4

I have a need for dual-factor authentication on a Windows 10 workstation that is NOT connected to a domain. The user accounts are local. I have not been able to find any solutions that will work without AD. Is there any way to use smartcards, Yubico keys or biometrics in conjunction with password/PIN for logon? Please let me know if more information is needed.

Thanks!

Run5k

3 Answers

5

According to this TechNet discussion, it is not possible to require two factors for logon using Windows Hello (the logon service for biometrics on Windows) on standalone systems (outside of Active Directory). Factors are all either/or, such as fingerprint or PIN.

It might be possible to do this with third-party software if it installs itself as a GINA DLL and can read the biometric or other factor and requires a PIN in addition. I'm unsure, though, if Windows 10 still supports alternative logons via GINA DLLs. You would also need to find a third-party GINA DLL program which was able to read your second factor and had the option to require a PIN in addition.

There is a third-party GINA DLL provider which is open source and may be able to be made to meet your needs, called pGINA, but it is unclear whether it will work in Windows 10 or is still being actively developed.

2

This is now possible with Windows Hello for Business. Despite the name, the feature is available to all users with Windows Pro (10 or 11). You'll need to be confident modifying group policy.

1

Yes. I'm using both a fingerprint and a YubiKey with Windows 10. Or you could use password plus YubiKey. Just install the YubiKey logon tool that requires the key be installed when you log in for your second factor PIV card.