MFA for on-prem Windows Domain


I am struggling to find a cost-effective MFA solution for on-prem Windows Domains. I have been testing DUO and it works, but the offline access code does not stay with the user across devices. So every user has to create an offline access token for every device or they won’t be able to log in.

I’m also hoping to find something that would provide self-service password resets at the same time.

Does anyone know of anything that would provide these two requirements?


The last time I looked at this, Duo seemed the best option. There’s LastPass, but I’d rather go without desktop MFA than use any of their products. How does Windows support this out of the box? I have no idea.

DUO is still the most common solution I see people using for on-prem. I don’t think there is enough demand in that market space for many other companies, since many are moving towards web apps that use SSO and/or Azure AD environments.

Totally agree with you on the LastPass statement. Thankfully, we are using Bitwarden.

“Out of the box” Windows only supports “Windows Hello” which is not really ideal for on-prem solutions. My understanding is that it has to be tied into Azure AD DS to really work well and my smaller clients aren’t on that service.

It’s a challenge that I am trying to figure out. Duo is actually pretty good, but from an administrative aspect, it is a nightmare. I was hoping to find something simpler to manage.

Yeah, that’s what I was afraid you would say. I haven’t been able to find any alternatives that would provide the on-prem aspect that I need. However, I think this market is going to be growing because of the regulatory push for many businesses to utilize MFA for at least privileged accounts. Cyber insurance policies are also requiring it.

I’ve deployed Yubikeys with PIV in our local domain environment. If you set the users to smartcard only then you are good; otherwise you have to implement some other controls to lock it down to smartcard-only login.

Right now my issue is that users forget what their password was when it expires, since they don’t use it to log in anymore.
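As an added example (not code from the thread), this PowerShell script audits members of privileged groups for the "Smart card is required for interactive logon" flag that the post above refers to, and can enforce it. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to read and modify those accounts, and the group names in the default parameter, which are assumptions to adjust for your domain.

```powershell
# Added example: audit privileged accounts for the "Smart card is required
# for interactive logon" flag (SmartcardLogonRequired) and optionally set it.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with
# rights to read (and, with -Enforce, write) the listed accounts.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Groups whose members must be smartcard-only (assumed list; adjust to your domain)
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
    [switch]$Enforce
)

Import-Module ActiveDirectory

# Collect the user members (recursively, so nested groups count) of each group
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user'
}

# De-duplicate, fetch the flag and a few context attributes, keep enabled accounts only
$users = $members |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, PasswordLastSet, LastLogonDate
    } |
    Where-Object Enabled

# Report: accounts that can still fall back to a password logon
$report = $users | Select-Object SamAccountName,
    @{ n = 'SmartcardOnly'; e = { $_.SmartcardLogonRequired } },
    PasswordLastSet, LastLogonDate

$report | Sort-Object SmartcardOnly | Format-Table -AutoSize

$gaps = $report | Where-Object { -not $_.SmartcardOnly }
Write-Host ("{0} of {1} privileged accounts are not smartcard-only." -f $gaps.Count, $report.Count)

if ($Enforce) {
    foreach ($u in $gaps) {
        # Setting the flag makes the DC replace the account password with a
        # random value, so the old password no longer works for interactive logon.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set SmartcardLogonRequired = $true')) {
            Set-ADUser -Identity $u.SamAccountName -SmartcardLogonRequired $true
        }
    }
}
```

Run it without -Enforce first to see the report; -Enforce honours -WhatIf and -Confirm through SupportsShouldProcess.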

Thanks! Right now, I am experimenting with using Azure AD sync with on-prem and then incorporating Microsoft’s MFA app. It looks like this may be the best, least-management option for me? It will also provide my client users with self-service password resets, so I don’t have to deal with that either.

It means that my clients will have to buy Azure AD, but that seems in line with what it would cost for them to purchase DUO, so it’s almost a wash in pricing.

Does that sound reasonable to everyone or am I missing something here?

Azure AD sync with on-prem is a good solution.


I agree with @LTS_Tom, setting up Azure AD Connect is a good way to go.

JumpCloud should do it.