
End user login experience on Windows

Updated February 10, 2023

This topic describes in detail the Login for Windows experience for your end users to help you decide what configurations are best for your organization.

Important

  • If Login for Windows is configured to use a proxy and that proxy becomes unavailable, Login for Windows behaves as if the machine is offline, so only the offline login options described in this topic are available. This can affect laptop users who connect to networks in which the proxy cannot be reached.

First login with password only

End users can log in without second-factor authentication for the number of days set by the administrator in the Grace Period option. This allows end users to log in with a password only (without using second-factor authentication), and typically occurs after the Login for Windows installation. End users can then access their device to set up their two-factor authentication methods, such as push-to-accept and answers to Security Questions, before they must authenticate to access their device.

Use case: Password-only login is useful for one or more new employees who have been issued a laptop on their first day of employment. For example, if Login for Windows is already installed on the laptops and the admin has not set the Grace Period option, new employees might not be able to log into their computer if they cannot connect to the SecureAuth Identity Platform realm to register their mobile phone or self-service page to enter a phone number.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users who want to log in with a password only enter their password in the field next to number 1. After end users set up their second-factor methods, they are ready to authenticate so they click the message next to number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

60575563.png

Login without connection to Identity Platform

End users can log in when their machine does not have a connection to the Identity Platform if the Install Login for Endpoint without connection to Identity Platform and Grace Period options are set. This allows end users to log in with a password only (without using second-factor authentication).

Use case: Password-only login is useful if a third-party company configures machines for end users and the third-party company does not have connectivity to the Identity Platform. For example, if Login for Windows is installed on machines by a third-party without a connection to the Identity Platform, and the admin has not set the Install Login for Endpoint without connection to Identity Platform and Grace Period options, when new employees get their machine, they will not be able to log in.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users whose machines are not connected to the Identity Platform should contact the admin first so they can copy the message next to number 1 and send it to their admin. End users can then log in with a password only in the field next to number 2. After the machine connects to the Identity Platform, the 2FA login screen opens for end users so they can set up their second-factor methods and log in.

69107827.png

Login with VPN client

If you have VPN clients and you enabled a pre-logon access provider by setting the Auto add pre-logon access providers option, end users can connect to your VPN server before logging into Login for Windows. How often end users must log into the VPN client depends on settings configured by the administrator. When end users log into their machine, they first select the VPN login icon, called Network sign-in, which is shown in the following image surrounded by a red box:

69107756.png

End users can then authenticate with Login for Windows.

First-time login experience

If the administrator has set up a mandatory questionnaire for your organization to fill out prior to logging into Login for Windows, you will log in with a username and then you will be redirected to the questionnaire. After you fill out the questionnaire and submit it, close the browser to display the second-factor authentication screen.

Note that if different end users log into the same machine by using Other User, the Windows Credential Provider requires the end user who has just answered the questionnaire to complete an extra step before logging in. The following describes the workflow for this scenario:

  • David logs off the workstation.

  • Maria sits at the same workstation, clicks Other User, and enters her username. Maria sees the "Additional information required" message, clicks the link, and fills out the questionnaire. She submits the form and closes the browser.

  • Maria sees the login screen for David. She must click Other User again, enter her username again, then she will see the 2FA screen where she can enter her password and MFA option to log in.

  1. Enter your username on the Windows login screen.

    To authenticate by using a different primary credential provider, see the Allow other credential providers setting on the Personalization tab of the Login for Endpoints installer configuration in Configure Identity Platform and Login for Endpoints.

    The first time end users log in, Login for Windows shows only OATH-based methods (for example, a TOTP app or an HOTP YubiKey) if at least one such method is available to the end user. If no OATH-based method is available, end users can use any other available method, such as a method that uses the SecureAuth Authenticate app on a mobile device, or another device provisioned with the SecureAuth Identity Platform realm to supply passcodes.

    End users who need to log in when their machine is offline must choose an OATH-based method during the first login. After end users select a timed passcode option and enter their password, the TOTP and HOTP passcode options remain available to them when logging on to the machine offline.

    End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on to the machine offline, any OATH-based method that was used online is available for use.

    If you do not have an authentication method that provides a timed passcode, then select any other option available to you.

    End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

    You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login notification on mobile" option; if "Symbol-to-Accept" is set, end users will see the "Passcode from Symbol-to-Accept" option in place of the "Approve login notification on mobile" option on the login dropdown. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

    l4l_all_factors.png

    If you are authenticating through a different primary credential provider (that is, not the SecureAuth credential provider), you will see the login screen offered by that credential provider. The other primary credential provider supports offline mode for end users who need to log in when their machine is offline.

    The following image shows an example of a login screen, but yours will look different.

    58065869.png
    1. Sign in.

      The image shows two sign-in options, a Microsoft credential provider (the key icon) and a Microsoft Smart Card credential provider (the card icon). To sign in, click the icon for your preferred method. If your site offers only one kind of sign-in option, then only that option is displayed for you to sign in with.

      Additionally, if you can sign in as "Other user", a multi-user credential login provided by that credential provider will be displayed. After specifying who you are, click the Sign-in options link to choose which multi-user credential you want to use to sign in.

    2. You have completed your authentication login process. You can disregard the remaining end user steps in this section and in "Subsequent login experience." Your login experience will remain the same as the one provided by your primary credential provider.

    3. Notice the placement of the Password Reset icon on the lower left. To update your password, click the icon. Login for Windows is the password reset credential provider, and requires online network access.

  2. Show or hide the passcode so that, as you type, you see characters instead of dots.

    1. Focus on the passcode field and enter characters to see the following "eye" icon displayed.

      58065915.png
    2. Click the icon and hold it until the dots in the field turn to characters.

    3. To hide the passcode, click and hold the icon until the characters turn to dots.

Face recognition (Windows Hello)

Use biometric face recognition to authenticate access to your Windows workstation.

Login fields

Login instructions

l4w_biometrics_first_login.png

Use face recognition (Windows Hello)

  1. In Login for Windows, type your Windows password.

  2. Make sure you have face recognition set up in Windows Hello.

    To learn more, see Set up Windows Hello.

  3. Log out.

  4. Log in again and follow the on-screen prompt to provide face recognition to log in.

Fingerprint recognition (Windows Hello)

Use biometric fingerprint recognition to authenticate access to your Windows workstation.

Login fields

Login instructions

l4w_biometrics_first_login.png

Use fingerprint recognition (Windows Hello)

  1. In Login for Windows, type your Windows password.

  2. Make sure you have fingerprint recognition set up in Windows Hello.

    To learn more, see Set up Windows Hello.

  3. Log out.

  4. Log in again and follow the on-screen prompt to provide fingerprint recognition to log in.

Push notification

Approve the login notification sent to the Authenticate app on your mobile device to log in.

Login fields

Login instructions

58065937.png

Approve login notification on mobile

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to send a push notification to the Authenticate app and approve your login to Windows.

Email

Use a passcode sent to your email.

Login fields

Login instructions

58065933.png

Passcode from email

  1. In Login for Windows, type your Windows password.

  2. Select the email address if more than one address is included in your user profile.

  3. Click the arrow to send a passcode to your email and complete the login to Windows.

Face on mobile

Use face recognition on your mobile device to log in.

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones.

Login fields

Login instructions

58065945.png

Use face recognition on mobile

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned Authenticate app is installed to send a request to the mobile app.

  3. Click the arrow to log in to Windows.

  4. Show your face on the mobile device to approve the request.

    Login for Windows receives the face information and you are authenticated.

Fingerprint on mobile

Use fingerprint recognition on your mobile device to log in.

End users must use the Authenticate mobile app to use fingerprint recognition.

Login fields

Login instructions

58065946.png

Use fingerprint recognition on mobile

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned Authenticate app is installed to send a request to the mobile app.

  3. Click the arrow to log in to Windows.

  4. Provide a fingerprint on the mobile device to approve the request.

    Login for Windows receives the fingerprint information and you are authenticated.

Help desk

Contact the help desk in your organization to receive a passcode to log in.

Login fields

Login instructions

58065929.png

Contact help desk for passcode

  1. In Login for Windows, type your Windows password.

  2. Select the phone number option to use for contacting the help desk.

  3. Click the arrow to log in to Windows.

Passcode from notification

Use a passcode sent in an Authenticate app notification on your mobile device to log in.

Login fields

Login instructions

58065936.png

Passcode from notification

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to send a passcode to the Authenticate app and complete the login to Windows.

PIN

Use a predefined personal identification number (PIN) to log in. To learn more, see PIN settings.

Login fields

Login instructions

l4w_pin.png

Enter PIN

  1. In Login for Windows, type your Windows password.

  2. Type your predefined personal identification number (PIN).

    You must have a PIN set up in the Authenticate app. See PIN settings.

  3. Click the arrow to log in to Windows.

SMS

Use a passcode sent to you by SMS to log in.

Login fields

Login instructions

58065927.png

Passcode from SMS / text

  1. In Login for Windows, type your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to get a passcode by SMS and complete the login to Windows.

Timed passcode

Use a time-based one-time passcode (TOTP) from the app on your device to log in.

This method and "Passcode from token" are displayed at first login, if available. If not available, all available methods are displayed.

Login fields

Login instructions

58065881.png

Timed passcode from app

  1. In Login for Windows, type your Windows password.

  2. If there is more than one provisioned OATH OTP app, select the device.

    If you have enrolled more than one device to accept OATH OTP passcodes, select the device from which you copied the passcode.

    If offline, end users can choose an OATH-based method they used when online.

  3. Type the passcode, and click the arrow to log in to Windows.

Token

Use a passcode in a token like a HOTP security key to log in.

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

Login fields

Login instructions

58065879.png

Passcode from token

  1. In Login for Windows, type your Windows password.

  2. If you have enrolled more than one token to accept passcodes, select the token.

    To find your YubiKey version, see Identifying Your YubiKey on the Yubico website.

    If offline, end users can choose an OATH-based method they used when online.

  3. Type the passcode from selected token and click the arrow to log in to Windows.
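Offline login (step 1 of the first-time login experience, and the "If offline" notes under Timed passcode and Token) works only with OATH-based methods the user selected while online, because those are the only methods the endpoint can verify without reaching the Identity Platform. The following is an added example, not SecureAuth code: it models such an endpoint-side cache with RFC 4226 (HOTP) and RFC 6238 (TOTP) passcode checks; the class, method names, drift window and counter look-ahead are assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


class OfflineOathCache:
    """Hypothetical model of what an endpoint keeps after an online login.

    Only OATH secrets for the TOTP app or HOTP token the user actually selected
    online are stored; push, SMS, email, voice and help-desk methods are verified
    by the Identity Platform and leave nothing the endpoint could check offline.
    """

    def __init__(self, step: int = 30) -> None:
        self.step = step
        self._totp = {}   # device name -> shared secret
        self._hotp = {}   # token name  -> [shared secret, next expected counter]

    def record_online_login(self, method: str, name: str, secret: bytes = b"") -> bool:
        """Cache the OATH secret used online; returns False for non-OATH methods."""
        if method == "totp":
            self._totp[name] = secret
            return True
        if method == "hotp":
            self._hotp[name] = [secret, 0]
            return True
        return False

    def offline_methods(self) -> list:
        """Methods the login screen can still offer while the machine is offline."""
        return sorted(list(self._totp) + list(self._hotp))

    def verify_offline(self, name: str, code: str, now=None,
                       drift: int = 1, lookahead: int = 10) -> bool:
        if name in self._totp:
            # Accept the current time step plus/minus `drift` steps for clock skew.
            now = int(time.time()) if now is None else now
            current = now // self.step
            ok = False
            for d in range(-drift, drift + 1):
                if hmac.compare_digest(hotp(self._totp[name], current + d), code):
                    ok = True
            return ok
        if name in self._hotp:
            # Event-based: scan a window of counters ahead (button presses while
            # offline), then advance past the accepted counter so it cannot be replayed.
            secret, nxt = self._hotp[name]
            for c in range(nxt, nxt + lookahead):
                if hmac.compare_digest(hotp(secret, c), code):
                    self._hotp[name][1] = c + 1
                    return True
            return False
        return False  # method was never used online, so nothing to verify against
```

The HOTP and TOTP test vectors from the RFCs (secret `12345678901234567890`) show the replay and skew behaviour: a token code is accepted once, then rejected, and an app code is accepted only within the drift window.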

Voice call

Use a passcode sent in a voice call to your mobile device to log in.

Login fields

Login instructions

58065932.png

Passcode from voice call

  1. In Login for Windows, type your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to get a passcode by a voice call and log in to Windows.

YubiKey

Use a YubiKey to log in.

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

Login fields

Login instructions

58065995.png

Passcode from YubiKey

  1. In Login for Windows, type your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

  3. Click the arrow to log in to Windows.

Subsequent login experience

When logging on the same machine in subsequent sessions, the Login for Windows page includes a selection of all multi-factor authentication methods for which you enrolled.

Note

The login screen defaults to the authentication method used in the last login session.

To show characters as you type a passcode instead of seeing dots, refer to step 2 in "First-time login experience."

You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login" icon; if "Symbol-to-Accept" is set, end users will see the "Symbol-to-Accept" icon in place of the "Approve login" icon on the login screen. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

l4w_all_factors_icons.png

Face recognition (Windows Hello)

Use biometric face recognition to authenticate access to your Windows workstation.

Login fields

Login instructions

l4w_face_auth.png

Face recognition option shown when only face ID is set up in Windows Hello

l4w_face-and-fingerprint_auth.png

Face or fingerprint options shown when both face and fingerprint are set up in Windows Hello

Use face recognition (Windows Hello)

  • Follow the on-screen prompt to provide face recognition to log in to Windows.

Fingerprint recognition (Windows Hello)

Use biometric fingerprint recognition to authenticate access to your Windows workstation.

Login fields

Login instructions

l4w_fingerprint_auth.png

Fingerprint recognition option shown when only fingerprint is set up in Windows Hello

l4w_face-and-fingerprint_auth.png

Face or fingerprint options shown when both face and fingerprint are set up in Windows Hello

Use fingerprint recognition (Windows Hello)

  • Follow the on-screen prompt to provide fingerprint recognition to log in to Windows.

Push notification

Approve the login notification sent to the Authenticate app on your mobile device to log in.

Login icon

Login fields

Login instructions

58065978.jpg
58065938.png

Approve login notification on mobile

  1. Open the Authenticate app on your mobile device.

  2. View and accept the push notification to access Windows.

Symbol-to-Accept

Tap the matching symbol to log in to Windows.

Login icon

Login fields

Login instructions

58065984.png
58065947.png

Tap symbol-to-accept

End users must use the Authenticate mobile app to receive symbols.

  1. Click the symbol-to-accept login icon to send the set of 4 symbols to the Authenticate app on your mobile device.

  2. View the symbol that displays on your Windows workstation.

  3. In the Authenticate mobile app, tap the matching symbol to complete the login to Windows.

Email

Use a passcode sent to your email.

Login icon

Login fields

Login instructions

58065976.jpg
58065934.png

Passcode from email

  1. Open your email to view the passcode.

  2. Type the passcode and click the arrow to log in to Windows.

Email link

Click the link sent to your email to log in.

Login icon

Login fields

Login instructions

l4w_l2a_email_icon.png
l4w_l2a_email_multi.png

Link from email

  1. In Login for Windows, type your Windows password.

  2. Select the email address and click the arrow to send the link to your email.

  3. Open your email and click the link in the email to complete the login to Windows.

Face on mobile

Use face recognition on your mobile device to log in.

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones.

Login icon

Login fields

Login instructions

58065949.png
58065945.png

Single user credential

58065950.png

Multiple user credentials

Use face recognition on mobile

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones.

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned Authenticate app is installed to send a request to the mobile app.

  3. Click the arrow to log in to Windows.

  4. Show your face on the mobile device to approve the request.

    Login for Windows receives the face information and you are authenticated.

Fingerprint on mobile

Use fingerprint recognition on your mobile device to log in.

End users must use the Authenticate mobile app to use fingerprint recognition.

Login icon

Login fields

Login instructions

58065948.png
58065946.png

Single user credential

58065951.png

Multiple user credentials

Use fingerprint recognition on mobile

End users must use the Authenticate mobile app to use fingerprint recognition.

  1. In Login for Windows, type your Windows password.

  2. Select the mobile device on which the provisioned Authenticate app is installed to send a request to the mobile app.

  3. Click the arrow to log in to Windows.

  4. Provide a fingerprint on the mobile device to approve the request.

    Login for Windows receives the fingerprint information and you are authenticated.

Help desk

Contact the help desk in your organization to receive a passcode to log in.

Login icon

Login fields

Login instructions

58065981.jpg
58065928.png

Contact help desk for passcode

  1. Contact the help desk to receive a passcode.

  2. Type the passcode and click the arrow to log in to Windows.

Passcode from notification

Use a passcode sent in an Authenticate app notification on your mobile device to log in.

Login icon

Login fields

Login instructions

58065977.jpg
58065935.png

Passcode from notification

  1. Open the Authenticate app on your mobile device to view the passcode.

  2. Type the passcode and click the arrow to log in to Windows.

PIN

Use a predefined personal identification number (PIN) to log in. To learn more, see PIN settings.

Login icon

Login fields

Login instructions

l4w_pin_icon.png
l4w_pin_multi.png

Passcode from PIN

  1. In Login for Windows, type your Windows password.

  2. Type the predefined personal identification number (PIN) associated with your Authenticate app.

  3. Click the arrow to log in to Windows.

Security question

Use security questions to authenticate your login to Windows.

Login icon

Login fields

Login instructions

58065943.jpg
58065942.png

Answers to Security questions

  1. In Login for Windows, answer both questions with your predefined answers.

    You must answer both questions.

  2. Click the arrow to log in to Windows.

SMS

Use a passcode sent to you by SMS to log in.

Login icon

Login fields

Login instructions

58065974.jpg
58065931.png

Passcode from SMS / text

  1. Enter the passcode sent via SMS to your mobile phone.

  2. Click the arrow to log in to Windows.

SMS link

Tap the link sent to you by SMS to log in.

Login icon

Login fields

Login instructions

l4w_l2a_text_icon.png
l4w_l2a_text_multi.png

Link from SMS

  1. In Login for Windows, type your Windows password.

  2. Select the phone number and click the arrow to send the link by SMS.

  3. Open the SMS message and tap the link to complete the login to Windows.

Timed passcode

Use a time-based one-time passcode (TOTP) from the app on your device to log in.

Login icon

Login fields

Login instructions

58065979.jpg
58065941.png

Single user credential

58065881.png

Multiple user credentials

Timed passcode from app

  1. In Login for Windows, type your Windows password.

  2. In the Enter passcode field, type the OATH OTP from your authenticator app.

    If online, end users can choose any available MFA method; end users with more than one mobile device provisioned have the extra step of selecting the appropriate mobile device.

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log in to Windows.

Token

Use a passcode in a token like a HOTP security key to log in.

Login icon

Login fields

Login instructions

58065980.jpg
58065880.png

Single user credential

58065879.png

Multiple user credentials

Passcode from token

  1. In Login for Windows, type your Windows password.

  2. Select the token.

    If offline, end users can choose an OATH-based method they used when online.

  3. Type the passcode from the selected token and click the arrow to log in to Windows.

Voice call

Use a passcode sent in a voice call to your mobile device to log in.

Login icon

Login fields

Login instructions

58065975.jpg
58065930.png

Passcode from voice call

  1. Type the passcode received by a voice call to your mobile phone.

  2. Click the arrow to log in to Windows.

YubiKey

Use a YubiKey to log in.

Login icon

Login fields

Login instructions

58065980.jpg
58065973.png

Passcode from YubiKey

  1. In Login for Windows, type your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

  3. Click the arrow to log in to Windows.

Admin login experience

Login for Windows requires you to complete a multi-factor authentication method when you log in to a privileged account as an administrator (with "Run as administrator") on the same machine used to log into a regular user account. To see the options, right-click an executable.

58065886.png

Select one of the options and then enter the admin password.

58065939.png

Note

Users with access to privileged accounts are not prompted for additional MFA when logging into their normal user accounts; however, it is possible to configure UAC policies to prompt administrators for a password or MFA when they log into their normal user accounts. See UAC - Require a Password for Administrator.

To show characters as you type a passcode instead of seeing dots, click and hold the "eye" icon to the right of the characters.