username and password. If that's all you need then anybody who knows your username and password can sign in as you from anywhere in the world!
But if you have multifactor authentication enabled, things get more interesting. The first time you sign in on a device or app you enter your username and password as usual, then you get prompted to enter your second factor to verify your identity.

Perhaps you're using the free Microsoft Authenticator app as your second factor. You open the app on your smartphone, it shows you a unique, dynamically created 6-digit number that you type into the site and you're in.

If somebody else tries to sign in as you, however, they'll enter your username and password, and when they get prompted for that second factor they're stuck! Unless they have YOUR smartphone, they have no way of getting that 6-digit number to enter. And the 6-digit number in Microsoft Authenticator changes every 30 seconds, so even if they knew the number you used to sign in yesterday, they're still locked out.
Get the free Microsoft Authenticator app
Microsoft Authenticator can be used not only for your Microsoft, work, or school accounts; you can also use it to secure your Facebook, Twitter, Google, Amazon, and many other kinds of accounts. It's free on iOS or Android. Learn more and get it here.
Important things to know
You won't have to do the second step very often. Some people worry that multifactor authentication is going to be really inconvenient, but generally it's only used the first time you sign into an app or device, or the first time you sign in after changing your password. After that you'll just need your primary factor, usually a password, like you do now.
The extra security comes from the fact that somebody trying to break into your account is probably not using your device, so they'll need to have that second factor to get in.
Multifactor authentication is not just for work or school. Almost every online service from your bank, to your personal email, to your social media accounts supports adding a second step of authentication and you should go into the account settings for those services and turn that on.
Click here to turn two-step verification on for your personal Microsoft Account
Click here if you're an IT Pro or administrator and you want to know how to enable multifactor authentication for Microsoft 365
Compromised passwords are one of the most common ways that bad guys can get at your data, your identity, or your money. Using multifactor authentication is one of the easiest ways to make it a lot harder for them.
Duo Authentication for Windows Logon and RDP
Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons and credentialed UAC elevation prompts.
Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows and Windows Server logon scenarios:
- Local or domain account logins
- Logins at the local console and/or incoming Remote Desktop (RDP) connections
- Credentialed User Account Control (UAC) elevation requests (e.g. Right-click + "Run as administrator") in v4.1.0 and later
Duo's Windows Logon client does not add a secondary authentication prompt to the following logon types:
- Shift + right-click "Run as different user"
- PowerShell "Enter-PsSession" or "Invoke-Command" cmdlets
- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
- RDP Restricted Admin Mode
Important Notes
Please review all these compatibility and installation notes before proceeding.
- Installing Duo Authentication for Windows Logon adds two-factor authentication to all interactive user Windows login attempts, whether via a local console or over RDP, unless you select the "Only prompt for Duo authentication when logging in via RDP" option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error). If you wish to protect local console logons with Duo, please see the FAQ for some guidance on securing your Windows installation appropriately.
- Additional configuration may be required to log in using a Microsoft attached account. See Can I Use Duo with a Microsoft Account? for more information.
- Windows users must have passwords to log in to the computer. Users with blank passwords may not log in after Duo Authentication installation.
- It's a good idea to have your BitLocker recovery key available in the event you need to boot into safe mode to uninstall Duo.
- This application doesn't support Surface Pro X or other devices with ARM processors. Installing Duo for Windows Logon on these devices may block logins, requiring uninstallation from Safe Mode.
- Duo application features like failmode, offline access, and UAC protection may be configured during installation or post-installation via Regedit or Group Policy. Please see our FAQ for more information.
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo will no longer accept TLS 1.0 or 1.1 connections or support insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
TLS Requirements for Australia Region
Due to government restrictions, Duo’s services in Australia no longer support TLS versions prior to 1.2. The current version of the Duo for Windows Authentication installer performs connectivity checks with Duo that use TLS 1.0.
Customers in Australia must perform a silent installation to install this product.
Please refer to the Duo Knowledge Base article Can I silently install or update Duo Authentication for Windows Logon from a command line or PowerShell? for silent installation instructions.
In addition, the Windows systems where you install Duo must also support and use TLS 1.2 or higher. See the Guide to updating to TLS version 1.2 for Windows-based Duo applications for more information.
A future release of Duo for Windows Authentication will include TLS 1.2 support in the installer.
System Requirements
Windows Versions
Duo Authentication for Windows Logon supports both client and server operating systems.
Clients:
- Windows 8.1 (last release tested on 8.1 is v4.2.0; learn more about the end of 8.1 support)
- Windows 10 (as of v1.1.8)
- Windows 11 (as of v4.2.0)
Servers (GUI and core installs):
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016 (as of v2.1.0)
- Windows Server 2019 (as of v4.0.0)
- Windows Server 2022 (as of v4.2.0)
Ensure your system's time is correct before installing Duo.
System Processor
Duo Authentication for Windows Logon does not support devices with ARM processors, like the Surface Pro X.
Duo Factor Support
Duo for Windows Logon supports these factor types for online two-factor authentication:
- Duo Push (Duo Mobile)
- Duo Mobile Passcodes
- SMS Passcodes
- Hardware Token OTP passcodes (including Yubikey OTP)
- Bypass Codes
U2F security key support is limited to Offline Access only.
Enroll Users Before Installation
Duo Authentication for Windows Logon doesn't support inline self-service enrollment for new Duo users. Unenrolled users, that is, users that do not yet exist in Duo with an attached 2FA device, must be created manually by an administrator, imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup) before those users can log in with Duo for Windows Logon.
The Duo username (or username alias) should match the Windows username. When you create your new RDP application in Duo the username normalization setting defaults to "Simple", which means that if the application sends the usernames "jsmith," "DOMAIN\jsmith," and "[email protected]" to Duo at login these would all resolve to a single "jsmith" Duo user.
Duo for Windows Logon supports Duo Push, phone callback or SMS passcodes, and passcodes generated by Duo Mobile or a hardware token as authentication methods. Duo users must have one of these methods available to complete 2FA authentication.
If the user logging in to Windows after Duo is installed does not exist in Duo, the user may not be able to log in to the system.
Read the enrollment documentation to learn more about enrolling your users in Duo.
First Steps
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
Sign up for a Duo account.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Microsoft RDP in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
We recommend setting the New User Policy for your Microsoft RDP application to Deny Access, as no unenrolled user may complete Duo enrollment via this application.
If you'd like to enable offline access with Duo MFA you can do that now in the "Offline Access Settings" section of the Duo application page, or return to the Admin Panel later to configure offline access after first verifying logon success with two-factor authentication.
Download the Duo Authentication for Windows Logon installer package. View checksums for Duo downloads here.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Remembered Devices for Windows Logon
Duo plan required : Duo MFA, Duo Access, or Duo Beyond
Version 4.2.0 of Duo Authentication for Windows Logon adds support for local trusted sessions, reducing how often users must repeat Duo two-factor authentication. The Remembered Devices policy now includes a setting for Windows logon sessions, which when enabled offers users a "Remember me" checkbox during local console login for the duration specified in the policy.
When users check this box and complete Duo authentication, they aren't prompted for Duo secondary authentication when they unlock the workstation after that initial authentication until the configured trusted session time expires. If the user changes networks, authenticates with offline access while the workstation is disconnected, logs out of Windows, reboots the workstation, or clicks the "Cancel" button during workstation unlock, Duo for Windows Logon invalidates the current trusted session and the next Windows logon or unlock attempt will require Duo authentication again.
To enable remembered devices for Windows Logon:
Create a new custom policy or update an existing policy for remembered devices which enables the Remember devices for Windows Logon option, and enter the number of hours or days you want a trusted Windows logon session to last. Click Save Policy when done.

