Forum Discussion

nikzin
Dec 08, 2019

APM Edge Client Bypass MFA during Windows Login

Hi community

We secure our Windows 10 clients with MFA (Yubikey). So after entering username and password during the Windows login process you have to put in your Yubikey and touch it. So far so good...

If Edge Client is installed you can click in the login screen on the symbol with the two displays in the bottom right corner and choose APM Network Access. After that you ONLY have to enter username and password to log in to Windows, without Yubikey.

Does anybody know how this is possible and how we can solve this problem? Imho we have to solve this on the OS layer and not in the Edge Client configuration.

Thanks in advance.

Nick

3 Replies

  • Hello nikzin, if I am following correctly here it sounds like you are using Windows Logon Integration. Windows only supports username/password and certificates here, so you would need to use that for an MFA solution in this use case.


    https://support.f5.com/csp/article/K40131499

  • Hi Dave, thanks. We don't want to use that feature. But we are pretty confused that we can bypass our MFA in that way. Where do we have to solve this (imho) security issue? Do I have to configure it in Windows or in Edge Client? Kr, Nick

    • Dave_W

      Hi Nick, so you mean launching the client from the System Tray? Have you tried setting the Edge Client to use Web Logon Mode?


      https://support.f5.com/csp/article/K18820340


      • Simple Logon mode—Used by VPN clients that can’t render HTML pages (or when HTML is not desired). This mode only supports username and password authentication, with optional client certificate-based authentication.
      • Web Logon mode—Used by VPN clients that can render HTML pages and support all the advanced authentication methods BIG-IP APM offers, including Security Assertion Markup Language (SAML) and OAuth 2, which provides secure delegated access to third-party clients.