
End user login experience on Windows 10

This topic describes in detail the Login for Windows experience for your end users to help you decide what configurations are best for your organization.

Important

  • If Login for Windows uses a proxy and that proxy becomes unavailable, Login for Windows behaves as if it is offline. This can affect laptop users who connect their laptops to networks where the proxy is unreachable.

First login with password only

End users can log in without second-factor authentication for the number of days set by the administrator in the Grace Period option. This allows end users to log in with a password only (without using second-factor authentication), and typically occurs after the Login for Windows installation. End users can then access their device to set up their two-factor authentication methods, such as push-to-accept and answers to Security Questions, before they must authenticate to access their device.

Use case: Password-only login is useful for one or more new employees who have been issued a laptop on their first day of employment. For example, if Login for Windows is already installed on the laptops and the admin has not set the Grace Period option, new employees might not be able to log into their computer if they cannot connect to the SecureAuth Identity Platform realm to register their mobile phone or self-service page to enter a phone number.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users who want to log in with a password only enter their password in the field next to number 1. After end users set up their second-factor methods, they are ready to authenticate so they click the message next to number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

60575563.png

Login without connection to Identity Platform

End users can log in when their machine does not have a connection to the Identity Platform if the Install Login for Endpoint without connection to Identity Platform and Grace Period options are set. This allows end users to log in with a password only (without using second-factor authentication).

Use case: Password-only login is useful if a third-party company configures machines for end users and the third-party company does not have connectivity to the Identity Platform. For example, if Login for Windows is installed on machines by a third-party without a connection to the Identity Platform, and the admin has not set the Install Login for Endpoint without connection to Identity Platform and Grace Period options, when new employees get their machine, they will not be able to log in.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users whose machines are not connected to the Identity Platform should contact the admin first so they can copy the message next to number 1 and send it to their admin. End users can then log in with a password only in the field next to number 2. After the machine connects to the Identity Platform, the 2FA login screen opens for end users so they can set up their second-factor methods and log in.

69107827.png

Login with VPN client

If you have VPN clients and you enabled a pre-logon access provider by setting the Auto add pre-logon access providers option, end users can connect to your VPN server before logging in to Login for Windows. How often end users must log in to the VPN client depends on settings configured by the administrator. When end users log in to their machine, they first select the VPN login icon, called Network sign-in, which is shown in the following image surrounded by a red box:

69107756.png

End users can then authenticate with Login for Windows.

First-time login experience

If the administrator has set up a mandatory questionnaire for your organization to fill out before logging in to Login for Windows, you log in with a username and are then redirected to the questionnaire. After you fill out and submit the questionnaire, close the browser to display the second-factor authentication screen.

Note that if different end users log into the same machine by using Other User, the Windows Credential Provider causes the end user that has answered the questionnaire to complete an extra step before logging in. The following describes the workflow for this scenario:

  • David logs off the workstation.

  • Maria sits at the same workstation, clicks Other User, and enters her username. Maria sees the "Additional information required" message, clicks the link, and fills out the questionnaire. She submits the form and closes the browser.

  • Maria sees the login screen for David. She must click Other User again, enter her username again, then she will see the 2FA screen where she can enter her password and MFA option to log in.

  1. Enter your username on the Windows login screen.

    To authenticate by using a different primary credential provider, see the Allow other credential providers setting on the Personalization tab of the Login for Endpoints installer configuration in Configure Identity Platform and Login for Endpoints.

    The first time end users log in, Login for Windows shows only OATH-based methods (for example, TOTP or HOTP YubiKey) if at least one such method is available to the end user. If no OATH-based method is available, end users can use any other available method. This could be a method that uses the SecureAuth Authenticate app on your mobile device, or another device provisioned with the SecureAuth Identity Platform realm to supply timed passcodes, such as an HOTP YubiKey.