Apply the custom policy to your Microsoft RDP Duo application as a group or application policy. If you made the change in your global policy then the setting applies to all your Microsoft RDP Duo applications, unless any of them have a policy assigned with conflicting remembered Windows Logon device settings.
The policy setting takes immediate effect — there is no need to reinstall the Duo Authentication for Windows Logon application after updating the remembered device policy as long as clients have already installed v4.2.0 or later. Systems with older versions of Duo for Windows Logon must upgrade to 4.2.0 or later to see the new option.
With this policy setting applied, users who log on to the local Windows console see an additional option on the Duo for Windows Logon prompt for remembering the device. This option will not display for RDP/remote logins to Windows systems with Duo Authentication for Windows Logon installed, regardless of the effective remembered devices policy setting for Windows Logon.
Administrators may revoke the Windows local trusted Duo session by unassigning a remembered devices policy for Windows Logon from a Microsoft RDP application, editing the policy attached to a Microsoft RDP application to disable the Windows Logon remembered devices setting, or by deleting the registry entry for the user session from the Windows client. Learn more about this in the Windows Logon FAQ.
Deployment Tip
To test Duo on your Windows system with a group of pilot users, we suggest setting your application's New User Policy to "Allow Access" while testing. The pilot users that you've enrolled in Duo with an associated 2FA device get prompted to complete Duo authentication, while all other users will be transparently let through.
If you want to deploy Duo to your Windows systems but have no users complete 2FA until a specific date (after all user enrollment is complete), set the New User Policy to "Allow Access" and set the Authentication Policy to "Bypass 2FA". With these two policy settings in place users who have and who have not enrolled in Duo log in to the Windows system as usual without experiencing Duo.
When you're ready to require Duo authentication for all users of the target Windows system, change the "New User Policy" to "Deny access" and change the "Authentication Policy" to "Enforce 2FA". This will prompt all enrolled users to perform Duo 2FA after they type in their usernames and passwords, and prevent users who have not enrolled in Duo from logging in without 2FA.
If you chose to enable offline access on your application, then enrolled users who bypass 2FA due to the effective Authentication Policy would still be prompted to complete offline enrollment. To avoid confusion, we recommend leaving offline access off until you require users to complete Duo 2FA while online.
Run the Installer
Run the Duo Authentication for Windows Logon installer with administrative privileges.
If you receive an "Installation stopped" error from the Duo installer please refer to Duo KB article 6462 for remediation steps.
When prompted, enter your API Hostname from the Microsoft RDP application's details page in the Duo Admin Panel and click Next. The installer verifies that your Windows system has connectivity to the Duo service before proceeding.

