Flexible Windows Multifactor Authentication
August 30, 2023

Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with HID DigitalPersona

We used DigitalPersona for MFA logging into Windows. This was to meet the need of protecting sensitive data in legacy applications that did not support MFA, as well as reports and other local files that needed additional security. DigitalPersona was installed on all our user endpoints, which was roughly 230 devices.
  • Multifactor authentication
  • Offline authentication
  • Product support and patches
  • New features
  • Local admin login

Do you think HID DigitalPersona delivers good value for the price?

Yes

Are you happy with HID DigitalPersona's feature set?

Yes

Did HID DigitalPersona live up to sales and marketing promises?

Yes

Did implementation of HID DigitalPersona go as expected?

Yes

Would you buy HID DigitalPersona again?

No

We solely used DigitalPersona for Windows logon. We primarily used 3 different forms of authentication: Bluetooth from a business-owned device, fingerprint with a HID reader for biometrics, and smartcard. Having multiple ways to sign in with MFA was very helpful, as users would frequently forget one of their factors.
HID having Active Directory integration was a strength and a drawback. The drawback: as a System Administrator, I don't like to extend my Active Directory schema if I don't have to. It adds additional complexity when needing to upgrade an Active Directory server. It also means all of your authentication is being authorized by a sole source. This can be a strength or a drawback depending on your view of security. Having everything integrated is helpful, as there's only one place needed to go to when troubleshooting login issues.
We were protecting Windows desktops and laptops. The idea behind having multifactor authentication at login is to protect local data sitting on each device and to add another layer of security for legacy on-premises applications that do not support multifactor authentication. We only used DigitalPersona with Windows 10 and had no issues upgrading to different major releases of Windows 10.
We did not use DigitalPersona with Azure AD.
  • Easy to use MFA with little push back from users
  • Lost the ability to use local admin accounts
We went the other direction. DigitalPersona was our initial implementation, but we have moved away from DigitalPersona and moved to a product called TecMFA. Our organization has implemented Okta as our application and Azure as our multifactor authentication platform, and TecMFA allows us to use Okta at the Windows login which allows consistency with MFA across all platforms and applications.
DigitalPersona does a good job with having multiple options for MFA. Our users particularly liked the ability to use Bluetooth as their MFA. There was no user interaction needed; as long as the enrolled device was nearby, it would log in. This is a win for users, but also a slight weakness for security.