Acceptto Device Trust FAQ
1. Why do we need to eliminate passwords?
Passwords are a huge contributor to enterprise vulnerability. With their high cost and friction, they are the sore point that continually creates problems. According to the Verizon DBIR 2020, a whopping 75%-81% of data breaches over the last 5 years are due to vulnerabilities of binary authentication such as passwords, even when combined with weak Two-Factor Authentication (2FA) and certain Multi-Factor Authentication (MFA). No one believes they are the next victim of a breach, until they are.
Passwordless Workstation Secure Login is the first step to establishing a root of trust and eliminating the vulnerabilities of passwords.
2. What is the Passwordless Workstation project?
Passwordless Workstation is a secure login for Windows 10 and Mac workstations that uses intelligent multi-factor authentication and is the first step to establishing a root of trust that elevates platform security.
3. What are the benefits of the Workstation Passwordless project?
Combining the OS credential providers with an Intelligent Multi-Factor Authentication (MFA) makes passwords benign for both Mac OS and Win 10 platforms. The benefits include:
Secure passwordless login
Reduced helpdesk cost
Minimized friction
Wide range of authentication methods (Push, Offline TOTP, SMS, Email, FIDO token (e.g. YubiKey), Biometric/Touch ID, FIDO biometric PIN)
Audit trail
Risk based continuous authentication
4. Do I need a mobile device to participate?
Yes, you need a mobile device in order to pair your workstation and websites (where applicable) to the It’sMe™ app.
5. What if I don’t want to use my personal mobile device?
You will lose the convenience and safety of a risk-based authentication system.
6. Can I stick to passwords and still do Desktop MFA?
No. The purpose of passwordless intelligent MFA is to eliminate passwords and their vulnerabilities. That said, enterprise IT has the option to enable various first factors, including passwords/passphrases.
7. If I leave my machine unlocked, can I monitor and lock it remotely using my phone?
Using the It’sMe™ app you can lock your machine remotely. Navigate to the Workstations tab, then select your workstation and click “Lock”.
8. What factors are available for Acceptto Desktop/Workstation MFA?
Push
FIDO Push
SMS TOTP/OTP
Email TOTP/OTP
TOTP (requires a paired phone with It’sMe application installed, or an Acceptto token device)
FIDO USB Device (e.g. YubiKey)
Windows Hello Biometric (FP/FR)
Smart Card (HID)
Discrete USB biometric
Password/Passphrase (fallback for pilot only unless passphrases are used; not recommended)
9. What if my phone is out of battery, not available, or misplaced?
Other offline authenticators such as Win Hello Biometrics and FIDO authenticators (like YubiKey) can be provisioned for offline support. In certain instances, enterprise IT may enable password/passphrase factors.
10. What if my workstation is offline?
If you’re offline, you can log in to your machine using the Offline TOTP feature. In the It’sMe interface, navigate to the Workstations tab and enter the 6-digit TOTP code to log in. Other offline authenticators such as biometrics and YubiKey can be provisioned for offline support.
11. What if my workstation is online, but I don’t have my phone, YubiKey or biometrics (on Windows)?
Contact the helpdesk to unlock your workstation.
12. The offline TOTP mode doesn’t work.
There are a few reasons why your TOTP may not work:
Your workstation clock may be out of sync. Verify that your workstation’s Time and Date setting is set to “Set Time Automatically”.
You may be inputting the incorrect TOTP code. Verify that you are viewing the correct workstation on It’sMe and that you are typing the code in accurately.
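The clock-sync point above follows directly from how TOTP works: the code is an HMAC over the current 30-second time step, so a workstation whose clock has drifted computes a different step than the phone and rejects a correct code. The following is an added example, not Acceptto or It’sMe code, that implements RFC 6238 TOTP with a verifier that tolerates one step of drift either side; the drift window, the shared secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30     # RFC 6238 default step length in seconds
DIGITS = 6         # the FAQ's 6-digit code
DRIFT_STEPS = 1    # assumed verifier policy: accept one step either side (±30 s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, verifier_time: int,
                drift_steps: int = DRIFT_STEPS, step: int = TIME_STEP):
    """Return the step offset (e.g. -1, 0, +1) at which the code matched, or None.

    A workstation whose clock is more than drift_steps * step seconds away from
    the phone's clock lands outside this window and the code is rejected, which
    is exactly the 'clock out of sync' failure described in the FAQ.
    """
    base = verifier_time // step
    for offset in range(-drift_steps, drift_steps + 1):
        candidate = hotp(secret, base + offset)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return offset
    return None


# Constructed demonstration: the RFC 6238 reference secret and a phone clock of T=59.
DEMO_SECRET = b"12345678901234567890"
PHONE_TIME = 59


def drift_scenarios(secret: bytes = DEMO_SECRET, phone_time: int = PHONE_TIME) -> dict:
    """Show the same phone-generated code against three workstation clocks."""
    code = totp(secret, phone_time)
    return {
        "code": code,
        "in_sync": verify_totp(secret, code, phone_time - 14),        # same step -> 0
        "thirty_seconds_ahead": verify_totp(secret, code, phone_time + 30),  # -1
        "two_minutes_ahead": verify_totp(secret, code, phone_time + 120),   # None
    }


if __name__ == "__main__":
    print(drift_scenarios())
    # A live code for the demo secret, if you want to compare with an authenticator app:
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

The `drift_scenarios` result shows why the FAQ's first troubleshooting step is "Set Time Automatically": with a clock 30 seconds off the code still verifies (at offset -1), but two minutes of drift is outside the tolerated window and every attempt fails even though the user typed the code correctly.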
13. Can I pair more than one phone?
Yes, multiple pairings are allowed. Note that the first device and proof of the claimed identity are required to pair additional mobile devices.
For security reasons, offline TOTP on secondary device(s) is not set up automatically and requires manual pairing. This means that when a device is replaced (lost or stolen device, upgrades) the offline TOTP is lost, which puts offline authentication at risk. The enterprise needs to understand the unpair/pair procedure for secondary devices carefully for this reason.
14. Do I need to pair my device and my workstation every time I upgrade my phone or replace a lost phone?
It’sMe will retain any workstations you currently have when you upgrade or replace your mobile device. However, TOTPs are stored on the device for security reasons; therefore, when you view your workstation in It’sMe on your new device, you will not see a TOTP. Use the ‘Add Offline Authenticator’ feature on the MFA dialog to add a new TOTP code on your new device.
15. Can a user unlock the workstation through their phone via a discrete intent/gesture and eliminate the need for a push and approve?
When on the home screen of your mobile device, press and hold the It’sMe icon to reveal a list of options. There, you will see ‘Unlock Workstation’. Selecting this option means that the next workstation authentication made on your account will be automatically accepted.
16. Can I respond to an Acceptto push notification from a locked screen if my “show previews” notifications are enabled?
Yes, with “show previews” enabled on your device, it is possible to respond to a push notification from the locked screen.
From the locked screen, tap on the preview notification and select “Accept”. This will be followed by a biometric gesture (Face or Touch ID) to approve authentication. If this authentication method is not verified, it will then ask for the next failsafe method, e.g. a passcode.
17. How do I register my enterprise username and pair my phone?
Before It’sMe can be used, it must be paired with eGuardian. After installing and opening the app for the first time, you will see the pairing screen. From this screen there are two ways to pair:
In Line Pairing – Your organization will provide instructions that guide you to a QR code that will be scanned to pair the device by accessing a secure website.
Email Pairing – Tap “No QR Code? Sign Up!” and enter your enterprise email to receive an email with instructions to pair. If you are on your workstation, scan the QR code within the body of the email using It’sMe.
For fast pairing on your mobile device, click the universal link icon in the “Pair your device” email you received.
However, there is a known Apple issue with universal links. If you encounter this iOS bug, you can scan the QR code from the Workstation “Pair your device” email.
18. How do I pair my workstation and mobile device? How does it all work?
This video explains the pairing process as well as how the different authentication factors for online and offline access work.
19. I have received a “pair your device” email, but when I click on the universal link on my mobile device, it doesn’t work.
There is a known Apple issue with Universal Links not working properly on mobile devices. Read more here. You can open the email on your workstation and then scan the pairing QR code that is within the body of the email in order to pair It’sMe.