If the connectivity check fails, ensure that your Windows system is able to communicate with your Duo API hostname over HTTPS (port 443).
If you need to use an outbound HTTP proxy in order to contact Duo Security's service, enable the Configure manual proxy for Duo traffic option and specify the proxy server's hostname or IP address and port here.
Enter your integration key and secret key from the Microsoft RDP application in the Duo Admin Panel and click Next again.

Select your integration options:

If you plan to use smart cards on the systems where you install Duo, click to Enable Smart Card Support and select your smart card options:
These options only support the Windows native smart card provider. Available in version 3.1.1 and later.

If you'd like to add Duo 2FA protection to account elevation via Windows User Account Control (UAC), click to Enable UAC Elevation Protection and select your elevation options:
Available in version 4.1.0 and later.

Click Next and then Install to complete Duo installation.
If you need to change any of your chosen options after installation, you can do so by updating the registry. See the Duo for Windows Logon FAQ for instructions on how to update the settings.
Test Your Setup
To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo.

The Duo authentication prompt appears after you successfully submit your Windows credentials. With automatic push enabled (the default installation option), the prompt indicates that Duo pushed an approval request to your phone. Duo sends the push request to the first phone activated for Duo Push and associated with that Duo user.

With automatic push disabled, or if you click the Cancel button on the Duo authentication prompt after a 2FA request was sent, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:
- Duo Push : Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your device.
- Call Me : Perform phone callback authentication.
- Passcode : Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator. To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.

Remembered Device
If you applied a policy to your Microsoft RDP application that enables remembered devices for Windows Logon, then during Duo authentication at the local system's console you'll see the Remember me for... option, reflecting the number of hours or days you set in the policy.

If you check this box when authenticating you won't need to perform Duo second-factor authentication again for the duration specified on the prompt the next time you unlock the workstation to continue the logged-in Windows session.

Duo will prompt you to complete two-factor authentication at the next Windows logon or unlock after the remembered device session ends, and at that time you can choose to begin a new trusted logon session.
UAC Elevation
If you enabled User Elevation in Duo for Windows Logon v4.1.0 or later, you'll see the Duo authentication prompt after you enter your password for a credentialed elevation request. The application you were trying to launch runs after you approve the Duo two-factor request. If you chose to remember the device at the Windows desktop login, then you won't need to approve Duo authentication for UAC elevations made by the same logged-in account either until the trusted Duo session ends.

Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.
Offline Access
Duo Authentication for Windows Logon v4.0.0 introduces offline access, allowing secure local logons to Windows systems even when unable to contact Duo’s cloud service.
Offline Access Requirements
- Duo MFA, Access, or Beyond plan subscription (learn more about Duo's different plans and pricing)
- Disable the Bypass Duo authentication when offline (FailOpen) option. If you enabled FailOpen during installation, you can change it in the registry.
- Disable the Only prompt for Duo authentication when logging in via RDP option to use offline access with laptop or desktop local console logins. If you enabled Duo for RDP logins only during installation, you can change it in the registry.
Users must have either:
- Duo Mobile for Android or iOS version 3.22 or later (no Windows Phone support)
- Yubico brand keys supporting U2F/FIDO2
- Google Titan
- Feitian ePass FIDO
- Thetis FIDO
We strongly suggest you test offline access with one of the security keys you plan to use before purchasing them for all your users.
HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens.
Note these functional limitations for offline access authentication devices:
- Users may only register one authenticator for offline access, so it is not possible to register backup devices for approving offline login. Registering a second offline device deactivates the first one.
- U2F security keys for offline authentication only work for local system console logins. It is not possible to use a security key attached to your local RDP client system to perform offline authentication at a remote Windows server. You can use a Duo Mobile offline passcode with a remote system.
- Remembered devices policy settings and local trusted sessions do not apply to offline access. If you choose to remember the device when you log in while online, and then unlock the Windows workstation while offline, the previously created trusted session ends and you will need to complete offline access authentication. When the workstation is back online, you will need to complete online Duo authentication to begin a new remembered device session.
Offline Access Configuration
Return to your "Microsoft RDP" application page in the Duo Admin Panel. You may have given the RDP application a different name when you created it, but the "Type" will always be shown as "Microsoft RDP" on the Applications page.
Scroll down to the bottom of the RDP application’s page to locate the Offline Access Settings. Check the box next to Enable offline login and enrollment to turn on offline access.
Check the Only allow offline login from users in certain groups to specify a group or groups of Duo users permitted to use offline access. Users who are not members of the groups you select here won't be able to enroll in offline access or log in with MFA when the Windows system is unable to contact Duo, and instead are subject to your fail mode configuration (let in without MFA if you enabled fail open, or prevented from logging in if you disabled fail open).
After you configure this option, when a user logs into a Windows system while it's online and can reach Duo and it has been greater than 24-30 hours since the last online authentication, Duo for Windows Logon will update the offline policies for all users on the system, including deprovisioning them for offline access if they are no longer members of the offline groups selected for offline login in the Duo Admin Panel.
If you also configured permitted groups on your RDP application, users need to be members of both the permitted and the offline login groups to use offline access.
Choose from the two options for expiring offline access in the Prevent offline login after setting:
Enter the maximum number of offline logins allowed to users. With this option, there is no expiration date for offline access.
Users may log on to the Duo-protected Windows workstation while offline the number of times you specify here. They'll need to reconnect their offline computer to the internet upon reaching this limit. The next time they perform an online Duo authentication, the computer’s offline counter resets.
Enter the maximum number of days offline, up to 365. With this option, there is no limit to the number of times a user logs in while offline during the allowed period.
Users need to reconnect their offline computer to the internet upon reaching the end of the period you define here. The next time they perform an online Duo authentication, the computer’s offline expiration date resets. If the user does not perform online Duo authentication before the maximum number of days specified here is reached, they can no longer log in offline, and so must connect to Duo's service in order to log in at all.
Users may activate offline access using either the Duo Mobile application for iOS or Android, or a U2F security key. Both offline authentication methods are allowed unless you uncheck one in the Offline authentication methods setting. You may not uncheck both options.
Any authentication method enabled for offline access is always permitted, overriding any other policy setting restricting authentication methods for the RDP application.
Click the Save button.

Offline Access Logging
No information about logins using offline access is reported in Duo Admin Panel authentication reports while the Windows system is offline. At the next online authentication, login events that occurred while the system was offline are sent to Duo's service. These events show up in the Authentication Log with other user access results, and show the offline authentication method used.

Advanced Configuration
Change How Many Users May Use Offline Access
By default, five (5) users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv
Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.
Force Offline Reactivation for a User
To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor (regedit.exe) with administrator privileges to delete the entire registry key that includes the username from HKLM\SOFTWARE\Duo Security\DuoCredProv\Offline.
Prevent Offline Access Use on a Client
You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Offline Access Activation and Login
The next time you (or your end user) log in to or unlock the workstation while it’s online and able to contact Duo, the offline activation prompt displays after successful two-factor authentication.

Step through the guided activation process to configure Duo Mobile or a U2F security key for offline MFA.
Once you’ve activated offline access for your account, when your computer isn’t able to contact Duo’s cloud service you’ll automatically be offered the option to login with an offline code or security key after successfully submitting your Windows username and password.

