Login for Windows v21.04 configuration guide

Updated April 30, 2021

Login for Windows, available in SecureAuth IdP release 9.3+ and the SecureAuth® Identity Platform release 19.07+, adds SecureAuth’s multi-factor authentication to the Windows desktop and remote server login experience.

Release highlights

Read on to learn more about the new features in Login for Windows version 21.04.xx.

See the Release notes to learn about enhancements and known issues.

New integrated Login for Endpoint configuration page in Identity Platform

Open the new Login for Endpoint page from the Identity Platform user interface to customize your Login for Endpoints user experience. The easy-to-use pages help you set up your operating system, the multi-factor methods, and even personalize your users' experience during authentication. (Existing customers will recognize the options that were manually set in the config.json file in previous releases.)

This feature is supported in Identity Platform version 21.04 or later only.

See Identity Platform and Login for Endpoints configuration for all the details.

New second-factor authentication methods added

You can now choose the following new 2FA methods: PIN and link-to-accept available for both SMS/text and email.

New methods are supported in Identity Platform version 21.04 or later only. See the following sections for details:

Azure AD support

Login for Windows now supports Azure AD domain-joined machines.

This feature is supported in Identity Platform version 21.04 or later only.

Disclaimers

  • The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Windows will not authenticate end users if their usernames are duplicated across multiple data stores.

  • Customers who want to use the pre-login questionnaire must create the questionnaire themselves. SecureAuth does not host this document; rather, SecureAuth enables customers to integrate their own questionnaire with the Identity Platform version 19.07+ and Login for Windows version 20.09+.

  • Login for Windows does not support non-domain joined devices. Issues pertaining to account synchronization are the responsibility of the customer and not SecureAuth.

If a computer is not domain-joined AND all local users are blocked by Adaptive Authentication OR are not Active Directory (AD) or Azure AD members on SecureAuth Identity Platform, end users receive the following message: Access is denied for all users on this computer.

  • Login for Windows supports the samAccountName login name format if using Microsoft Active Directory or Azure AD; in this use case, userPrincipalName (UPN) is not supported.

UPN is supported at login if running Login for Windows with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.

  • With the exception of the Microsoft-provided credential providers, SecureAuth does not support other third-party credential providers installed on the same computer as the Login for Windows credential provider.

  • SecureAuth did not certify Windows 7 and Windows Server 2008 with Login for Windows release 20.03+ because Microsoft deprecated both operating systems as end-of-life. Be aware of the following:

    • Login for Windows release 20.03+ works on Windows 7, but SecureAuth does not certify that all features are supported.

    • Only Login for Windows security fixes will be released in the near future.

    • SecureAuth recommends upgrading to an officially supported version of Windows.

Prerequisites

Administrator
  • Login for Windows requires SecureAuth IdP version 9.3 or later or SecureAuth® Identity Platform version 19.07 or later.

  • To use biometric fingerprint and face (iOS only) recognition, Login for Windows requires SecureAuth Identity Platform release 19.07 or later, using the 2019 theme (see Setting the default theme for new realms).

  • To use Symbol-to-Accept through SecureAuth Authenticate mobile app, Login for Windows requires SecureAuth Identity Platform release 19.07 or later.

  • To use the Passwordless workflow, Login for Windows requires the following:

    • SecureAuth IdP 9.3 or later (or SecureAuth Identity Platform 19.07 or later), with the endpoint running Windows 10 version 1607 or later

    • Available to sites running the Prevent package

  • You can customize the Login for Windows experience by setting or changing configuration options in Identity Platform and Login for Endpoints configuration.

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with Login for Windows, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. Login for Windows supports cookie-based persistence only.

Setup requirements
  1. Ensure SecureAuth IdP release 9.3 or later, or SecureAuth Identity Platform release 19.07 or later, is running and is using a SHA-2 (for example, SHA-256) third-party publicly trusted certificate bound to Microsoft Internet Information Services (IIS). For example, in the IIS Management Console's Default Web Site section, check the Site Bindings section to ensure that the https/443 binding has a valid, trusted SHA-2 certificate selected in the SSL certificate field. The following example shows the SSL connection being terminated on the SecureAuth server.

    60562969.png

    Alternatively, you can terminate the SSL connection on the load balancer, in which case the publicly trusted certificate resides on the load balancer.

    Note

    Do not remove the SecureAuth certificates from the certificates console or the SecureAuth appliance will no longer function.

  2. Create a new Login for Endpoints application.

  3. Ensure target end user machines are running on supported OS versions in the SecureAuth compatibility guide.

End user
First-time usage requirements

End users can log in without second-factor authentication for the number of days set by the administrator. This allows end users to log in with a password only so they can set up their two-factor authentication methods before they must authenticate to access their device. After end users set up 2FA, the following is the authentication workflow.

Login for Windows requires end users to use one OATH-based method (for example, TOTP or HOTP) if at least one such method is available to them. If no OATH-based method is available, they can use any other available method, but offline login will not be possible.

To meet this requirement, end users must use one of the following accounts provisioned with the SecureAuth Identity Platform (Internal Application Manager) that enables their device to generate timed passcodes for multi-factor authentication:

Thereafter, end users can use Login for Windows to log in when working online and offline.

Additionally, consider the following requirements for end users:

  • If using Passwordless as a first factor, end users must ensure the following:

    • Run Windows 10 build 1607 or later

    • Connect a fingerprint reader to the computer

  • If using face recognition, available for iOS mobile phones only, end users must complete the following:

    • Enable their iOS mobile phone Face Recognition setting

    • Download and set up the SecureAuth Authenticate app

    • Sites upgrading from SecureAuth release 9.3 to the Identity Platform release 19.07: End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

  • If using fingerprint recognition, end users must complete the following:

    • Enable their iOS or Android mobile phone Fingerprint setting

    • Download and set up the SecureAuth Authenticate app

    • End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

Note

If end users are using the SecureAuth Credential Provider and the admin upgrades to a later version of Login for Windows, end users do not need to uninstall the SecureAuth Credential Provider before installing Login for Windows.

Identity Platform and Login for Endpoints configuration

Use the following sections to set up your endpoint product with the cloud and hybrid model of SecureAuth Identity Platform version 21.04 or later. You will configure the Identity Platform to use Login for Endpoints.

If your team wants to use biometric identification (face (iOS only) or fingerprint recognition), you must complete the following set up. Only the Identity Platform v19.07 or later supports biometric identification; additionally, you must use the 2019 theme (see Setting the default theme for new realms).

Note

The following instructions are appropriate for the three endpoint products: Login for Windows, Login for Mac, and Login for Linux. Differences will be called out according to operating system.

Prerequisites

The following steps must be completed before you can set up MFA methods; some steps are specific to cloud and they are called out accordingly.

  1. Cloud: Download and install the SecureAuth Connector on your endpoint data store server to begin the Identity Platform deployment.

    See Data Stores for a discussion and prerequisites. See Install the SecureAuth Connector for prerequisites and steps.

  2. Add a data store.

    In your endpoint Data Store Properties, enter adminDescription in an unused ID field—Aux ID 3 for endpoints—and set the data format to plain text. Later in these steps, you will map this field to the OTP Validation Property, which is used for end user authentication.

Set up a policy

Policies in the Identity Platform let you define rules that control which users are authenticated to, or blocked from, certain applications. See How policies are used in the Identity Platform to learn about policies.

If you have an existing policy or default policy that will meet your security needs, you can use that policy; otherwise, you can set up a new policy specifically for endpoints.

  1. Set up a policy for your endpoint.

    On the left side of the Identity Platform page, click Policies. Click Add new Policy and give the policy a name.

    policy_id_plat_2104.png
  2. Optional: Set up rules that prompt for or skip MFA when end users authenticate, based on attributes such as their country, group membership, and more.

    Select the Authentication Rules tab. See Adaptive authentication rules settings in a policy to learn more about setting rules.

    auth_rules_in_policy.png
  3. In the Multi-Factor Methods tab, select the methods that you want to enable for the new endpoint policy you just created. The MFA methods will be available to your end users as their login workflow experience.

    Set Login Workflow to any workflow that contains "MFA Method" in it; Username & Password | MFA Method works well for most organizations.

    Select the MFA methods. See Define the login workflow and multi-factor methods settings for the policy to learn more about these methods. The following image shows the available MFA methods for the Username & Password | MFA Method workflow.

    l4e_mfa_methods.png
  4. Click Save Policy to save your work.

  5. Optional: Set up dynamic IP blocking rules to define how and when to block IP addresses that repeatedly fail login attempts. This setting applies to all policies where the rule is enabled.

    Select the Blocking Rules tab. See Dynamic IP Blocking settings to learn more about rules.

    Be sure to save any changes you make.

Set up Login for Endpoints

Use the Endpoint Details page to set up communication between the Identity Platform and your endpoint. You will configure the endpoint authentication and access information. You will then use the Aux ID you set previously to enable communication between the Identity Platform authentication API and the endpoint.

  1. On the left side of the Identity Platform page, click Login for Endpoint, and click the Endpoint Details tab.

    l4e_open.png
  2. On the Endpoint Details screen, set up the endpoint. Click Add Endpoint on the upper right of the page.

    endpoint_details_2104.png
    1. Provide a name for the endpoint.

    2. Optional: Provide a description for the endpoint.

    3. Select the name of the policy you created previously.

    4. Select the data store for this endpoint.

    5. Select the user groups that can access this application. Hint: Admins typically select Allow every group in your selected data stores to access this application. Additionally, you can add specific user groups only; for example, to let a test group use it for a short time period before adding more or all groups.

    6. Set the OTP validation property to the Auxiliary (Aux) ID you set in Data store integrations.

      You must specify an Aux ID to communicate with the Identity Platform to validate one-time passcodes (OTPs) from email, phone calls, SMS, Helpdesk, and Notification Passcode.

    7. Click Save, located on the bottom, right side of the page. Do not close the page.

    8. At the bottom of the page, an API Configuration section appears.

      Copy the Application ID and Application key and save them in a secure location where you can find them when needed.

      You cannot retrieve these API credentials again. If you lose them, you can get new secret keys from this page.

      api_config.png

      You can ignore the Endpoint URL link (in the horizontal red box) for now.

    9. Close the screen.

  3. Click the Installer Configuration tab and click Add Configuration to open the Installer Configuration Details page. You can customize the end user login experience in the installer configuration.

  4. Set up the installer configuration for your operating system in the General Settings tab. Fill in the fields with names that match your OS.

    genl_settings_instal_config.png
    1. Add a name for the installer configuration. The name will be displayed in a list that could be long, depending on how many endpoints you set up, so be sure to make the name easy to identify.

    2. Select the endpoint you created on the Endpoint Details page. This connects the endpoint to communicate with the Identity Platform through the API.

    3. Set Allow self-signed certificate only in test or lab environments where the server uses a self-signed certificate. When set, all certificate validation is turned off: the HTTP client accepts self-signed certificates, expired certificates, certificates chaining to an untrusted root, certificates whose name does not match the host, and so on.

      Do not set this option in production. Without certificate validation, anyone who can intercept traffic between the endpoint and the Identity Platform can impersonate the Identity Platform: approve logins without the user's credentials being validated, and capture OATH seeds as they are delivered to the endpoint. If the option is set in production, a warning message informs you that it is enabled.

      After an endpoint is installed with this option set, it stays in effect until the endpoint is uninstalled and reinstalled with a configuration file in which the option is cleared.

    4. Set Install Login for Endpoint without connection to Identity Platform, for example, to allow a third-party company to configure machines for your end users. If the third-party company does not have connectivity to the Identity Platform, this option enables them to complete the configuration.

      When set, be sure to set Grace Period and specify the number of days for password-only login. (Grace Period is located in the Multi-Factor Methods tab.)

      Alternatively, to achieve the same results for self-service password reset (SSPR) without a connection to the Identity Platform:

      • Clear Grace Period.

      • Set Enable adaptive authentications.

      • Clear Logging in with physical access.

      • Clear Logging in via remote desktop protocol.

    5. Set the operating system to match your OS.

    6. Set the type of endpoint you are setting up.

  5. Customize the login experience for your end users in the Multi-Factor Methods tab.

    Click Next Step on the bottom right of the page.

    Existing customers might recognize the following options, which were set in the config.json file in previous releases.

    installer_config_mfa.png
    • Self-service password reset-only mode

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen.

      win_sspr.png

      Setting this option deactivates all other options on the page. If you want the Password Reset link plus all the Login for Windows features (MFA, adaptive engine, etc.), complete the following:

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        This option is located on the Personalization tab, in the Password Reset section.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

    • Ask for second-factor authentication when run as Administrator

      Available on Windows OS only

      When cleared, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will not be required to authenticate again.

      When set, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will be required to authenticate again.

    • Enable passwordless authentication

      Available on Windows OS only

      When set, end users can use a fingerprint reader to authenticate by using any enrolled fingerprint.

      This setting does not enable the second factor biometric identification available to end users through the SecureAuth Authenticate app. On Login for Windows and Login for Mac, see "Use fingerprint recognition on mobile" for instructions; on Login for Linux, see "Approve login notification for fingerprint recognition."

    • Enable offline authentications

      Set this option if you want end users to be able to authenticate when offline.

      SecureAuth uses OATH seeds to validate OATH-based methods (for example, TOTP, HOTP) when end users log in. Most use cases require SecureAuth to store OATH seeds; if seeds are not stored, end users will not be able to log in while offline. In a scenario where, for example, a server is always online, you might not want to cache the OATH seed, to prevent the seed from leaking or being stolen.

    • Enable adaptive authentications

      This setting works like the Adaptive Authentication settings in SecureAuth Identity Platform, which let you restrict admin and user logins in several ways, for example, by username, group, or IP address.

    • Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings

      Set this option to display a message that suggests end users authenticate for the first login by using an OATH-based method, such as TOTP, HOTP, etc. This ensures that they can log in when offline.

      Login for Endpoints requires end users to use one OATH-based method, if at least one method is available to end users. If at least one OATH-based method is not available to end users, they can use any other available method, but offline login will not be available.

    • Grace period

      Set this option to establish the number of days that end users can log into a machine with password-only.

      After end users set up their second-factor methods, they can dismiss the password-only login screen.

      For a detailed description with a use case, see "First login with password only."

    • Bypass interval

      When cleared, end users must authenticate with a second factor each time they log in.

      Set a custom duration in seconds; end users must authenticate with appropriate 2FA for their first log in, but won't need to authenticate again until the defined time period ends.

      For example, the time period is set for 32400 seconds (9 hours) and an end user logs out after working for 8.5 hours. That evening, the end user decides to log in and finish a few tasks. More than 9 hours have passed so the end user will need to authenticate with a second factor.

    • Logging in with physical access

      Login for Windows and Login for Mac: Set this option to require MFA when logging in by using the login screen with a workflow, such as Username | Password | 2FA; that is, not logging in remotely.

      Login for Linux: Set this option to allow a user to log into the same machine as a different user by using su or sudo.

    • Windows: Logging in via remote desktop protocol | Linux/Mac: Logging in via Remote Connection (SSH)

      Windows: Set this option to require multi-factor authentication when users log in via remote desktop protocol.

      Linux/Mac: Set this option to require multi-factor authentication when users log in through a remote console in a Secure Socket Shell (SSH) session.

    • Bypass Multi-factor Authentication when

      Set this option to allow users who need to log in as local admins to do so without being prompted for MFA.

      Users must belong to a local or domain group that you specify in the fill-in field. Add local users only to the local group. Group names are case sensitive and must match AD exactly. Because membership in this group removes the MFA requirement, treat the group as privileged: restrict who can add members to it and review its membership regularly.

      Login for Windows and Login for Mac: Both endpoints support the following syntax:

      • group name : For groups of the domain on which the machine is joined; for example, "BypassGroup"

        Note that group names must match Active Directory exactly.

      • domain\\groupname: For groups that are part of a specific domain; for example, "customerDomain\\BypassGroup"

      • .\\groupname: For local machine groups; for example, ".\\Administrators"

      Login for Linux: This endpoint supports the following syntax:

      • group name : For groups of the domain on which the machine is joined; for example, BypassGroup

        Note that group names must match Active Directory exactly.

      • group-name@group-domain: For remote groups, use this UPN format syntax; for example, BypassGroup@customerDomain.local

      • .\\groupname: For local machine groups; for example, .\\Administrators

  6. Personalize more of the user experience in the Personalization tab.

    Click Next Step on the bottom right of the page.

    personalization_tab.png
    • Customize error message

      Set this option to personalize the error message for end users who are locked out of their accounts. In the fill-in field, add your custom message, such as:

      For assistance, please contact Acme helpdesk at 949-555-1212, help@acmeco.com, or https://helpdesk.acmeco.com.

    • Request Timeout

      Set the timeout in seconds (30 by default) that Login for Endpoint waits for an HTTP request to the Identity Platform to complete. The endpoint closes the connection when the timeout is reached, which keeps end users from waiting indefinitely when the Identity Platform cannot be reached.

      For example, if the endpoint cannot contact the Identity Platform for any reason, it ends the network connection once the timeout value is reached; if no timeout is set, the endpoint keeps trying to reach the Identity Platform.

    • Auto add pre-logon access providers

      Available on Windows OS only

      Set this option to allow a pre-logon access provider so that end users can connect to VPN clients before logging into Login for Windows.

    • Hide retry options

      Available on Windows OS only

      Set this option to hide the button to retry the connection on the login screen when Login for Windows is offline.

    • Enable update password link on the login interface

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen. Be sure the following options are set up correctly:

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

    • Allow default operating system provider

      Available on Windows OS only

      Set this option to add the default credential provider to the login screen. This allows end users to log in by using a password and second factor with the SecureAuth credential provider, or by using only a password with the default credential provider.

      This option helps teams starting out with Login for Windows by giving end users a default credential provider to fall back on. Note that it also lets end users log in with a password alone and so bypass MFA, so treat it as a temporary onboarding setting rather than a permanent one.

    • Allow other credential providers

      Available on Windows OS only

      Set this option to specify whether credential providers other than SecureAuth's, such as card scanners, can be used. Be aware of the following, especially the first item:

      • This option is recommended only in test environments, to let testers bypass Login for Windows and access their machines readily.

      • Users will be able to log in without the Login for Windows credential provider and so potentially bypass multi-factor authentication.

      • Users will see their normal login prompt and must manually select a different login option to use Login for Windows.

  7. Save your changes.

    Saving creates a configuration file, which contains all the customizations that you set.

    config_file_list.png
  8. Download the configuration file, which you will need during installation. The configuration file must reside in the same folder as the installer file that you will download in Installation.

    Click the download icon (in the image above, the left icon in the red box). The downloaded file is called config.json.

    If you open the config.json file, it will look like the following image, depending on the OS you are using and the customizations you set:

    {
        "platform": "linux",
        "version": "v2",
        "conf_version": 6,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://endpoints.secureauth.com/SecureAuth7",
                "id": "6bc7baa94e8e4b168edc8f6da8932175",
                "secret": "c817e6d6e5f7475d8ff801922dbfac409c8d84a39aa9f6973bd5f4a3913bd2e7"
            }
        ],
        "access_level": 0
    }

    Note

    Change any of your customizations in the Installer Configuration Details pages, then complete step 8 again. Any change you make requires an updated config.json file downloaded to your installation folder.

    Do not edit the config.json file directly unless instructed by SecureAuth Support.

  9. Your Login for Endpoint is set up with the Identity Platform. You are now ready to install the endpoint.
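Because config.json carries the Application ID and key in clear text, and a handful of switches in it (allow_self_signed, group_bypass, store_seeds) directly weaken the endpoint if set wrong, it is worth checking the file before it is copied next to the MSI. The following Python script is an added example written for this guide, not SecureAuth code. It reads the config.json layout shown above, applies the bypass-group syntax described under "Bypass Multi-factor Authentication when", and flags the settings this guide warns about. The severity labels, the assumption that the Application ID and key have the 32- and 64-hex-character shape of the sample above, and the two embedded sample configurations (constructed, reusing the host, ID and key from the sample above) are assumptions made for this example.

```python
"""Audit a Login for Endpoints config.json before installation (added example)."""
import json
import re
import sys
from typing import List, Tuple

# Windows/Mac bypass-group syntax from this guide:
#   BypassGroup, domain\BypassGroup, .\Administrators
# json.loads() turns the doubled backslash in the file into a single one.
WIN_GROUP_RE = re.compile(r'^(?:\.\\|[A-Za-z0-9._-]+\\)?[^\\/\[\]:;|=,+*?<>"]+$')
# Assumed shapes, taken from the sample values in this guide.
APP_ID_RE = re.compile(r"^[0-9a-f]{32}$")
APP_KEY_RE = re.compile(r"^[0-9a-f]{64}$")

Finding = Tuple[str, str]  # (severity, message); the severity labels are this example's own


def audit_config(text: str) -> List[Finding]:
    """Return the findings for one config.json; an empty list means nothing to flag."""
    cfg = json.loads(text)
    findings: List[Finding] = []

    if cfg.get("allow_self_signed"):
        findings.append(("CRITICAL", "allow_self_signed is true: TLS validation is off, "
                         "and it stays off until the endpoint is uninstalled and reinstalled"))

    for api in cfg.get("apis", []):
        host = api.get("host", "")
        if not host.startswith("https://"):
            findings.append(("CRITICAL", f"API host is not https: {host!r}"))
        if not APP_ID_RE.match(api.get("id", "")):
            findings.append(("WARN", "Application ID does not match the expected 32-hex-char shape"))
        if not APP_KEY_RE.match(api.get("secret", "")):
            findings.append(("WARN", "Application key does not match the expected 64-hex-char shape"))

    groups = cfg.get("group_bypass", [])
    for group in groups:
        if not WIN_GROUP_RE.match(group):
            findings.append(("ERROR", f"group_bypass entry has unrecognised syntax: {group!r}"))
    if groups:
        findings.append(("INFO", f"{len(groups)} MFA bypass group(s): anyone who can add members "
                         "to these groups can switch MFA off for those accounts"))

    if not cfg.get("adaptive_enabled"):
        findings.append(("WARN", "adaptive_enabled is false: policy blocking rules are not applied"))
    if not cfg.get("store_seeds"):
        findings.append(("INFO", "store_seeds is false: OATH seeds are not cached, so offline login is unavailable"))
    if cfg.get("install_without_idp"):
        findings.append(("INFO", "install_without_idp is true: make sure Grace Period is set in the portal"))
    timeout = cfg.get("request_timeout", 30)
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append(("ERROR", f"request_timeout must be a positive number of seconds, got {timeout!r}"))
    return findings


def redacted(text: str) -> str:
    """Copy of the config that is safe to paste into a ticket: the Application key is masked."""
    cfg = json.loads(text)
    for api in cfg.get("apis", []):
        secret = api.get("secret", "")
        api["secret"] = secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "***"
    return json.dumps(cfg, indent=4)


# Constructed samples; the host, ID and key are the sample values from this guide.
PROD_CONFIG = r"""{
    "platform": "windows", "version": "v2", "conf_version": 6,
    "allow_self_signed": false, "adaptive_enabled": true, "group_bypass": [],
    "store_seeds": true, "custom_error_message": "", "install_without_idp": false,
    "suggest_first_login": false, "request_timeout": 30,
    "apis": [{"host": "https://endpoints.secureauth.com/SecureAuth7",
              "id": "6bc7baa94e8e4b168edc8f6da8932175",
              "secret": "c817e6d6e5f7475d8ff801922dbfac409c8d84a39aa9f6973bd5f4a3913bd2e7"}],
    "access_level": 0
}"""
# Same file with two mistakes: TLS validation disabled, and a bypass group written with a slash.
LAB_CONFIG = PROD_CONFIG.replace('"allow_self_signed": false', '"allow_self_signed": true') \
    .replace('"group_bypass": []', r'"group_bypass": [".\\Administrators", "corp/BypassGroup"]')

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else LAB_CONFIG
    for severity, message in audit_config(data):
        print(f"{severity:8} {message}")
```

Run it as `python audit_config.py C:\Temp\config.json` on the file you downloaded; with no argument it audits the embedded lab sample. A clean production file produces no output. The `redacted()` helper exists because the Application key is a bearer credential for the endpoint API: if a config.json has to be shared for troubleshooting, share the masked copy.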

Pre-installation steps

Use the following settings to customize the Login for Windows experience.

Optional: Integrate the pre-login assessment service

Set up the pre-login assessment service to create a questionnaire that you can integrate with the Identity Platform and Login for Windows. End users will then see the questionnaire and provide answers prior to logging into Login for Windows.

Set up this option by completing the following instructions in the Login for Windows v20.09.01 configuration guide:

Installation and upgrade steps

The following sections describe how to upgrade and install Login for Windows.

Upgrade Login for Windows

Login for Windows supports upgrading from version 1.0.4 to 21.04.xx without uninstalling the previous version first.

  • Upgrading from version 1.0.3 to 21.04.xx is supported, but the cache is cleared. After the upgrade, the first available second factor is selected by default instead of the second factor the user last used.

  • Upgrading from version 1.0.2: first uninstall Login for Windows, then install 21.04.xx. Upgrading from versions earlier than 1.0.2 to 21.04.xx is not supported.

  • If end users are using the SecureAuth Credential Provider and the admin upgrades to a later version of Login for Windows, end users do not need to uninstall the SecureAuth Credential Provider before installing Login for Windows.

Download and run the Login for Windows MSI package
  1. Download the Login for Windows .zip file to the target machine (laptop, desktop, server, etc.).

  2. Unzip the file.

  3. Within the Login for Windows folder, find the .msi file for your machine, either SecureAuthLogin-21.04.00-x64.msi or SecureAuthLogin-21.04.00-x86.msi. Place the file in the Temp folder.

Install Login for Windows

Important

On a Windows server, SecureAuth Login for Windows should be installed or uninstalled only from a console session and not an RDP session.

  1. Find the config.json file you downloaded at the end of the "Identity Platform and Login for Endpoints configuration" section of this document, and copy that file to the Temp folder on the target machine.

  2. On the target machine, run the following command line with administrator permissions, using the file name of your .msi file and correct path of that file on your machine, as in this example:

    msiexec /i "C:\Temp\SecureAuthLogin-21.04.00-x64.msi" /L*V "C:\Temp\install.log" /qn CONFIG="C:\Temp\config.json"
  3. Log off the target machine.

    After this installation, SecureAuth Login for Windows appears on the next login session.

    Notes:

    • If using Login for Windows in a PCI environment, see Login for Windows SSL configuration requirements if Login for Windows is not installing on a machine.

    • If reinstalling Login for Windows immediately after uninstalling the software, the "Failed to write configuration" message will appear if the installer is not finished performing cleanup tasks, such as removing the C:\ProgramData\SecureAuth directory.

SecureAuth Identity Platform transaction log information

Login for Windows sends a User-Agent HTTP request header with every API call it makes to the SecureAuth Identity Platform. The User-Agent string includes the following items:

  • Login for Windows software version

  • OS version

  • Computer name (hostname)

  • Time Zone

  • IP address

  • MAC address

For example:

   SecureAuth Login for Windows 21.04.00 (Windows 10 Pro x64 6.2.9200; LT-JSMITH; (UTC-05:00) Eastern Standard Time; 111.22.33.44; 0f:10:35:7a:81:4e)
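Because the User-Agent is where the transaction log records which machine and which client version a login came from, being able to pull it apart is useful when reviewing logs. The following Python parser is an added example written for this guide, not SecureAuth code. It follows the User-Agent layout shown above; the log line layout it assumes (timestamp, username, connection source IP, quoted User-Agent) and the sample lines embedded in it are constructed for the example and are not the Identity Platform's actual log format. Everything inside the User-Agent is supplied by the endpoint, so treat the hostname, IP address and MAC address as reporting hints rather than proof of identity.

```python
"""Parse the Login for Windows User-Agent out of transaction log lines (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# User-Agent layout from this guide:
#   SecureAuth Login for Windows <ver> (<os>; <host>; <time zone>; <ip>; <mac>)
UA_RE = re.compile(r"^SecureAuth Login for Windows (?P<version>\d+(?:\.\d+)*) \((?P<fields>.*)\)$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
# Assumed log line shape (not from the guide): timestamp, user, connection source IP, quoted User-Agent.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) "(?P<ua>[^"]*)"$')


def parse_user_agent(ua: str) -> Optional[Dict[str, object]]:
    """Split the User-Agent into its fields; None if it is not a Login for Windows string."""
    m = UA_RE.match(ua)
    if not m:
        return None
    # Split from the left into exactly five pieces, so a stray ';' in the last field
    # (the MAC) stays in that field and is reported instead of shifting every field.
    parts = [p.strip() for p in m.group("fields").split(";", 4)]
    if len(parts) != 5:
        return None
    os_name, host, tz, ip, mac = parts
    try:
        ipaddress.ip_address(ip)
        ip_valid = True
    except ValueError:
        ip_valid = False
    return {"version": m.group("version"), "os": os_name, "host": host, "tz": tz,
            "ip": ip, "ip_valid": ip_valid, "mac": mac, "mac_valid": bool(MAC_RE.match(mac))}


def version_key(version: str) -> tuple:
    """'21.04.00' -> (21, 4, 0), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def review(lines: List[str], minimum_version: str = "21.04.00") -> List[Dict[str, object]]:
    """Return one finding per log line that deserves a second look."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            findings.append({"user": None, "issues": ["log line does not match the expected layout"]})
            continue
        ua = parse_user_agent(lm.group("ua"))
        if ua is None:
            findings.append({"user": lm.group("user"),
                             "issues": ["User-Agent is not from Login for Windows"]})
            continue
        issues = []
        if version_key(str(ua["version"])) < version_key(minimum_version):
            issues.append(f"client {ua['version']} is older than {minimum_version}")
        if not ua["ip_valid"]:
            issues.append(f"client-reported IP is not a valid address: {ua['ip']!r}")
        if not ua["mac_valid"]:
            issues.append(f"client-reported MAC is malformed: {ua['mac']!r}")
        # A private client address differing from the connection source is normal (NAT, VPN);
        # a public one that differs is worth a look.
        if (ua["ip_valid"] and ua["ip"] != lm.group("src")
                and not ipaddress.ip_address(str(ua["ip"])).is_private):
            issues.append(f"client reports public IP {ua['ip']} but connected from {lm.group('src')}")
        if issues:
            findings.append({"user": lm.group("user"), "host": ua["host"], "issues": issues})
    return findings


# Constructed sample lines; users, hosts and addresses are made up.
SAMPLE_LOG = [
    '2021-04-30T13:02:11Z jsmith 203.0.113.10 "SecureAuth Login for Windows 21.04.00 '
    '(Windows 10 Pro x64 6.2.9200; LT-JSMITH; (UTC-05:00) Eastern Standard Time; 10.1.2.34; 0f:10:35:7a:81:4e)"',
    '2021-04-30T13:05:40Z asmith 203.0.113.11 "SecureAuth Login for Windows 20.09.01 '
    '(Windows 10 Pro x64 6.2.9200; LT-ASMITH; (UTC-05:00) Eastern Standard Time; 10.1.2.35; 0f:10;35:7a:81:4f)"',
    '2021-04-30T13:07:02Z svc-backup 203.0.113.12 "Mozilla/5.0 (compatible)"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding["user"], "->", "; ".join(finding["issues"]))
```

On the sample lines the first login is clean, the second is flagged for an old client and a MAC written with a semicolon, and the third is flagged because something other than Login for Windows called the endpoint API as that user. Adapt `LOG_RE` to the actual layout of your exported transaction log before using this on real data.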
Login for Windows error logs

Logs are written to the following locations.

  • Information related to installation is written in the install.log file:

    %temp%\install.log
    
  • Information related to logging in is written in the login.log file:

    C:\ProgramData\SecureAuth\login.log
    

The login.log log file displays system information, such as the type and version of the operating system, the version of Login for Windows your organization is running, and more as shown in the following image:

60562968.png

After you view the login.log file, then connect later through RDP, you might see what look like inconsistencies because the log file will have new start lines and threads. This is expected behavior because connecting through RDP causes new instances of the credential provider to be created, which causes the new start lines and threads.

Uninstallation

On the target machine, run the following command line with administrator permissions, using the file name of your .msi file and correct path of that file on your machine:

   msiexec /x "<msi>" /L*V "uninstall.log" /qn

Alternatively, you can manually uninstall using the Windows "Programs and Features" menu.

The uninstaller does not remove the log files; use them to troubleshoot any issues with the uninstallation. After you have worked through any issues, you can delete the log files.

End user login experience on Windows 10

Important

  • If using a proxy that becomes unavailable, Login for Windows behaves as if it is offline. This issue might impact laptop users who connect their laptops to networks in which the proxy is unavailable.

First login with password only

End users can log in without second-factor authentication for the number of days set by the administrator in the Grace Period option. This allows end users to log in with a password only (without using second-factor authentication), and typically occurs after the Login for Windows installation. End users can then access their device to set up their two-factor authentication methods, such as push-to-accept and answers to Security Questions, before they must authenticate to access their device.

Use case: Password-only login is useful for new employees who have been issued a laptop on their first day of employment. For example, if Login for Windows is already installed on the laptops and the admin has not set the Grace Period option, new employees might not be able to log into their computer if they cannot connect to the SecureAuth Identity Platform realm to register their mobile phone, or to the self-service page to enter a phone number.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users who want to log in with a password only enter their password in the field next to number 1. After end users set up their second-factor methods, they are ready to authenticate so they click the message next to number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

60575563.png

Login without connection to Identity Platform

End users can log in when their machine does not have a connection to the Identity Platform if the Install Login for Endpoint without connection to Identity Platform and Grace Period options are set. This allows end users to log in with a password only (without using second-factor authentication).

Use case: Password-only login is useful if a third-party company configures machines for end users and the third-party company does not have connectivity to the Identity Platform. For example, if Login for Windows is installed on machines by a third-party without a connection to the Identity Platform, and the admin has not set the Install Login for Endpoint without connection to Identity Platform and Grace Period options, when new employees get their machine, they will not be able to log in.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users whose machines are not connected to the Identity Platform should contact the admin first so they can copy the message next to number 1 and send it to their admin. End users can then log in with a password only in the field next to number 2. After the machine connects to the Identity Platform, the 2FA login screen opens for end users so they can set up their second-factor methods and log in.

69107827.png

Login with VPN client

If you have VPN clients and you enabled a pre-logon access provider by setting the Auto add pre-logon access providers option, end users can connect to your VPN server before logging into Login for Windows. How often end users must log into the VPN client depends on settings made by the administrator. When end users log into their machine, they first select the VPN login icon, called Network sign-in, which is shown in the following image surrounded by a red box:

69107756.png

End users can then authenticate with Login for Windows.

First-time login experience

If the administrator has set up a mandatory questionnaire for your organization to fill out prior to logging into Login for Windows, you will log in with a username and then you will be redirected to the questionnaire. After you fill out the questionnaire and submit it, close the browser to display the second-factor authentication screen.

Note that if different end users log into the same machine by using Other User, the Windows Credential Provider requires the end user who has just answered the questionnaire to complete an extra step before logging in. The following describes the workflow for this scenario:

  • David logs off the workstation.

  • Maria sits at the same workstation, clicks Other User, and enters her username. Maria sees the "Additional information required" message, clicks the link, and fills out the questionnaire. She submits the form and closes the browser.

  • Maria sees the login screen for David. She must click Other User again, enter her username again, then she will see the 2FA screen where she can enter her password and MFA option to log in.

  1. Enter your username on the Windows login screen.

    To authenticate by using a different primary credential provider, see Allow other credential providers.

    The first time end users log in, Login for Windows shows only OATH-based methods (for example, TOTP, or HOTP from a YubiKey) if at least one such method is available to the end user. If no OATH-based method is available, end users can use any other available method. OATH-based methods include the SecureAuth Authenticate app on your mobile device and other devices provisioned with the SecureAuth Identity Platform realm to supply timed passcodes, such as an HOTP YubiKey.

    If end users need to log in when their machine is offline, they must choose an OATH-based method during the first login. After end users select a timed authentication option and enter their password, the TOTP and HOTP passcode options will be available for them to use when logging on to the machine offline.

    End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on the machine offline, any OATH-based method that was used online will be available for use.

    If you do not have an authentication method that provides a timed passcode, then select any other option available to you.

    End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

    You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login notification on mobile" option; if "Symbol-to-Accept" is set, end users will see the "Passcode from Symbol-to-Accept" option in place of the "Approve login notification on mobile" option on the login dropdown. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

    l4l_all_factors.png

    If you are authenticating through a different primary credential provider (that is, not the SecureAuth credential provider), you will see the login screen offered by that credential provider. That primary credential provider supports offline mode, for end users who need to log in when their machine is offline.

    The following image shows an example of a login screen, but yours will look different.

    58065869.png

    1. Sign in.

      The image shows two sign-in options, a Microsoft credential provider (the key icon) and a Microsoft Smart Card credential provider (the card icon). To sign in, click the icon for your preferred method. If your site offers only one kind of sign-in option, only that option is displayed.

      Additionally, if you can sign in as "Other user", a multi-user credential login provided by that credential provider will be displayed. After specifying who you are, click the Sign-in options link to choose which multi-user credential you want to use to sign in.

    2. You have completed your authentication login process. You can disregard the remaining end user steps in this section and in "Subsequent login experience." Your login experience will remain the same as the one provided by your primary credential provider.

    3. Notice the placement of the Password Reset icon on the lower left. To update your password, click the icon. Login for Windows is the password reset credential provider, and requires online network access.

  2. Show or hide the passcode so that, as you type, you see characters instead of dots.

    1. Focus on the passcode field and enter characters to see the following "eye" icon displayed.

      58065915.png

    2. Click the icon and hold it until the dots in the field turn to characters.

    3. To hide the passcode, click and hold the icon until the characters turn to dots.

Fields and instructions

58065881.png

Timed passcode from app

This method and "Passcode from token" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on Login for Windows with your Windows password.

  2. If there is more than one provisioned OATH OTP app, select the device.

    If you have enrolled more than one device to accept OATH OTP passcodes, select the device to send the passcode to.

  3. Click the arrow to log on Windows.

58065932.png

Passcode from voice call

  1. Log on Login for Windows with your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to log on Windows.

58065927.png

Passcode from SMS / text

  1. Log on Login for Windows with your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to log on Windows.

l4w_l2a_text.png

Link from text

  1. Log on Login for Windows with your Windows password.

  2. Select the phone number if more than one number is included in your user profile.

  3. Click the link on your phone to log on Windows.

  4. Click the arrow to log on Windows.

58065933.png

Passcode from email

  1. Log on Login for Windows with your Windows password.

  2. Select the email address if more than one address is included in your user profile.

  3. Click the arrow to log on Windows.

l4w_l2a_email.png

Link from email

  1. Log on Login for Windows with your Windows password.

  2. Select the email address if more than one address is included in your user profile.

  3. Click the link in your email to log on Windows.

  4. Click the arrow to log on Windows.

58065936.png

Passcode from notification

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to log on Windows.

58065937.png

Approve login notification on mobile

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to log on Windows.

l4w_pin.png

Enter PIN

  1. Log on Login for Windows with your Windows password.

  2. Enter your predefined personal identification number.

  3. Click the arrow to log on Windows.

58065929.png

Contact help desk for passcode

  1. Log on Login for Windows with your Windows password.

  2. Select the phone number to use for contacting the help desk.

  3. Click the arrow to log on Windows.

58065879.png

Passcode from token

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on Login for Windows with your Windows password.

  2. If there is more than one provisioned token, select the device on which the provisioned SecureAuth passcode app is stored.

    If you have enrolled more than one token to accept passcodes, select the token to send the passcode to.

    To find your YubiKey version, see Identifying Your YubiKey on the Yubico website.

  3. Click the arrow to log on Windows.

58065995.png

Passcode from YubiKey

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on Login for Windows with your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on Windows.

58065970.png

Use passwordless as first factor

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

End users must have a fingerprint reader installed on their computer and must enroll at least one fingerprint to use passwordless as a first factor.

For this option:

  1. Log on Login for Windows with your Windows password.

    If offline, end users can choose an OATH-based method they used when online.

  2. The SecureAuth Fingerprint Recognition Setup screen opens so end users can enroll the fingerprints they want to use.

    Thereafter, to add or remove fingerprints, open the enrollment app: Start menu > SecureAuth > Fingerprint Enrollment

    Instructions for enrolling fingerprints are in the SecureAuth Onboarding Toolkit, in the SecureAuth End User Experience document; see Preparing end users for 2FA log in.

  3. Log out.

  4. Log on Login for Windows with a password.

  5. In subsequent logins, end users can use an enrolled fingerprint (without a password) to authenticate.

End users with external fingerprint readers should not disconnect the reader from their computer before logging out; doing so will cause an error to be displayed: Fingerprint data not found. The error is an "unknown identity" signal that the reader sends to the driver; however, the fingerprint data will be found when the reader is connected to the same computer.

58065946.png

Use fingerprint recognition on mobile

End users must use the Authenticate mobile app to use fingerprint recognition. For this option:

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile phone on which the provisioned SecureAuth Authenticate app is installed to send a request to the mobile app.

  3. Provide a fingerprint on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the fingerprint information and you are authenticated.

  5. Click the arrow to log on Windows.

58065945.png

Use face recognition on mobile

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones. For this option:

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate mobile app is installed to send a request to the mobile app.

  3. Show your face on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the face information and you are authenticated.

  5. Click the arrow to log on Windows.

Subsequent login experience

When logging on the same machine in subsequent sessions, the Login for Windows page includes a selection of all multi-factor authentication methods for which you enrolled.

Note

The login screen defaults to the authentication method used in the last login session.

To show characters as you type a passcode instead of seeing dots, refer to step 2.

You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login" icon; if "Symbol-to-Accept" is set, end users will see the "Symbol-to-Accept" icon in place of the "Approve login" icon on the login screen. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

l4w_all_factors_icons.png

Sign-in option icons, fields, and instructions

58065943.jpg
58065942.png

Answers to Security questions

  1. Answer both questions with your predefined answers. You must answer both questions.

  2. Click the arrow to log on Windows.

58065979.jpg

Single user credential:

58065941.png

Multiple user credential:

58065881.png

Timed passcode from app

  1. Log on Login for Windows with a password.

  2. In the Enter passcode field, enter the OATH OTP from your One-time Passcode app.

    If online, end users with multiple mobile devices enrolled can choose any MFA method available, including multiple mobile devices. (End users with multiple provisioned mobile devices will have the extra step of selecting the appropriate mobile device.)

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on Windows.

58065981.jpg
58065928.png

Contact help desk for passcode

  1. Enter the passcode received by contacting the help desk.

  2. Click the arrow to log on Windows.

58065978.jpg
58065938.png

Approve login notification on mobile

  1. Accept the login notification sent to the SecureAuth Authenticate app on your mobile device.

  2. Access Windows.

58065977.jpg
58065935.png

Passcode from notification

  1. Enter the passcode sent to the SecureAuth Authenticate app on your mobile device.

  2. Click the arrow to log on Windows.

58065976.jpg
58065934.png

Passcode from email

  1. Enter the passcode sent to your email address.

  2. Click the arrow to log on Windows.

l4w_l2a_email_icon.png
l4w_l2a_email_multi.png

Passcode from email link-to-accept

  1. Log on Login for Windows with your Windows password.

  2. Click the link sent to your email address.

  3. Click the arrow to log on Windows.

58065975.jpg
58065930.png

Passcode from voice call

  1. Enter the passcode received by a voice call to your mobile phone.

  2. Click the arrow to log on Windows.

58065974.jpg
58065931.png

Passcode from SMS / text

  1. Enter the passcode sent via SMS to your mobile phone.

  2. Click the arrow to log on Windows.

l4w_l2a_text_icon.png
l4w_l2a_text_multi.png

Passcode from SMS/text link-to-accept

  1. Log on Login for Windows with your Windows password.

  2. Tap the passcode sent via SMS to your mobile phone.

  3. Click the arrow to log on Windows.

58065984.png
58065947.png

Passcode from symbol-to-accept

End users must use the Authenticate mobile app to receive symbols.

  1. Receive the set of 4 symbols sent to the Authenticate mobile app on your mobile device.

  2. One symbol will display on your Windows desktop or laptop.

  3. On the Authenticate mobile app, tap the symbol that matches the one displayed on your desktop or laptop.

58065980.jpg

Single user credential:

58065880.png

Multiple user credential:

58065879.png

Passcode from token

  1. Log on Login for Windows with your Windows password.

  2. Plug in the token and tap or press it to receive a passcode from the device.

    If online, end users with multiple tokens enrolled can choose any MFA method available, including multiple tokens. (End users with multiple provisioned tokens will have the extra step of selecting the appropriate token.)

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on Windows.

l4w_pin_icon.png
l4w_pin_multi.png

Passcode from PIN

  1. Log on Login for Windows with your Windows password.

  2. Enter your predefined personal identification number.

  3. Click the arrow to log on Windows.

58065980.jpg
58065973.png

Passcode from YubiKey

  1. Log on Login for Windows with your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on Windows.

58065948.png

Single user credential:

58065946.png

Multiple user credential:

58065951.png

Use fingerprint recognition on mobile

End users must use the Authenticate mobile app to use fingerprint recognition.

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile phone on which the provisioned SecureAuth Authenticate app is installed to send a request to the mobile app.

  3. Provide a fingerprint on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the fingerprint information and you are authenticated.

  5. Click the arrow to log on Windows.

58065949.png

Single user credential:

58065945.png

Multiple user credential:

58065950.png

Use face recognition on mobile

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones.

  1. Log on Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate mobile app is installed to send a request to the mobile app.

  3. Show your face on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the face information and you are authenticated.

  5. Click the arrow to log on Windows.

Admin login experience

Login for Windows requires you to enter a multi-factor authentication method when you log in to a privileged account as an administrator (with "Run as administrator") on the same machine used to log into a regular user account. See the options by right-clicking over an executable.

58065886.png

Select one of the options and then enter the admin password.

58065939.png

Note

Users with access to privileged accounts are not prompted for additional MFA when logging into their normal user accounts; however, it is possible to configure UAC policies to prompt administrators for password or MFA when they log into their normal user accounts. See UAC - Require a Password for Administrator.

To show characters as you type a passcode instead of seeing dots, click and hold the "eye" icon to the right of the characters.

Troubleshooting

Use the topics in this section to help you problem-solve.

Admin needs to view logs in Event Viewer

End users receive a message that Login for Windows encountered an error and are guided to try a different login method. Admins are guided to check the Event Viewer. The following steps describe how to open the Event Viewer to read the event logs.

  1. In the Windows Search bar, type eventvwr.msc.

  2. Open the Application folder. In Windows Logs > Application, select Filter Current Log, as shown in the following image.

    60569801.png

  3. In the Filter screen, in the Event sources field, type LoginForWindows.

    60569800.png

  4. View the event information to troubleshoot the issue, as shown in the following example.

    To export information, for example, to send to SecureAuth Support, click Save Filtered Log File As.

    60569798.png
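The same filter and export can be done from PowerShell, shown here as an added example that is not part of SecureAuth's tooling. It assumes, as the steps above state, that Login for Windows writes to the Application log under the event source name LoginForWindows; the output folder and the number of events to pull are placeholders to adjust.

```powershell
# Added example (not SecureAuth's code): pull the Login for Windows events that
# the Event Viewer steps above filter on, triage them on screen, and export them
# for a support ticket. Assumptions: Application log, source name "LoginForWindows".

param(
    [int]$MaxEvents = 50,                       # placeholder: how many recent events to pull
    [string]$OutDir = "$env:TEMP\l4w-events"   # placeholder: where to write the exports
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Equivalent of Windows Logs > Application > Filter Current Log > Event sources = LoginForWindows.
# Get-WinEvent reports "no events found" as an error, so catch it rather than fail noisily.
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'LoginForWindows' } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    Write-Warning "No LoginForWindows events found in the Application log: $($_.Exception.Message)"
    return
}

# Quick on-screen triage: newest first, level and the first line of each message.
$events | Select-Object TimeCreated, Id, LevelDisplayName,
    @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# CSV keeps the rendered text for reading; the .evtx keeps the raw records and is
# the scripted equivalent of "Save Filtered Log File As" in Event Viewer.
$events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $OutDir 'LoginForWindows.csv') -NoTypeInformation

$query = "*[System[Provider[@Name='LoginForWindows']]]"
wevtutil epl Application (Join-Path $OutDir 'LoginForWindows.evtx') "/q:$query" /ow:true
```

Reading the Application log does not need an elevated prompt, so the script can run under the end user's own account when an admin is walking them through the problem; the .evtx export preserves the event XML that Support may ask for, which the CSV does not.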