Flexible Security For Your Peace of Mind

Specops Authentication Client and Duo Authentication for Windows Login

The Specops Authentication Client provides enhancements to the Windows logon experience by wrapping the built-in Windows credential provider (GINA). This includes allowing users to reset their passwords from the login screen, as well as enhancing the feedback users receive when changing their password via CTRL+ALT+DEL. Often our customers will have additional third-party credential providers, and we do support wrapping those credential providers via a registry or GPO ADMX template setting (see https://specopssoft.com/blog/custom-admx-templates-specops-authentication-client-specops-password-reset/ for details). However certain credential providers such as Duo Security’s Authentication for Windows Logon require additional steps in order to allow the Specops Authentication Client to wrap them.

For Duo, we must set a registry key in order to allow wrapping by the Specops Authentication Client.  On a machine with Duo installed, create or update the following registry key:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

Value name: ProvidersWhitelist

Value type: REG_MULTI_SZ

Value data: enter (or add) the following two GUIDs on separate lines:



Next, use the Specops Authentication ADMX Template to specify that we should wrap the Duo credential provider — {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}.

Once the policy has been applied to the affected computers, both Duo login functionality and Specops Password Reset/uReset and Password Policy functionality should work seamlessly together.


Written by

Darren Siegel

Product Specialist, Specops Software

More Articles
Back to Blog