You can also reactivate offline access from the online Duo prompt. Note that only one authentication device — a single phone with Duo Mobile or a single security key — may be activated for offline login. Activating a second device via the reactivation process deactivates the first.
See the full offline activation and login experience in the Duo User Guide for Windows Logon.
Updating Duo Authentication for Windows Logon
You can upgrade your Duo installation over the existing version; there's no need to uninstall first. The installer maintains your existing application information and configuration options.
Download the most recent Duo Authentication for Windows Logon installer package. View checksums for Duo downloads here.
Run the installer with administrator privileges and follow the on-screen prompts to complete the upgrade installation.
If you're upgrading to a version that includes new installer options, the configuration screen for those options won't be shown during an upgrade install. You'll need to configure those new options via Regedit or GPO update. See the Configuration section of the FAQ to learn how to enable and configure Duo for Windows Logon options in the registry, or the Group Policy documentation to learn how to configure options with GPO.
Uninstalling Duo
If you'd like to remove Duo Authentication for Windows Logon from your system, open the Windows Control Panel "Programs and Features" applet, click on the "Duo Authentication for Windows Logon" program in the list, and then click Uninstall.
Do not delete the Microsoft RDP application from the Duo Admin Panel until you have uninstalled the Duo application from all Windows systems using that application. If you delete the Admin Panel application before uninstalling the Duo software you may block users from logging in to Windows.
Advanced Deployment and Configuration using Group Policy
Please see our Duo Authentication for Windows Logon Group Policy documentation.
Troubleshooting
Need some help? Take a look at the Windows Logon Frequently Asked Questions (FAQ) page or try searching our Windows Logon Knowledge Base articles or Community discussions. For further assistance, contact Support.
If the Duo application denies access to your users, ensure that you have enrolled them in Duo with a username or username alias that matches the username they use to log into Windows, and with a 2FA device attached that is activated for Duo Push, can receive phone calls from Duo, or can generate a one-time passcode. If you applied a new user policy that allows access without 2FA and expect it to allow the blocked users through, verify that the blocked users do not exist in Duo. Refer to these articles to learn more about user enrollment states and how they combine with policy settings to affect user logins.
- Why are Duo users being prompted to enroll or denied access when my New User Policy is set to allow access without 2FA?
- Guide to Duo User Enrollment States
Network Diagram

- RDP connection, console logon, or UAC elevation initiated
- Primary authentication of Windows credentials (domain or local user)
- Duo Windows Logon credential provider connection established to Duo Security over TCP port 443
- Secondary authentication via Duo Security’s service
- Duo Windows Logon credential provider receives authentication response
- RDP or console session logged in

How to Use Google Authenticator on Windows 10
In case you don't have a smartphone handy
One of the best ways to protect your online accounts from being compromised is to use two-factor authentication (2FA). This adds a second layer to the sign-in process, requiring you to use a one-use only generated code (usually created on your smartphone) to sign in successfully using tools like Google Authenticator.
That is, of course, if you actually have a smartphone with Google Authenticator installed. If you don’t, then your options are limited, but it is possible to use Google Authenticator on your PC without requiring another device. If you want to know how to use Google Authenticator on Windows 10, here’s what you’ll need.

Generating the Google Authenticator Secret Code
If a username and password are leaked online, your account is at risk. Even using a password manager won’t help you at this point—you’ll need to change any passwords that are compromised by a breach.
To help overcome this issue, you can link your online accounts to a two-factor authentication service like Google Authenticator. This generates a one-time password (OTP) to successfully sign in to Google and other online services.
It doesn’t matter if a password is breached if the hacker doesn’t have your 2FA credentials. 2FA adds another layer of security. To generate the codes, you’ll need to set up Google Authenticator on your Windows PC using a third-party app and insert the secret code that matches your Google account.
The secret code is like a master password—without it, the codes being generated won’t work to complete a 2FA sign in. This code will only work for your Google account sign-in, but you’ll need similar codes to link your other online services with a 2FA app on your Windows PC.
- To find the secret code for your Google account, open the Google account website. In the left-hand menu, select Security.

- In the Security area of the Google account website, scroll down to the Signing in to Google section, then select the 2-Step Verification option. You may need to sign in again at this point.

