Posit: Requiring 2 factor authentication (2FA) to log in to a workstation (and unlock the screensaver) is a fool's endeavor because of lost productivity, high support cost, and user disenfranchisement. 2FA on sensitive apps, databases, etc. makes sense.
Agree or disagree? Why?
I would love this if it were possible without a support burden. I would love to see something like our Chromebooks behave. Login from login screen is MFA but wake/unlock is not.
To take it a step further, I would like to be able to set similar options as I get to do in Okta for MFA.
Lastly, if I could have some sugar on top, I want to do this all without reliance on a traditional LAN-bound AD.
@psliequ So long as TouchID remains obscured from the enterprise software, that sounds ok to me. Employer may not have my fingerprint. But we digress.
At the end of the day, the device is mostly irrelevant from a security perspective. Secure data belongs in secure apps and/or cloud services (whether public or private). That's my position anyhow.
I was recently clued into MacID, which in my own testing works very well. Sort of giving us biometric authentication on the Mac until such a sensor is baked into the hardware. Major advantage: you can auto lock the computer if the Bluetooth signal of your iOS device goes below a certain dBm threshold.