Running the Solution
This section describes the login and authentication flow with the agent.
Windows Logon (without Passwordless)
If a user has multiple tokens, the authenticator selection screen is presented when the user logs in to a machine with the WLA agent installed.
The login screens for the different scenarios are described below:
Single token in Online mode
1. When SafeNet OTP is not exempted, the login window that appears depends on the type of token assigned to the user in STA. For example, if the user is assigned a GrIDsure token in STA, the user is presented with the GrIDsure authentication screen.
   The following window depicts the user experience for a user enrolled with a single token:
   Enter the SafeNet OTP and press Enter (or click the forward arrow).
   For a Challenge-Response token, press Enter (or click the forward arrow) with the Passcode field left blank. Depending on the token type assigned to the user, one of the following single-character passcodes can also be entered:
   - g for GrIDsure
   - e for E-mail
   - s for SMS
   - p for Push OTP
2. Enter the Microsoft password.
   After providing the Microsoft password, you are logged in to the Windows machine.
Single token in Offline mode
The following window depicts the offline authentication flow of a user enrolled with a single token. In this case, the user is enrolled with a GrIDsure token in STA. If a user is assigned any other token, the login screen displays that token accordingly.
- Grid pattern: [Disabled] This option cannot be used in offline mode and is therefore disabled.
- Emergency password: Allows the user to authenticate to the Windows machine using an emergency password provided by the administrator.
Multiple tokens in Online mode
The following window depicts the user experience when the user is enrolled with multiple tokens. It lists the authenticators assigned to the user (for example, John Doe) in STA. Select any of the options to log in with the authenticator of your choice.
A Password token cannot be assigned together with any other token; it must be assigned separately in STA.
1. The following authenticators are displayed on the login screen:
   - Send a push to MobilePASS+: Uses Push OTP with MobilePASS+. Selecting this option sends a push notification to the MobilePASS+ (MP+) application.
   - Send a code by text message and email: Sends an OTP via SMS or email to the end user's device.
   - Use your grid pattern: Authenticates with GrIDsure.
   - Enter a code: Allows the user to enter an OTP manually from an authenticator app or a hardware token.
   - Remember for future logins: Select this check box to remember the authenticator for future logins. The agent stores the authenticator first selected by the user on the WLA-installed machine; on subsequent logins, only the last selected authentication method is presented.
     For example, if the user selects Use your grid pattern, on the next logon the user is presented with the GrIDsure authentication screen only. Click Other options to display the multi-token window and select a different authentication method.
     Default: Disabled
2. Enter the second factor as required by the selected authentication method.
   After providing the authentication credential, you are logged in to the Windows machine.
Multiple tokens in Offline mode
The following window depicts the user experience in offline mode. It applies when the Windows machine cannot communicate with STA at the time of authentication.
The offline login screen displays only those authenticators that have been used at least once in online authentication.
- MobilePASS+: Uses Push OTP with MobilePASS+.
- Grid pattern: [Disabled] This option cannot be used in offline mode and is therefore disabled.
- SMS: Allows the user to manually enter the SMS OTP fetched through an authenticator app.
  The SMS authenticator allows you to log in only once using an advance token.
- Emergency password: Allows the user to authenticate to the Windows machine using an emergency password provided by the administrator.
- Hardware token: Allows the user to manually enter the OTP generated by a hardware token.
Fallback to the login screen
If for any reason the authentication does not work (for example, if the certificate has expired), the login flow falls back to the AD authentication screen, where the user needs to click Other options to display and select the authenticators.
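As an added illustration (not the agent's code), the following Python model encodes the authenticator-selection rules described above: the full assigned list online, the narrowing caused by Remember for future logins until Other options is clicked, and the offline list restricted to tokens already used online plus the emergency password, with the grid pattern listed but disabled. The token names, the two functions, and the choice to list a disabled grid pattern offline whenever it is assigned are assumptions of this model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Authenticator kinds an STA user may hold (names chosen for this model).
PUSH, GRID, SMS, EMAIL, CODE = "push", "grid", "sms", "email", "code"
EMERGENCY = "emergency-password"   # offline only; issued by the administrator


@dataclass
class WlaUser:
    """Per-user state as tracked by the logon agent (field names assumed)."""
    assigned: set[str]                                   # tokens assigned in STA
    used_online: set[str] = field(default_factory=set)   # used at least once online
    remembered: str | None = None                        # "Remember for future logins"


def login_choices(user: WlaUser, online: bool, other_options: bool = False):
    """Return (selectable, disabled) authenticators for this logon.

    Online: every assigned token, unless a remembered choice narrows the list
    to that single entry until the user clicks 'Other options'.
    Offline: only tokens already used once online, plus the emergency
    password; the grid pattern is listed but disabled because it needs STA
    (assumption: it is listed whenever assigned, even if never used online).
    """
    if online:
        choices = set(user.assigned)
        if user.remembered in choices and not other_options:
            choices = {user.remembered}
        return sorted(choices), []
    offline = (user.assigned & user.used_online) | {EMERGENCY}
    disabled = [GRID] if GRID in user.assigned else []
    return sorted(offline - {GRID}), disabled


def record_online_login(user: WlaUser, chosen: str, remember: bool) -> None:
    """Bookkeeping after a successful online second factor with `chosen`."""
    user.used_online.add(chosen)
    if remember:
        user.remembered = chosen
```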
Push with Number Matching
For users enrolled with a MobilePASS+ token in STA, the number matching feature makes push notifications more secure and prevents users from approving push notifications by mistake.
During online authentication, the user:
1. Selects Send a push to MobilePASS+ from the list of authenticators.
2. Matches the two-digit number in the MobilePASS+ push notification with the number displayed on the login screen.
Passwordless Windows Logon
This section explains the following:
Passwordless Enrollment
At first logon, the user must enter the passcode followed by the AD password to enroll for passwordless authentication. After logging in, the user receives a notification to enroll for passwordless authentication. Once the user is successfully enrolled, on subsequent logons the user is prompted for a passcode only.
Perform the following steps:
1. Log in as a user on a WLA-installed machine. On the login screen, select any of the options to log in with the authenticator of your choice.
   Figure: Login screen
   If you select Send a push to MobilePASS+, match and select the two-digit number on the MobilePASS+ push notification with the number displayed on the login screen.
   Figure: Number Matching screen
2. Enter the AD password and click .
   Figure: AD password screen
3. After the successful login, a SafeNet Desktop Logon notification to enroll for passwordless authentication appears at the bottom right of the screen.
   Figure: Enrollment Window
   Click Snooze to ignore the notification on unlock. The user then receives the notification to enroll for passwordless authentication at every logon or restart (if not enrolled already).
   a. Click Set up now.
   b. Click Continue.
   c. Authenticate using any of the authenticators.
      Figure: Authentication Window
      Figure: Number Matching screen
   d. After successful authentication, the enrollment process takes some time (up to a minute) to configure passwordless.
      Ensure that the machine is on the corporate network so that it can communicate with the SCEP server.
      Figure: Waiting Window
   e. After successful enrollment for passwordless authentication, the following success message is displayed:
      Figure: Success Window
   f. Click Close to close the window.
      In case of a failure, refer to the Troubleshooting section.
4. The user is now enrolled for passwordless authentication. On the next logon, the user is prompted only for the passcode.
Sign in with passwordless credential
Users enrolled for passwordless authentication can log in to the WLA-installed machine by entering only the passcode. The following flow describes the login of a user provisioned with passwordless authentication.
Log in by selecting any of the authenticator options of your choice.
After entering the passcode, the user is logged in without using the AD password.
Fallback to AD password
If for any reason the passwordless authentication does not work (for example, if the certificate has expired), the login flow falls back to the AD authentication screen and the user needs to enter the AD password.
Figure: Fallback to AD password screen
Passwordless Enrollment Window Expired
After the enrollment window (Default: 10 days) expires, the user is presented with an expiry notification on every logon.
Figure: Enrollment Window Expired
Click Set up now and then perform Step 3 (b) to Step 3 (f).
Passwordless Renewal
Passwordless Authentication about to expire
When the passwordless authentication is about to expire (depending on the threshold), the user is presented with the following notification to renew it and continue using passwordless authentication.
Default: 21 days
Perform the following steps to renew the passwordless authentication:
1. Click Authenticate.
   Use Case 1: If the passwordless authentication is about to expire: The following window is displayed when the passwordless authentication is going to expire within the next 21 days.
   Figure: Passwordless authentication about to expire window
   Use Case 2: If the passwordless authentication is about to expire (Last Day): The following window is displayed on the last day before the passwordless authentication expires.
   Figure: Passwordless authentication about to expire window (Last Day)
2. Perform the steps in the Passwordless Enrollment section from Step 3 (b) to Step 3 (f).
The passwordless authentication is now renewed. On the next logon, the user is prompted only for the passcode.
Passwordless Authentication Expired
When the renewal window threshold has passed and the user has not yet renewed the passwordless authentication, the user must enter a passcode followed by the AD password on the next logon. The user is also presented with the following notification to renew the passwordless authentication.
Perform the following steps for the renewal:
1. Click Authenticate.
   Figure: Passwordless authentication expired window
2. Perform the steps in the Passwordless Enrollment section from Step 3 (b) to Step 3 (f).
The passwordless authentication is now renewed. On the next logon, the user is prompted only for the passcode.
If you face any problem with the passwordless configuration, refer to the Troubleshooting section.
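As an added illustration (not the agent's code), the following Python model ties together the passwordless lifecycle described in the enrollment, fallback, renewal and expiry sections above, using the documented defaults (10-day enrollment window, 21-day renewal threshold). The assumptions are that the enrollment window starts at the user's first logon, that a `cert_valid` flag stands for the "for any reason" fallback, that the credential validity period is a parameter (the page does not state it), and all names in the code.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

ENROLL_WINDOW_DAYS = 10    # documented default enrollment window
RENEW_THRESHOLD_DAYS = 21  # documented default renewal threshold


@dataclass
class PasswordlessState:
    """Per-user state as seen by the logon agent (names are assumed)."""
    first_logon: date                  # enrollment window assumed to start here
    cert_expires: date | None = None   # None until passwordless enrollment succeeds
    cert_valid: bool = True            # False models the "for any reason" fallback


def logon_decision(state: PasswordlessState, today: date) -> dict:
    """Return the factors the logon screen asks for and the notification shown."""
    both = ["passcode", "ad_password"]
    if state.cert_expires is None:
        # Not enrolled: passcode + AD password, plus an enrollment prompt that
        # becomes an expiry notice once the enrollment window has passed.
        deadline = state.first_logon + timedelta(days=ENROLL_WINDOW_DAYS)
        note = "enrollment-window-expired" if today > deadline else "enroll"
        return {"factors": both, "notification": note}
    days_left = (state.cert_expires - today).days
    if days_left < 0:
        # Renewal threshold is over and no renewal happened: back to two factors.
        return {"factors": both, "notification": "expired-renew"}
    if not state.cert_valid:
        # Passwordless credential unusable: fall back to the AD password screen.
        return {"factors": both, "notification": "fallback-to-ad-password"}
    if days_left == 0:
        return {"factors": ["passcode"], "notification": "about-to-expire-last-day"}
    if days_left <= RENEW_THRESHOLD_DAYS:
        return {"factors": ["passcode"], "notification": "about-to-expire"}
    return {"factors": ["passcode"], "notification": None}


def renew(state: PasswordlessState, today: date, validity_days: int) -> None:
    """Successful enrollment or renewal (Step 3 (b) to 3 (f)) issues a fresh credential."""
    state.cert_expires = today + timedelta(days=validity_days)
    state.cert_valid = True
```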