- If you haven’t already enabled 2FA with a mobile device previously, you’ll need to follow the on-screen instructions to do so on the 2-Step Verification page. Once this is done, scroll down to the Authenticator app section, then select Set Up to begin.

- In the pop-up menu, select either Android or iPhone; it doesn’t matter which option you choose. Select Next to continue.

- At the next stage, you’ll see a QR code that you’d typically need to scan. You won’t be doing this, however, so select the Can’t Scan It? option instead.

- The secret code for your Google account will appear in the box below, in a combination of 32 letters and numbers. Write this down or make a suitable copy of it, then select Next to continue. Keep this page open, as you’ll need it to complete the setup process afterwards.

Once you’ve saved the secret code, you’ll need to install a 2FA app on your PC to proceed.
Installing a Two Factor Authentication App for Windows 10
Unfortunately, there are few apps that exist for extending Google Authenticator support to Windows 10. WinAuth is one exception, and while it remains popular, WinAuth is no longer in active development, so we can’t guarantee that it continues to work as intended as a Google Authenticator alternative.
With few desktop apps available, the best alternatives are found in the Microsoft Store. One example is WinOTP Authenticator, an open-source 2FA app that can be installed officially through the Microsoft Store, with the source code also available for review on the developer’s GitHub page.
- To begin, download and install WinOTP Authenticator from the Microsoft Store. Once installed and opened, select the + (Add) icon at the bottom.

- You’ll need to save your Google account details here. Under Service, type Google. For Username, type your Google account email address. Finally, type your 32-character secret code (with or without spaces) in the Code section, before selecting Save to save it to the app.

- If successful, a six-digit one-time passcode will appear at the top of the window. Return to the Google Authenticator app setup page (as described in the section above), or open the Google Authenticator App setup page directly, selecting the Set Up option in the Authenticator app section. Enter the six-digit code you see in the WinOTP app in the Google Authenticator app setup box, then select Verify to continue.

- If verified, WinOTP Authenticator will become the default Google Authentication app for your account. You can then use WinOTP to generate the 2FA codes you need to successfully sign in to your Google account (and into other Google services) in the future. If you want to remove the app at any point, press the remove icon next to the Authenticator app option listed in your Google account settings.

Installing a Two Factor Authentication Extension in Google Chrome
While WinOTP Authenticator offers a quick and easy way to sign in to Google services with two-factor authentication enabled, you can also set up a quick and easy-to-use 2FA app using a Google Chrome extension named Authenticator.
- To do this, you’ll need to open Google Chrome and install the Authenticator extension. As the simple name suggests, this extension allows you to quickly create OTP codes for two-factor authentication.

- Once installed, select the Authenticator extension icon (or select it from the Extensions menu in the top-right). From the drop-down menu, select the pencil icon.

- Press the + (plus) icon that appears in the card below to proceed.

- From the menu, select Manual Entry.

- You’ll need to provide your Google Authenticator secret code and account information here. Under Issuer, type Google. For Secret, type the 32-character secret code for your Google account (as explained in the steps above). Select Advanced, then place your Google account username in the Username box, before selecting OK at the bottom to save your details.

- Once saved, select the Authenticator extension icon again to view your one-time passcode for your Google account.

Using Google Authenticator on Windows 10
Once a 2FA app is installed on your PC, you’ll be free to use Google Authenticator on Windows to sign into your Google account without needing a smartphone. This gives you a 2FA backup device, offering peace of mind that you won’t be locked out of your Google account, even if you lose your smartphone.
However, you’ll need to bear in mind that only one Authenticator app is allowed for each account. If you want to use Google Authenticator on Windows, you won’t be able to use the Google Authenticator app on Android or iPhone to sign in to your Google account after this point.
If you haven’t already, it’s advisable to set up two-factor authentication on all of your important accounts to help improve your privacy online. This includes setting up 2FA on social media to help keep your accounts free from hackers who could compromise your identity.
Ben Stockton is a freelance technology writer based in the United Kingdom. In a past life, Ben was a college lecturer in the UK, training teens and adults. Since leaving the classroom, Ben has taken his teaching experience and applied it to writing tech how-to guides and tutorials, specialising in Linux, Windows, and Android. He has a degree in History and a postgraduate qualification in Computing.
How to enable 2FA for Microsoft
Install Authy
The best way to manage all your 2FA accounts is to use the Authy app. It enables you to have a single mobile app for all your 2FA accounts and you can sync them across multiple devices, even accessing them on the desktop. Install Authy 2FA on your device by searching for it in your device’s app store.
Important: If any sites prompt you to use Google Authenticator for two-factor authentication, note that you can always substitute the Authy 2FA app instead. Although they work in similar ways, Authy is more feature-rich and allows for multi-device syncing, cloud-backups, and easier account recovery should you change or lose your phone or device. Read more information on the features of Authy here.
Log into your Microsoft Account and choose ‘Security’.

