The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon
“The best way to break in is through the front door.”
We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials when they turn on or unlock their device with Windows Logon, the front door. The ability to safely access our computers plays a key role in developing trust in adopting these technologies, which do more good than harm.
In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.
To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Private Preview!
Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.
How does this improve the proverbial front door?
Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in a variety of ways (in addition to not having to enter your password):
Stronger
Duo Mobile Proximity Push: Driven by Bluetooth Low Energy (BLE). Once they are enrolled in PWL OS Logon, users automatically receive a biometric push, which cannot be approved unless they are within proximity of the endpoint machine requesting their approval to log on.
Cryptographic Nonce: Proof of proximity to mitigate MFA phishing attacks, spoofed network responses, and replay attacks, in that nonces can only be used once.
Usable
Works with most identity providers and supports managed and unmanaged devices: Active Directory, Entra ID, domain-joined, non-domain-joined, etc. We understand that deployments vary! We intend to meet our customers where they are today, with what they have today. If you have an existing password in your local environment today, PWL OS Logon will work with it.
Simple Upgrade Path: If you use Duo Authentication for Windows Logon, upgrading to this solution is as simple as getting on the latest supported version.
Compatible with Duo Passport: Given the step-up in security with the proximity push + biometric challenge, Duo Passport can pick up the OS session created by PWL OS Logon.
Where won’t Passwordless for Windows Logon work yet?
This version of Passwordless for Windows Logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.
Passwordless Offline Mode is coming soon. It is on our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.
How can I try Duo Passwordless for Windows Logon?
For an opportunity to participate in the Private Preview this summer, please reach out to us! And if you are interested in trying Duo, sign up for a free 30-day trial.