Is it possible to require a TOTP on Windows Login using existing or custom software?
Solution 1
Microsoft Active Directory currently supports smartcard authentication as a second factor of authentication. This is designed to support the US Department of Defense "Common Access Card".
Some "security dongle" products support the emulation of a Smartcard and thus can be used with Active Directory today (Microsoft are moving towards FIDO2/WebAuthn but that isn't yet available for on-premises Active Directory). As one example, see this extensive deployment guide from YubiKey.
Solution 2
Microsoft have committed to supporting U2F FIDO2 in an update to Windows 10 for Active Directory authentication. (source)
Comments
-
Sam Weaver over 1 year
I have always been looking for a way to require a Two-Factor Authentication (One Time) Passcode on my Windows Login. Using an algorithm such as TOTP, this should be easy, and require no internet connection, and it could work with something like Google Authenticator to require a 6-digit code generated by my mobile device as I log into my computer. I have been snooping around, and I haven't found any program that can do this, therefore I've come to the conclusion that this is near impossible, and I am looking for validation of that observation.
To be clear, I haven't found any software that can do this, and I'm not looking for a comparison of different products as a recommendation, since that's not what SO is about. I'm simply asking if it is possible, and if so, if there is any software that does it already, or if it is something I'd have to create myself.
-
Thalys about 8 years
Windows version and account type may be a factor here - you've mentioned Windows 10, but is this a local or 'Microsoft account' account?
-
Sam Weaver about 8 years
I'm open to a solution for either of the account types. My personal account is technically a Microsoft account, but I wouldn't be averse to changing it for the additional security this provides. Also, I would strongly like to avoid, but am not totally against, doing this in an Active Directory setting.
-
birdman3131 about 8 years
Not exactly what you are looking for, but if your computer has a smartcard slot you could possibly use something from superuser.com/questions/446969/…
-
ojchase about 5 years
I have tried it. It works and answers OP's question.