From your Microsoft account’s security page, choose ‘More security options’ at the bottom.

Verify the account.
- You will have to verify the login once again before accessing the security options page, in case you haven’t visited the page recently.

Using a password-less sign-in?
- If you’d like, you can enable password-less sign-in here using the Microsoft Authenticator app. But if you’d like to enable 2FA, click on ‘No thanks’.

Setting up Identity verification app.
- In order to add your account to Authy – please click ‘Set up identity verification app’ on the Additional security options page.
- And then, click on ‘Set up a different Authenticator app’ on the next screen.

The Microsoft QR code automatically pops up.

To capture the QR code, launch Authy on your device. Click ‘Add Account’ at the bottom of the screen.

You’ll be prompted to hold your phone up to your computer to ‘Scan QR Code’.

Now capture the QR code shown on the Microsoft website.

Once the QR code is successfully captured, Authy will display your Microsoft numeric account key. You can rename this token as you see fit. When ready, click ‘Done.’

Back on your device, an Authy 2FA code is now generated for your Microsoft account. Head over to the Microsoft website and enter the Authy code in the entry space provided under the QR code.

And that’s all, your Microsoft account is now protected with 2FA!
For more information on Microsoft’s account security practices, please visit: https://support.microsoft.com/en-us/help/12414/microsoft-account-identity-verification-apps-faq
How can we enable MFA on a Windows 10 login?

Is there a possible way for the login process on a Windows 10 domain-joined PC to be linked to a second-factor authentication process? I.e. through the Authenticator App to approve the login or via an OTP. We're using Azure AD and we are looking at setting up Windows Hello for Business.
I know there are 3rd party apps that can do this but we don't want to look at that.
Any ideas on how to accomplish this?

