Duo Authentication for Windows Logon
Duo Authentication for Windows Logon prompts for secondary approval when you log in to your Windows system.
Logging Into Microsoft Windows with Duo
Duo Authentication for Windows Logon defaults to auto push.
After entering your Microsoft Windows username and password, an authentication request will automatically be pushed to the Duo Mobile app on your phone.
If auto-push is disabled or if you click the Cancel button on the Duo Prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:
- Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your iOS or Android device.
- Call Me: Perform phone callback authentication.
- Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator.
To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.
Note that Duo Authentication for Windows Logon does not support U2F security keys for online authentication.
When logging into the local Windows console, you may see a Remember me for... option if your administrator enabled Duo's remembered devices feature. If you check this box when authenticating then you won't need to perform Duo second-factor authentication again when you unlock your Windows system for the duration specified on the prompt.
Do not choose the "Remember me..." option when using a public or shared computer! This could make your Duo-protected login session available to other users.
When you unlock your Windows system, Duo authenticates you without asking you to approve another login request until your trusted device session expires.
When your remembered device session ends, or if you log out of Windows, reboot your computer, change networks, or use offline access, then you'll need to complete Duo two-factor authentication again.
User Elevation Approval with Duo
The optional User Elevation configuration adds Duo two-factor authentication to password-protected Windows User Account Control (UAC) elevation attempts. When enabled, you'll see the Duo authentication prompt after you enter your password for a credentialed elevation request. The application you were trying to launch runs after you approve the Duo two-factor request.