Windows Workstation (Endpoint) Protection
There are several important points to consider regarding workstations and the protection of logons/data on these endpoints.
Threat Modeling
Unlike remote network resources, workstations (especially mobile laptops) present a greater attack surface. In addition to subverting the OS logon itself, an attacker could choose to pull the hard drive and directly attempt to access the stored data. Therefore, solutions that only protect the OS logon itself may not be sufficient protection. Consideration should be given to the protection of stored data as well.
Full Drive Encryption
Without drive encryption, endpoint protection is not effective against an attacker who steals the system or its hard drive. The attacker does not need to authenticate to the account; they can simply read data off the hard drive.
If you choose to use a third-party FDE solution that “synchronizes” with Windows user credentials (meaning you enter the username and password at boot time) then it will probably not work with AuthLite. AuthLite OTPs affect the Windows logon on workstations. At best your FDE will still just use your password. More likely it will stop being able to synchronize properly with password changes and/or prevent AuthLite logons from working. At worst it could prevent you from decrypting your drive. You should contact your FDE vendor and follow whatever solution for strong authentication they support.
Untrusted workstations
Known workstation limitations
If a user's session lasts long enough for their Kerberos ticket-granting ticket to expire, the workstation will attempt to acquire a new ticket in the background using the previously entered credentials. For 2-factor users this operation will fail, because (by design) the workstation does not possess the user's full credentials. Therefore, logon sessions that endure past the expiration of the Kerberos TGT will become unable to access network resources. Upon trying to access a resource without a valid TGT, Windows will automatically show a message to the user instructing them to lock and unlock the workstation to provide domain credentials.
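As an added example (not AuthLite's or Microsoft's code), the following PowerShell reads the current session's cached TGT from klist, reports how much lifetime it has left, and tells a long-running 2-factor user whether a lock/unlock is due before network access fails. The Get-TgtStatus function name, the thresholds, and the embedded klist sample are assumptions for illustration.

```powershell
# Added example (not AuthLite's code): check the cached Kerberos TGT of the
# current logon session so a 2-factor user can lock/unlock before it expires.
function Get-TgtStatus {
    param(
        # Lines of `klist` output; defaults to running klist for this session.
        [string[]]$KlistOutput = (& klist.exe 2>&1)
    )
    $text = $KlistOutput -join "`n"
    # klist lists one ticket per "#N>" entry; keep only the krbtgt (TGT) entry.
    $blocks = @($text -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:\s*krbtgt/' })
    if ($blocks.Count -eq 0) {
        return [pscustomobject]@{ HasTgt = $false; EndTime = $null; Remaining = $null
            Action = 'No TGT cached: lock and unlock the workstation to re-authenticate.' }
    }
    if ($blocks[0] -notmatch 'End Time:\s*(.+?)\s*\(local\)') {
        throw 'Could not parse the TGT End Time from klist output.'
    }
    # klist prints local time in the current culture's format, so parse with it.
    $end = [datetime]::Parse($Matches[1])
    $remaining = $end - (Get-Date)
    $action = if ($remaining.TotalMinutes -le 0) {
        'TGT expired: lock and unlock the workstation (2-factor sessions cannot renew it in the background).'
    } elseif ($remaining.TotalMinutes -le 30) {   # assumed warning threshold
        'TGT expires soon: lock and unlock now to avoid losing network access mid-task.'
    } else {
        'TGT valid.'
    }
    [pscustomobject]@{ HasTgt = $true; EndTime = $end; Remaining = $remaining; Action = $action }
}

# Constructed sample of klist output (not captured from a real host) so the
# check can be exercised offline; omit -KlistOutput to inspect the live session.
$sample = @'
Cached Tickets: (1)

#0>     Client: alice @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        Start Time: 1/2/2024 8:00:00 (local)
        End Time:   1/2/2024 18:00:00 (local)
        Renew Time: 1/9/2024 8:00:00 (local)
'@ -split "`n"

Get-TgtStatus -KlistOutput $sample | Format-List
```

Run it as a scheduled task or logon-script check to warn users ahead of the expiry rather than after the first failed resource access.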