Use a third party app like duo
You can setup azure ad sync on duo to populate users
Too expensive for 3000 users.
I played with the Duo for Windows 10 add-on, and while it did work, it seemed kind of cheesy. You go to log in to Windows and a Duo box pops up asking for authentication, then you can continue on into Windows. I feel like while this works, it's not true endpoint protection. If someone knows your credentials, they could potentially still access the device over the network and exfiltrate data.
You are correct in that it doesn't protect shares. That's a permission issue.
I think Windows Hello is the only option at this time.
I pulled this from Windows Technet
"MFA server will not provide Multi-Factor Authentication during Windows Login, only for Applications.
It might not be the MFA solution you are looking for, but the closest solution currently available for MFA on Windows Login is Windows Hello for Business:
"In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN."
"Is Windows Hello for Business multifactor authentication? Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know" factor."
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
I read through this before, thanks. I feel that it is not true 'MFA' in the sense that it does not use another device or method to authenticate the user. With the above, if someone knows my PIN they get into the PC.
Third-party apps like miniOrange work well here and are very cost effective too.
Multi-Factor Authentication for Salesforce
A simple, effective way to increase protection against unauthorized account access
As cyberattacks grow more common, passwords no longer provide sufficient safeguards against unauthorized account access. Multi-factor authentication (or MFA) adds an extra layer of protection against threats like phishing attacks, increasing security for your business and your customers. That’s why, effective February 1, 2022, Salesforce requires customers to use MFA when accessing Salesforce products. Use the MFA Requirement Checker to see if your implementation satisfies this requirement.
About the MFA Requirement
Be Ready for MFA Auto-Enablement and Enforcement
MFA Enforcement Roadmap
Keep track of when Salesforce will automatically enable and enforce MFA for your Salesforce products.
Notifications by Product
Review the MFA auto-enablement and enforcement email notifications that we've sent to customers.
Everything You Need to Know
For products built on the Salesforce Platform: learn how we'll enable and enforce MFA in your org and how your users will be affected.
How MFA Works
MFA requires a user to validate their identity with two or more forms of evidence — or factors — when they log in. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession. While there’s a risk that a password may be compromised, it’s highly unlikely that a bad actor can also gain access to a strong verification method like a security key or authentication app.
Salesforce MFA for Direct Logins
Salesforce offers simple, innovative MFA solutions that provide a balance between strong security and user convenience. Salesforce products support several types of strong verification methods to satisfy your business and user requirements.
- Salesforce Authenticator Mobile App: A fast, frictionless solution that makes MFA verification easy via simple push notifications that integrate into your Salesforce login process. Use this app in your MFA implementation to increase security while driving a better user experience.
- Third-Party Authenticator Apps: Authenticate with apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm. There are many apps available, including Google Authenticator™, Microsoft Authenticator™, and Authy™.
- Security Keys: These small physical devices are easy to use because there’s nothing to install and no codes to enter. Security keys are a great solution if mobile devices aren’t an option for your users. Salesforce supports USB, Lightning, and NFC keys that support the WebAuthn or U2F standards, including Yubico’s YubiKey™ and Google’s Titan™ Security Key.
- Built-In Authenticators: Easy MFA verification using a desktop or mobile device’s built-in authenticator service, such as Windows Hello™, Touch ID®, or Face ID®.
MFA for Single Sign-On (SSO)
Do your users regularly access multiple apps during the course of their day? Your best option is to combine MFA and SSO, so you can deliver enhanced security along with a convenient, simplified login experience.
If you've already integrated your Salesforce products with an SSO solution, ensure that MFA is enabled for all your Salesforce users. You can use your SSO provider’s MFA service. Or, for products that are built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level.
Shiseido Secures Customer Data with Multi-Factor Authentication
See how Shiseido, an innovative, global beauty brand, implemented MFA for Salesforce to help protect their critical systems and customer data. You'll learn about the importance and benefits of MFA and understand how Salesforce partners with our customers to make it easy to implement MFA.
Learn More About MFA
Your One-Stop Shop for Salesforce MFA
Meet the Multi-Factor Authentication Assistant for products built on the Salesforce Platform. It’s your hub for all the recommended steps, tools, and resources to roll out MFA to your users. From evaluating requirements to launching MFA and driving adoption, the Assistant has you covered.
MFA Guidance for Salesforce Partners
Looking for guidance on how you and your customers can satisfy the MFA requirement? In addition to the resources on this site, check out the MFA Requirement page in the Partner Community. It's your central place for all partner-related MFA resources, including training courses, discussion groups, partner FAQs, and more. A partner community login is required.
Report a Security Concern
As a leading software-as-a-service and platform-as-a-service provider, Salesforce is committed to setting the standard in safeguarding our environment and customers’ data. Partner with us by reporting any security concerns.
iOS 16.4 Is Almost Here. You Should Still Download iOS 16.3.1 Now
The iOS 16.3.1 update comes with a number of fixes, including one for an issue that might be used to hack your phone.

Apple has released beta versions of iOS 16.4 to testers, so Apple will likely release that update to the public soon. But you should still download iOS 16.3.1 as soon as possible.
Apple released iOS 16.3.1 on Feb. 13, a few weeks after the release of iOS 16.3. Though iOS 16.3 included new features like security keys for Apple ID and support for the second-generation HomePod, the latest update fixes some issues that iPhone users might've run into recently, including a bug that Apple said might be actively exploited.
Here's what's included in Apple's iOS 16.3.1 update.
What's in iOS 16.3.1
The latest iOS update includes bug fixes and security updates that address issues with iCloud, Siri, Find My and crash detection.
Apple's security notes say this latest update patches an iPhone bug that may've been actively exploited. Apple writes that the bug may lead to arbitrary code execution, and the bug affects iPhone 8 models and later. According to Okta, arbitrary code execution could allow hackers to steal your data.
The update could also fix an iCloud issue some users ran into after the release of iOS 16.3. Some users on Reddit and Twitter have said they haven't been able to back up to iCloud since the release of the previous update.
Another issue that iOS 16.3.1 could address has to do with crash detection on iPhone 14 and 14 Pro models. Crash detection has helped alert first responders to some car crashes, but it has also been triggered when some users ride roller coasters with their phones.
Here's what Apple says is fixed with iOS 16.3.1.
- iCloud settings may be unresponsive or incorrectly display if apps are using iCloud.
- Siri requests for Find My may not work.
- Crash detection optimizations on iPhone 14 and iPhone 14 Pro models.
For more, check out all the features you missed in iOS 16.3, what iOS 16.4 beta features testers can try now and how you can sign up to test Apple's iOS beta software.
