WinAuth - MFA software for Windows and shared PC use case

Fabio Grasso, Solutions Engineer specializing in Identity & Access Management (IAM) and cybersecurity.

I had a customer with very specific requirements for MFA:

  • No app to be installed on employees’ devices
  • No SMS (they cannot use the employees’ personal numbers)
  • Protect access to a corporate app with MFA
  • Hardware keys are to be avoided due to the cost and the risk of losing them
  • Shared PCs, including the Windows user account (several employees use the same Windows session and share the same password)

Though this is not ideal in terms of security, it is very hard for them to change this behaviour.

So, I was looking for a solution to propose. We cannot rely on FastPass because the Windows user is shared. We cannot use SMS, FIDO2 keys, or other systems.

There is a lot of MFA software compatible with TOTP or Google Authenticator, but most of it runs either with no password at all or with a single master password. In a shared Windows session that is not usable: anyone at the keyboard would either see every colleague's codes directly, or would need the one master password that unlocks all of them.

WinAuth

WinAuth is a portable, open-source authenticator for Windows that provides counter-based (RFC 4226 HOTP) and time-based (RFC 6238 TOTP) authenticators, plus common implementations built on them such as Google Authenticator.

One of its features is the ability to protect each authenticator with a different password. This is what makes it usable on a shared PC: each employee unlocks only their own authenticator, and the others stay encrypted.

You can download it from GitHub, where the source code is also available: https://github.com/winauth/winauth

Demo

Advantages of WinAuth

  • Light (~5 MB)
  • Requires no installation and runs without admin permissions
  • Supports multiple authenticators and allows each one to be protected with a separate password
  • It is open source. A customer can potentially customize it, remove unnecessary features, add custom branding, etc.

Warning

All that glitters is not gold; there are some caveats to consider:

  • The app is no longer maintained. The last release was in 2017, which means it may have issues with newer versions of Windows, unfixed security bugs, etc.
  • Although each authenticator can have its own password, any user of the shared session can delete any authenticator: the per-authenticator password protects confidentiality, not availability. And because everyone runs as the same Windows account, the encrypted configuration is readable by every user of that session, so the passwords need to be strong enough to resist offline guessing.
  • You have to educate users on how to add a new authenticator and protect it with a password.
  • It is a good starting point, but for use in an enterprise context the customer must customize the application.

Alternatives to be evaluated

