Duo Authentication for Windows Logon
Duo Authentication for Windows Logon prompts for secondary approval when you log in to your Windows system.
Contents
- Logging Into Microsoft Windows with Duo
- Verified Duo Push
- Remembered Devices
- User Elevation Approval with Duo
- Passwordless Operating System (OS) Logon for Windows Logon
- Offline Access for Windows Logon
Logging Into Microsoft Windows with Duo
Duo Authentication for Windows Logon defaults to auto-push.
After you enter your Microsoft Windows username and password, Duo automatically sends an authentication request to the Duo Mobile app on your phone.

If auto-push is disabled or if you click the Cancel button on the Duo Prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:
- Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your iOS or Android device. Your organization may require you to enter a verification code.
- Phone Call: Perform phone callback authentication.
- Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator.
To get new SMS passcodes, click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.
Note that Duo Authentication for Windows Logon does not support U2F security keys for online authentication.

Verified Duo Push
Your organization may require you to enter a verification code shown within the Duo for Windows Logon prompt into Duo Mobile when you approve a Duo Push request. This protects you from approving login requests not made by you and helps keep your accounts and information safe.
If your organization requires Duo Push verification, Duo displays a numeric code three to six digits in length on-screen when you choose to use Duo Push to log in to Windows.

Verified Duo Push is supported in Duo Authentication for Windows Logon version 4.3.16 and later. If your installed Duo Authentication for Windows Logon version does not support Verified Duo Push, you will not see a verification code on screen and will instead receive a standard Duo Push request on your device for approval.
Enter the code shown on your screen into the Duo Push request received on your Android or iOS device. Tap Verify to finish approving the login request.
If you enter an incorrect verification code, click Dismiss in the error message, then either try Duo Push again to get a new code or select a different available authentication method.

Remembered Devices
When logging into the local Windows console, you may see a Remember me for... option if your administrator enabled Duo's remembered devices feature. If you check this box when authenticating, you won't need to perform Duo second-factor authentication again when you unlock your Windows system for the duration specified on the prompt.
Do not choose the "Remember me..." option when using a public or shared computer! This could make your Duo-protected login session available to other users.

When you unlock your Windows system, Duo authenticates you without asking you to approve another login request until your trusted device session expires.

When your remembered device session ends, or if you log out of Windows, reboot your computer, change networks, or use offline access, then you'll need to complete Duo two-factor authentication again.
User Elevation Approval with Duo
The optional User Elevation configuration adds Duo two-factor authentication to password-protected Windows User Account Control (UAC) elevation attempts. When enabled, you'll see the Duo authentication prompt after you enter your password for a credentialed elevation request. The application you were trying to launch runs after you approve the Duo two-factor request.
Passwordless Operating System (OS) Logon for Windows Logon
When logging into the local Windows console, you will see a Log in without a password option if your administrator enabled Duo's Passwordless OS Logon feature. If you check this box when authenticating, you won't need to provide a password again when you log in to or unlock your Windows system.
Passwordless OS Logon Requirements
- Windows 10 21H2 or later or Windows 11.
- Trusted Platform Module (TPM) v2.0 enabled on the Windows device.
- Duo Authentication for Windows Logon version 5.0.0 installed.
  - Install Duo Authentication for Windows Logon version 5.3.0 or later if your organization allows Offline Access for Passwordless OS Logon.
- Bluetooth v4.0 and later enabled on both the Windows and mobile devices.
- Duo Mobile installed and activated for Duo Push.
  - Android 12 and Duo Mobile version 4.64.0 or later.
  - iOS 16 and Duo Mobile version 4.62.0 or later.
Enroll in Passwordless OS Logon
The option to log in with Passwordless OS Logon appears automatically if your organization allows it.
Duo Mobile cannot restore Passwordless Operating System (OS) Logon for Windows Logon accounts on a new mobile device. If you log on with a different mobile device, you must go through enrollment again to log on to the same or different Windows system without a password.
To enroll in Passwordless OS Logon:
- Enter your Microsoft Windows username and password. The Log in without a password option appears.
- Click Continue or Skip for Now. If you clicked Continue, the Set up a mobile device for logging in to this computer screen displays a list of the phones that you have previously activated for Duo Mobile push authentication.
- Click to select the mobile device you want to use. The Set up in just two steps screen displays.
- Make sure that Bluetooth is active on your mobile device. Click Continue. The Check for a Duo Push window appears.
- Duo Mobile receives a Bluetooth-enabled Duo Push if your computer and mobile device are in proximity with Bluetooth enabled on both devices.
- Complete biometric or PIN verification after approving the Duo Push.
- The Success! Logging you in... message confirms Windows access.




