Zero-client two-factor workstation logons
It is possible, though not recommended, to log on to a workstation with two-factor credentials even when the workstation has no AuthLite software installed. The DCs with AuthLite installed will still enforce two-factor authentication as expected.
Note that without the AuthLite software installed, two-factor cached (offline) logons are not possible. The client software can be pushed with Group Policy, and installing it is strongly recommended wherever at all possible.
There are several important considerations for zero-client workstations:
- You must disable cached logons for the workstation via Group Policy (the security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", set to 0). If you do not, any attacker who knows the username and Windows password can log on simply by forcing the machine offline first, for example by unplugging the network. Without AuthLite software, Windows is unaware of the OTP and continues to protect cached logons with the Windows password alone.
- Windows never sends the password field to the DC as typed (it is hashed locally before authentication), so you must enter the OTP in the username field for it to reach the DC. On AuthLite-aware systems this limitation does not exist, because the client software intercepts and processes the authentication request correctly regardless of which field the credentials are entered in.
- Enforce the Group Policy setting that prevents the last username from being shown ("Interactive logon: Do not display last user name"). This ensures you always get a blank, typeable username field at logon and at unlock. If you do not, the unlock screen shows only a password field; to unlock, you would have to use "Switch User", select "Other user", and so get a fresh opportunity to enter the OTP in the username field.
- Some parts of Windows will display what was typed in the username field (that is, the OTP) instead of the proper username. Although the correct username is returned in the session token, some default Windows components use the value typed at logon time. The resulting issues are generally cosmetic.
- Because of a race condition in Windows, you may find that access to LAN resources that require two-factor authentication is unreliable or sporadic. Installing the AuthLite client resolves this.
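The following PowerShell script is an added example, not AuthLite's own tooling, for checking that a zero-client workstation actually has the two Group Policy settings above in effect: cached logons disabled and the last username hidden. It reads the standard Windows registry locations behind those security options (CachedLogonsCount under the Winlogon key, stored as a string, and DontDisplayLastUserName under Policies\System, stored as a DWORD). The function and variable names are the example's own. In a domain these values should be delivered by a GPO scoped to the zero-client workstations; the local write function is for a lab machine or for confirming what a GPO applied, since a GPO will overwrite a conflicting local value at the next policy refresh. Run it in an elevated session.

```powershell
# Added example (not AuthLite's code): audit, and optionally enforce locally, the
# two security options a zero-client two-factor workstation needs.
#   "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount (REG_SZ)
#   "Interactive logon: Do not display last user name"       -> DontDisplayLastUserName (REG_DWORD)
# Run from an elevated PowerShell prompt.

$Settings = @(
    @{
        Name     = 'CachedLogonsCount'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Required = '0'       # REG_SZ: no cached domain logons at all
        Type     = 'String'
        Reason   = 'Without AuthLite installed, a cached logon is protected by the Windows password alone.'
    },
    @{
        Name     = 'DontDisplayLastUserName'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Required = 1         # REG_DWORD: always present a blank username field
        Type     = 'DWord'
        Reason   = 'A pre-filled username leaves no field in which to type the OTP at unlock.'
    }
)

function Test-ZeroClientLogonPolicy {
    <#
    .SYNOPSIS
    Reports each required setting, its current value and whether it is compliant.
    A missing value is non-compliant: Windows then falls back to its defaults
    (10 cached logons, last user name shown).
    #>
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Current   = if ($null -eq $current) { '<not set>' } else { $current }
            Required  = $s.Required
            Compliant = ($null -ne $current) -and ("$current" -eq "$($s.Required)")
            Reason    = $s.Reason
        }
    }
}

function Set-ZeroClientLogonPolicy {
    <#
    .SYNOPSIS
    Writes the required values into the local registry. Idempotent; creates the
    key if it is absent. Prefer a GPO on domain members; this is for lab use.
    #>
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Required -PropertyType $s.Type -Force | Out-Null
    }
}

# Audit first; enforce only on machines confirmed to be zero-client.
$report = Test-ZeroClientLogonPolicy
$report | Format-Table Setting, Current, Required, Compliant -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'NOT safe for zero-client two-factor logons: cached logons or last-username display are still enabled.'
    # Set-ZeroClientLogonPolicy   # uncomment to enforce locally
}
```

After a GPO change, run gpupdate /force on the workstation and re-run the audit before relying on it; also confirm on your Windows build that the unlock screen really presents a blank username field, since that is the field the OTP has to be typed into on a zero-client machine.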