
Arculix Device Trust FAQ

This section answers commonly asked questions concerning Arculix device trust. These questions are arranged into two subsections:

Administrators Questions

This section provides answers that specifically address administrators' questions. These include the following questions:


For more information on Arculix Device Trust for administrators, refer to the Arculix Device Trust administrator guide.

What is Arculix Device Trust?

Arculix Device Trust (DT) is an application that adds smart MFA to Windows Remote Desktop and local logins.

Why should I use Arculix Device Trust?

Arculix DT enables you to secure logins to Windows workstations and servers through its proprietary AIML and Risk Engine.

Device Trust enables passwordless login, if desired, to track assets and detect security posture. DT establishes a chain of trust starting at the device level, allowing for the passing of trust to all the subsequent cloud applications accessed by the device.

How does Arculix Device Trust work?

Device trust provides a secure and convenient alternative for accessing your devices using your biometric factors and mobile devices. Device trust uses Arculix's AIML-powered technology to decrease friction and increase security without relying on static usernames and passwords.

What software or other dependencies do I need to install in order to make Device Trust work?

On all supported platforms, device trust is provided as a self-contained software package including all of the required dependencies so you don't have to install any other dependencies or software packages.

What operating systems does Device Trust support?

Device Trust supports Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

For more on this topic, see the Arculix Device Trust compatibility.

What types of users can I secure with Device Trust?

Device Trust supports three different Windows user types: 

  • Local user: for example, John

  • Domain Account: for example, Arculix\john.smith or

  • Microsoft account: for example,

What are the top Device Trust features and capabilities?

Device trust provides:

  • True password-less experience

  • Significantly reduced friction by getting rid of passwords

  • Smart and dynamic security policies that adapt to your biometric patterns and personal routines

  • An early warning platform to detect and prevent unauthorized access to your device with no extra effort

Can I have a secondary Arculix Device Trust in parallel?

By default, Arculix's device trust disables all other device trust applications, but you can re-enable them by using the provided ATAgent utility installed on your device.

What type of MFA factors are supported by Arculix Device Trust?

Device Trust supports Push, SMS, Email, TOTP, and Security U2F keys (like Yubikey) as MFA factors.

The last two factors can be used for offline access, too.

What login interfaces can Arculix Device Trust protect?

Device Trust adds MFA for remote and local console sessions as well as Terminal Server, RDP and VDIs.

Which username attribute is sent to Arculix Device Trust?

Device Trust sends your Domain Name, Computer Name, and User Name to Arculix.

Does Arculix device trust support both BYOD and Managed devices?

Yes, device trust can be deployed on both BYOD and Managed devices.

Does Arculix device trust support offline MFA?

Yes. Both TOTP and Security (U2F) keys can be used as offline MFA factors if a Windows system is unable to reach the Arculix cloud.

What types of policies are supported by Arculix device trust?

You can set both standard and advanced policies based on Device Trust security information and configure them to automatically approve, automatically reject, force MFA, or change the LOA score.

Does Device Trust enable me to get rid of my passwords?

Yes, you can enjoy the true passwordless experience on supported platforms.

What is the Device Trust passwordless authentication experience?

After an initial prompt for your password on your first login, you can enable the passwordless mode and only use your phone or other biometric devices and hardware keys to log in to your device.

Currently, this feature is only provided on Windows.

Why do we need to eliminate passwords?

Passwords are a huge contributor to enterprise vulnerability. With their high cost and friction, they’re the sore point that continually creates problems. According to the Verizon DBIR 2020, a whopping 75%-81% of data breaches over the last 5 years are due to vulnerabilities of binary authentication, such as passwords—even when combined with weak two-factor authentication (2FA) and certain multi-factor authentication (MFA). No one believes that they’re the next victim of a breach, until they are.

Passwordless workstation secure login is the first step to establishing root of trust and eliminating the vulnerabilities of passwords.

What is the passwordless workstation project?