This also automatically enrolls you in Offline Access for Passwordless OS Logon if your organization has enabled that option.
Log in with Passwordless
To log in using Passwordless OS Logon:
- Have your phone available with Bluetooth enabled.
- Enter your Windows username at the sign-in screen. If you have completed passwordless enrollment, then the password field disappears.
- Click Sign in on the Windows OS sign-on screen. The Check for a Duo Push window appears.
- Duo Mobile receives a Bluetooth-enabled Duo Push if your computer and mobile device are in proximity with Bluetooth enabled on both devices.
- Complete a biometric or PIN challenge on your mobile device after accepting the Duo Push.
- The Success! Logging you in... message confirms Windows access.
If you don't have the Bluetooth-enabled phone with Duo Mobile that you used to enroll in Passwordless OS Logon:
- Click Other options to log in.

On the other options screen you can choose to log in with a password instead, which sends a regular Duo Push request.
- If you no longer have that mobile device, or if you do not want to keep using passwordless on that computer, click Stop using Bluetooth to log in. This removes enrollment for that device.
Offline Access for Windows Logon
Offline access for Duo Windows Logon helps you log on to Windows systems securely even when unable to contact Duo’s cloud service. Depending on your organization's settings, you can log in without a password using Bluetooth proximity verification, or, after entering your Windows password, with Duo Mobile on iOS or Android or a U2F security key.
Offline Access for Passwordless OS Logon
Offline Access for Passwordless OS Logon Requirements
Offline Access for Passwordless OS Logon has all the same hardware and software requirements as Passwordless OS Logon, except that you need Duo Authentication for Windows Logon version 5.3.0 installed.
Enroll in Offline Access for Passwordless OS Logon
Enrollment in offline access happens automatically when you complete Passwordless OS Logon enrollment if your organization allows it. See Enroll in Passwordless OS Logon for more information.
Log in with Offline Access for Passwordless OS Logon
To log in using Offline Access for Passwordless OS Logon:
- Have your phone available with Bluetooth enabled.
- Enter your Windows username at the sign-in screen. If you have completed passwordless enrollment, then the password field disappears.
- If your Windows system can't contact Duo, a Network can't connect window appears. Click Try again, or click Log in offline to log in without a password if your network is unavailable.
- If you clicked Log in offline, the Open Duo Mobile prompt displays.
- Duo Mobile receives a Bluetooth-enabled Duo Push if your computer and mobile device are in proximity with Bluetooth enabled on both devices.
- Complete a biometric or PIN challenge on your mobile device after accepting the Duo Push.
- The Success! Logging you in... message confirms Windows access.
- If you can't connect, the system prompts you for your password.

The offline access prompt shows you how many offline logins you have left, or the last day you’ll be allowed to authenticate using offline access. If you exceed the number of login attempts, you will need to reconnect to the network to log in again.

