Hi RobustMeraki, For this you can go SAML and integrate Duo with Passwordless (if you have the needed requirements for Windows Hello, from hardware and licensing perspectives). Or can you use a phone one button validation (coupled with risk based authentication, to ask for a code only in risky situations). Or you could use DUO with a FIDO2 or U2F device such as yubikey, to validate any auth by simply touching it. ... View more

Hi Gary, Cisco Employee here, from the Security side of the house. Cisco Secure client VPN module on Windows does not mandate existence of a TPM, however it will definitely support TPM if there is one for certificate based authentication. (Independently from the kind of headend, it's terminated on). ... View more