The passwordless workstation project is a secure login for Windows 10 and Mac workstations that uses an intelligent MFA and is the first step to establish root of trust to elevate platform security.

Do I need to be part of a joint domain for Arculix to use device trust?

No, device trust can operate in both local and domain networks.

Does the joint domain solution allow for multiple user account registrations on one MacBook?

Yes, it does, for domain users and administrators.

Does this solution support more than one IdP, such as an Okta/Azure Active Directory (AD) mix?

Yes, it can.

How does Arculix Device Trust compare with other competitors, such as Okta and Duo?

Here is a chart that will compare and contrast between Arculix device trust and other device trust products.

Also, see Arculix Device Trust vs Okta and Duo Device Trust Overview.

Can we exclude the admin account from MFA on PCs with the Device Trust software?

No. At this time, we cannot exclude a user.

What should we do for a user on vacation when their password expires?

Use certificate-based authentication for login. Certification is valid for two years.

Can multiple users enroll with certificate-based authentication and device trust?

No. The second user is not able to log in and the error message “Invalid username or password” appears.

What are the benefits of passwordless workstations?

Combining the OS credential providers with an intelligent multi-factor authentication (MFA) makes passwords benign for both Windows 10 and Mac OS platforms. The benefits include:

  • Secure passwordless login

  • Reduced help desk cost

  • Minimized friction

  • Wide range of authentication methods including: Push, Offline TOTP, SMS, Email, FIDO token (YubiKey), Biometric/Touch ID, and FIDO biometric-PIN

  • Audit trail

  • Risk-based authentication continues even after access is granted

What factors are available for Arculix desktop / workstation MFA?

The available factors are:

  • Push

  • FIDO Push


  • Email TOTP/OTP

  • TOTP (requires a paired phone with Arculix Mobile application installed, or an Arculix token device)

  • FIDO USB Device. For example, YubiKey

  • Windows Hello Biometric (FP/FR)

  • Smart Card (HID)

  • Discrete USB biometric Password/Passphrase (Fallback for pilot only unless passphrases are used. Not recommended.)

What user attributes are sent to Arculix?

Device Trust sends your domain name, computer name, and username to Arculix, as well as a number of device hygiene and attributes to enable tracking device compliance and other important asset tracking statistics.

How can I access the advanced configuration of Device Trust?

By default, Arculix Device Trust is configured for high security with optimal settings. However, if your organization has special needs, these values can be changed using ATAgent, which is installed with Device Trust.

To see the available options, run the %windir%\Arculix\atagent set command from a privileged command prompt.

Can I enable other credential providers after installing Device Trust?

Installing Device Trust disables all other installed credential providers. You can re-enable other providers using ATAgent, which is installed with the Device Trust.

To see the available options, run the %windir%\Arculix\atagent set command from a privileged command prompt.

Can I configure Device Trust to protect Remote Desktop Connection only?

Yes, you can disable the EnableLocalMFA option in the Advanced setting of Device Trust. This value can be changed using ATAgent, which is installed with the Device Trust.

To see the available options, run the %windir%\Arculix\atagent set command from a privileged command prompt.

Can I configure the timeout for Push, SMS, and Email MFA in Device Trust?

By default, Arculix Device Trust is configured for high security with optimal settings. However, if your organization has special needs, these values can be changed using ATAgent, which is installed with Device Trust.

To see the available options, run the %windir%\Arculix\atagent set command from a privileged command prompt.

Where are the Device Trust settings stored in the registry?

Device Trust stores the settings in the registry at HKLM\Software\Arculix\CredentialProvider.

Does Arculix device trust support passwordless authentication?

Yes, you can save your password in Device Trust. This will allow you to simply select Log in on your next login to your workstation instead of needing to input your Windows password.

Does Arculix device trust provide a passwordless authentication option in case the user’s AD password is reset?

Yes, but only when offline.

If online, during the next login when connected to AD, the token will be invalidated and the user will be prompted to enter the new valid password.

Does device trust collect device security health and security posture?