Password-Based Offline Access for Windows Logon
Password-based offline access for Duo Windows Logon helps you log on to Windows systems securely even when unable to contact Duo’s cloud service. You can activate one method for offline access, either Duo Mobile on iOS or Android or a U2F security key.
If your organization allows you to use this feature, you'll see the offline activation prompt after successful Duo two-factor authentication when you log in to or unlock the workstation, or approve a user elevation request, while the system is online and able to contact Duo's service. Check with your organization's Duo administrators or Help Desk to verify availability of Offline Access on your workstation.
Activate Password-Based Offline Access with Duo Mobile
To activate Duo Mobile for password-based offline access:
- Select Duo Mobile Passcode and click Activate Now to begin setting up offline access (or click Enroll later (May prevent offline login) to set it up another time).
- Scan the activation QR code using the Duo Mobile app installed on your iOS or Android device. Tap Add in the app and then tap Use QR code to begin adding the account by scanning the QR code shown by Duo for Windows.
- Enter a name for the new offline access account in Duo Mobile and tap Save to continue.
- Tap the new account you just added for your Windows computer in the Duo Mobile account list to generate a six-digit passcode.
- Enter the passcode from Duo Mobile (without a space) into the offline activation screen on your computer and then click the Activate Offline Login button to finish setting up offline access.





Activate Password-Based Offline Access with a Security Key
Duo's offline access works with these security keys:
- Yubico brand keys supporting U2F/FIDO2
- Feitian ePass FIDO
- Thetis FIDO
HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens. If you're not sure whether your security key will work, ask your organization's Duo administrator or your IT Help Desk.
To activate your security key for password-based offline access:
- Select Security Key (Yubikey) and click Activate Now to begin setting up offline access (or click Enroll later (May prevent offline login) to set it up another time).
- Duo for Windows Logon attempts to contact your security key. If you don't have it plugged in, insert it now. You should see the security key begin flashing, and the Duo screen says Security key found - Tap to enroll. Touch your blinking security key to register it.
- Tap the security key again to verify.
- If successful, the Duo offline activation window says Security key verified - enrollment complete. Click the Activate Offline Login button to finish setting up offline access.




Log in with Password-Based Offline Access
Once you’ve activated offline access for your account, your computer offers you the option to log in with an offline code or security key when it can’t contact Duo’s cloud service. This option appears after you submit your Windows username and password during system logon, or after you enter your password in a UAC elevation prompt (if User Elevation is enabled).
If you activated Duo Mobile, tap the entry for your Windows computer in Duo Mobile to generate a passcode, enter it into the Duo prompt, and click Log In.

If you activated a security key, you should see it start blinking. Tap your security key to log in.

The offline two-factor authentication prompt shows you how many offline logins you have left, or the last day you can authenticate using offline access (depending on which option your organization's administrator chose when enabling offline access in the Duo Admin Panel).

Once you reach the offline access limit, the Duo prompt informs you that you must complete online authentication to Duo before you can log in again with an offline passcode. Offline access refreshes when you perform an online Duo authentication.
If Duo Authentication for Windows Logon uses the “fail closed” setting, you can't log in while disconnected from the internet unless you activate offline access. Make sure to complete offline activation the next time your computer has internet access.

Reactivate Password-Based Offline Access
If you need to add the Windows Offline account to Duo Mobile on a different phone than you originally used for activation, you can do this from the online Duo MFA prompt.
IMPORTANT: You can only activate one phone for offline access at a time. Activating offline access on another phone invalidates the previously activated phone.
If you restored the Duo Mobile accounts on your phone with Duo Restore, reactivating offline access won't reconnect the offline account that was restored. Instead, Duo Mobile creates a second offline access account. Avoid confusion by deleting the restored offline access account before performing reactivation from the online Duo for Windows MFA prompt.
- With the Windows computer connected to the internet, log in with your username and password.
- Click the Replace/Reconnect an offline device link in the Duo prompt to begin. If your Duo for Windows Logon application is configured to automatically send a push request to your phone, cancel the authentication in progress and click the Replace/Reconnect an offline device link instead (don't approve the request on your phone).
- Next, you’ll need to complete Duo authentication. Click on an available method and approve the login request.
- Continue the activation process by scanning the QR code with Duo Mobile on the replacement phone and entering the verification code when prompted, just like the first time you activated an offline access device.


