It does not pass through, you simply 2FA twice. One at CWC login, the other at Windows login. Duo protects both.
Besides, you should be able to use YubiKey with CWC RIGHT NOW. Configure CWC to use TOTP, then have your YubiKey generate said TOTP. Press the gold button with the cursor in the right box during login and presto.
You can use TOTP with CWC so not seeing a problem here still with the lack of smart card. I wouldn't be surprised if the concept of smart cards altogether ends up fading away.
Duo is CHEAP and the value it brings from a security standpoint is impossible to put a price tag on in my opinion. Its use goes far beyond securing CWC; it secures the Windows desktop, and all kinds of third-party systems.
Regardless, and with all due respect, if you need to comply with 800-171 and are worried about the cost of Duo, your security infrastructure as a whole is likely not going to be good enough. The audits are orders of magnitude more spendy, and your SIEM tool will be $$$$ too.
Citation? All we needed was proper 2FA under 800-171, not necessarily smart cards. We have this working via Duo Push Notification (or basic TOTP) with CWC login now, the desktops protected by Duo as well.
ConnectWise as a whole REALLY needs to step up their security game within their products. They do a whole bunch of lip service to us buying products to SELL security products/services, but their own software is lacking in several areas.
I think we're going to just use Duo. It solves all the issues and doesn't have to use a smartcard. I wish SC supported Smartcard Passthrough though, it'd be nice since then we can do this without recurring costs like Duo or other solutions need.
We need this function as well for NIST 800-171 requirements.