    If end users need to log in when their machine is offline, they must choose an OATH-based method during the first login. After end users select a timed authentication option and enter their password, the TOTP and HOTP passcode options are available to them when logging on to the machine offline.

    End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on to the machine offline, any OATH-based method that was used online is available for use.

    If you do not have an authentication method that provides a timed passcode, then select any other option available to you.

    End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

    You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login notification on mobile" option; if "Symbol-to-Accept" is set, end users will see the "Passcode from Symbol-to-Accept" option in place of the "Approve login notification on mobile" option on the login dropdown. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

    l4l_all_factors.png

    If you are authenticating through a different primary credential provider (that is, not the SecureAuth credential provider), you will see the login screen offered by that credential provider. The different primary credential provider supports offline mode for end users who need to log in when their machine is offline.

    The following image shows an example of a login screen, but yours will look different.

    58065869.png
    1. Sign in.

      The image shows two sign-in options: a Microsoft credential provider (the key icon) and a Microsoft Smart Card credential provider (the card icon). To sign in, click the icon for your preferred method. If your site offers only one kind of sign-in option, only that option is displayed for you to sign in with.

      Additionally, if you can sign in as "Other user", a multi-user credential login provided by that credential provider will be displayed. After specifying who you are, click the Sign-in options link to choose which multi-user credential you want to use to sign in.

    2. You have completed your authentication login process. You can disregard the remaining end user steps in this section and in "Subsequent login experience." Your login experience will remain the same as the one provided by your primary credential provider.

    3. Notice the placement of the Password Reset icon on the lower left. To update your password, click the icon. Login for Windows is the password reset credential provider, and requires online network access.

  2. Show or hide the passcode so that, as you type, you see characters instead of dots.

    1. Focus on the passcode field and enter characters to see the following "eye" icon displayed.

      58065915.png
    2. Click the icon and hold it until the dots in the field turn to characters.

    3. To hide the passcode, click and hold the icon until the characters turn to dots.

Fields (images) and instructions for each authentication method:

58065881.png

Timed passcode from app

This method and "Passcode from token" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on to Login for Windows with your Windows password.

  2. If more than one OATH OTP app is provisioned, select the device.

    If you have enrolled more than one device to accept OATH OTP passcodes, select the device to send the passcode to.

  3. Click the arrow to log on to Windows.

58065932.png

Passcode from voice call

  1. Log on to Login for Windows with your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to log on to Windows.

58065927.png

Passcode from SMS / text

  1. Log on to Login for Windows with your Windows password.

  2. Select the phone number if more than one mobile phone is included in your user profile.

  3. Click the arrow to log on to Windows.

l4w_l2a_text.png

Link from text

  1. Log on to Login for Windows with your Windows password.

  2. Select the phone number if more than one number is included in your user profile.

  3. Click the link on your phone to log on to Windows.

  4. Click the arrow to log on to Windows.

58065933.png

Passcode from email

  1. Log on to Login for Windows with your Windows password.

  2. Select the email address if more than one address is included in your user profile.

  3. Click the arrow to log on to Windows.

l4w_l2a_email.png

Link from email

  1. Log on to Login for Windows with your Windows password.

  2. Select the email address if more than one address is included in your user profile.

  3. Click the link in your email to log on to Windows.

  4. Click the arrow to log on to Windows.

58065936.png

Passcode from notification

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to log on to Windows.

58065937.png

Approve login notification on mobile

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

  3. Click the arrow to log on to Windows.

l4w_pin.png

Enter PIN

  1. Log on to Login for Windows with your Windows password.

  2. Enter your predefined personal identification number.

  3. Click the arrow to log on to Windows.

58065929.png

Contact help desk for passcode

  1. Log on to Login for Windows with your Windows password.

  2. Select the phone number to use for contacting the help desk.

  3. Click the arrow to log on to Windows.

58065879.png

Passcode from token

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on to Login for Windows with your Windows password.

  2. If there is more than one provisioned token, select the device on which the provisioned SecureAuth passcode app is stored.

    If you have enrolled more than one token to accept passcodes, select the token to send the passcode to.

    To find your YubiKey version, see Identifying Your YubiKey on the Yubico website.

  3. Click the arrow to log on to Windows.

58065995.png

Passcode from YubiKey

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Log on to Login for Windows with your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on to Windows.

58065970.png

Use passwordless as first factor

This method and "Timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

End users must have a fingerprint reader installed on their computer and must enroll at least one fingerprint to use passwordless as a first factor.

For this option:

  1. Log on to Login for Windows with your Windows password.

    If offline, end users can choose an OATH-based method they used when online.

  2. The SecureAuth Fingerprint Recognition Setup screen opens so end users can enroll the fingerprints they want to use.

    Thereafter, to add or remove fingerprints, open the enrollment app: Start menu > SecureAuth > Fingerprint Enrollment

    Instructions for enrolling fingerprints are in the SecureAuth Onboarding Toolkit, in the SecureAuth End User Experience document, under "Preparing end users for 2FA log in".

  3. Log out.

  4. Log on to Login for Windows with a password.

  5. In subsequent logins, end users can use an enrolled fingerprint (without a password) to authenticate.

End users with external fingerprint readers should not disconnect the reader from their computer before logging out; doing so will cause an error to be displayed: Fingerprint data not found. The error is an "unknown identity" signal that the reader sends to the driver; however, the fingerprint data will be found when the reader is connected to the same computer.

58065946.png

Use fingerprint recognition on mobile

End users must use the Authenticate mobile app to use fingerprint recognition. For this option:

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile phone on which the provisioned SecureAuth Authenticate app is installed to send a request to the mobile app.

  3. Provide a fingerprint on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the fingerprint information and you are authenticated.

  5. Click the arrow to log on to Windows.

58065945.png

Use face recognition on mobile

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones. For this option:

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate mobile app is installed to send a request to the mobile app.

  3. Show your face on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the face information and you are authenticated.

  5. Click the arrow to log on to Windows.

Subsequent login experience

When logging on the same machine in subsequent sessions, the Login for Windows page includes a selection of all multi-factor authentication methods for which you enrolled.

Note

The login screen defaults to the authentication method used in the last login session.

To show characters as you type a passcode instead of seeing dots, refer to step 2.

You can provision either "Approve login" or "Symbol-to-Accept." The following image shows the login screen with the "Approve login" icon; if "Symbol-to-Accept" is set, end users will see the "Symbol-to-Accept" icon in place of the "Approve login" icon on the login screen. (On the SecureAuth Authenticate mobile app, the icons will be different, but both icons will have a tool tip that reads "Approve login".)

l4w_all_factors_icons.png

Sign-in option icons, fields (images), and instructions for each authentication method:

58065943.jpg
58065942.png

Answers to security questions

  1. Answer both questions with your predefined answers; both answers are required.

  2. Click the arrow to log on to Windows.

58065979.jpg

Single user credential:

58065941.png

Multiple user credential:

58065881.png

Timed passcode from app

  1. Log on to Login for Windows with a password.

  2. In the Enter passcode field, enter the OATH OTP from your One-time Passcode app.

    If online, end users with multiple mobile devices enrolled can choose any MFA method available, including multiple mobile devices. (End users with multiple provisioned mobile devices will have the extra step of selecting the appropriate mobile device.)

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on to Windows.

58065981.jpg
58065928.png

Contact help desk for passcode

  1. Enter the passcode received by contacting the help desk.

  2. Click the arrow to log on to Windows.

58065978.jpg
58065938.png

Approve login notification on mobile

  1. Accept the login notification sent to the SecureAuth Authenticate app on your mobile device.

  2. Access Windows.

58065977.jpg
58065935.png

Passcode from notification

  1. Enter the passcode sent to the SecureAuth Authenticate app on your mobile device.

  2. Click the arrow to log on to Windows.

58065976.jpg
58065934.png

Passcode from email

  1. Enter the passcode sent to your email address.

  2. Click the arrow to log on to Windows.

l4w_l2a_email_icon.png
l4w_l2a_email_multi.png

Passcode from email link-to-accept

  1. Log on to Login for Windows with your Windows password.

  2. Click the link sent to your email address.

  3. Click the arrow to log on to Windows.

58065975.jpg
58065930.png

Passcode from voice call

  1. Enter the passcode received by a voice call to your mobile phone.

  2. Click the arrow to log on to Windows.

58065974.jpg
58065931.png

Passcode from SMS / text

  1. Enter the passcode sent via SMS to your mobile phone.

  2. Click the arrow to log on to Windows.

l4w_l2a_text_icon.png
l4w_l2a_text_multi.png

Passcode from SMS/text link-to-accept

  1. Log on to Login for Windows with your Windows password.

  2. Tap the link sent via SMS to your mobile phone.

  3. Click the arrow to log on to Windows.

58065984.png
58065947.png

Passcode from symbol-to-accept

End users must use the Authenticate mobile app to receive symbols.

  1. Receive the set of 4 symbols sent to the Authenticate mobile app on your mobile device.

  2. One symbol will display on your Windows desktop or laptop.

  3. On the Authenticate mobile app, tap the symbol that matches the one displayed on your desktop or laptop.

58065980.jpg

Single user credential:

58065880.png

Multiple user credential:

58065879.png

Passcode from token

  1. Log on to Login for Windows with your Windows password.

  2. Plug in the token and tap or press it to receive a passcode from the device.

    If online, end users with multiple tokens enrolled can choose any MFA method available, including multiple tokens. (End users with multiple provisioned tokens will have the extra step of selecting the appropriate token.)

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on to Windows.

l4w_pin_icon.png
l4w_pin_multi.png

Passcode from PIN

  1. Log on to Login for Windows with your Windows password.

  2. Enter your predefined personal identification number.

  3. Click the arrow to log on to Windows.

58065980.jpg
58065973.png

Passcode from YubiKey

  1. Log on to Login for Windows with your Windows password.

  2. Plug in the YubiKey and tap it to receive a passcode from the device.

    If offline, end users can choose an OATH-based method they used when online.

  3. Click the arrow to log on to Windows.

58065948.png

Single user credential:

58065946.png

Multiple user credential:

58065951.png

Use fingerprint recognition on mobile

End users must use the Authenticate mobile app to use fingerprint recognition.

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile phone on which the provisioned SecureAuth Authenticate app is installed to send a request to the mobile app.

  3. Provide a fingerprint on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the fingerprint information and you are authenticated.

  5. Click the arrow to log on to Windows.

58065949.png

Single user credential:

58065945.png

Multiple user credential:

58065950.png

Use face recognition on mobile

End users must use the Authenticate mobile app to use face recognition. This option is available to users on iOS mobile phones.

  1. Log on to Login for Windows with your Windows password.

  2. Select the mobile device on which the provisioned SecureAuth Authenticate mobile app is installed to send a request to the mobile app.

  3. Show your face on the SecureAuth mobile app to approve the request.

  4. Login for Windows receives the face information and you are authenticated.

  5. Click the arrow to log on to Windows.

Admin login experience

Login for Windows requires you to enter a multi-factor authentication method when you log in to a privileged account as an administrator (with "Run as administrator") on the same machine used to log in to a regular user account. To see the options, right-click an executable.

58065886.png

Select one of the options and then enter the admin password.

58065939.png

Note

Users with access to privileged accounts are not prompted for additional MFA when logging into their normal user accounts; however, it is possible to configure UAC policies to prompt administrators for password or MFA when they log into their normal user accounts. See UAC - Require a Password for Administrator.

To show characters as you type a passcode instead of seeing dots, click and hold the "eye" icon to the right of the characters.