Yes, Device Trust collects many parameters on workstation security, like firewall state, antivirus state, BitLocker state, Public IP, Private IP, MAC Address, Computer Name, User Name, and Operating System.

Does device trust allow me to configure policies for risk-based authentication?

Yes, you can define the various policies of risk-based authentication based on the Arculix Admin Panel.

What system logs does device trust capture?

Device trust collects certain information on your devices to make sure you can always access your device securely with zero hassle and minimum friction. This information might include:

  • Records of login

  • Lock and logout attempts on the device

  • Network configuration setup including IP address and other network related information.

  • Firewall, system auto-update, and BitLocker configuration on the device.

How does Arculix Device Trust adhere to the enterprise employee onboarding/offboarding best practices?

Arculix augments existing enterprise onboarding/offboarding to deliver best practices as defined by IT, HR, and Information Security.

These definitions are based on enterprise-devised guardrails and policies and are guided by the Statement Of Work in the section Onboarding-Offboarding.

Arculix GUID and Device Binding allows unique identifiers when creating new employee accounts. In this way, enterprise onboarding/offboarding practices and hygiene compliance with Arculix device trust can be fully managed at the authentication layer.

For more on onboarding for Arculix, refer to Arculix user onboarding guide.

Does Arculix support kill pill and role-based access to managed devices, on-prem applications, and federated SaaS applications?

Yes, Arculix incorporates AD group policies and role-based authentication to manage access to both devices and BYOD domain-joined accounts, as well as all user-associated on-prem and enterprise federated SaaS applications.

This capability includes a Kill Pill policy that disables access to all targeted online workstations associated with an offboarded group.

Does device trust support FIDO?

Yes, device trust supports U2F and FIDO2 authenticators as an authentication factor. On supported Windows versions (later than 19.9), you can use BLE and NFC authenticators in addition to physical USB keys (such as YubiKey).

On older Windows versions and all MacOSes, only USB keys are supported.

If a user has unlocked their AD account by resetting their password, can Arculix device trust allow the user to log in using their new password on the MacBook while not connected to AD?

No. If the device has not connected to AD after the password reset, the device cannot have any knowledge of the changed password.

The user logs in (either passwordless or password) using offline authenticators when offline and not yet synchronized with the newly changed password. On the next login when connected to AD, the token is invalidated and the user is prompted to enter the new valid password.

Is Arculix device trust compatible with Filevault-encrypted Macs?


Can users still use the Change Password feature on their Mac for changing their password in Filevault and AD? Can admins change passwords as well?


Does Arculix Device Trust support first startup after shutdown or restart with FileVault?

Arculix locks after reboot if FileVault is enabled.

Does Arculix device trust support security keys?

Yes, Arculix supports Titan, Yubikey, Kensington biometric, and Feitian.

Does Arculix device trust support lost device recovery?

Yes. The user can pair a new device, and from there, unpair the old device.

How do I uninstall Device Trust?

You can uninstall the device trust application package by following the standard procedures for your platform. 

On Windows, device trust can be uninstalled this way:

  1. Select the Start button.

  2. Select Settings > Apps & features.

  3. Select the device trust application to uninstall.

  4. Click Uninstall.

On MacOS, you can uninstall the device trust application this way:

  1. Use Finder and navigate to the Applications icon on the sidebar.

  2. Find the uninstaller application in the Utilities > Arculix folder.

  3. You will be prompted for your password to complete the uninstallation process.

End User Questions

This section provides answers that specifically address end users' questions. These include the following questions:


For more information on Arculix Device Trust for the end user, refer to Arculix Device Trust end user guide.

What if I don’t want to use my personal mobile device?

You will lose the convenience and safety of a risk-based authentication system.

Can I stick to passwords and still do desktop MFA?

No. The purpose of passwordless intelligent MFA is to eliminate passwords and their vulnerabilities. That said, enterprise IT has the option to enable various first factors, including passwords/passphrases.

Do I need a mobile device to participate?

Yes, you need a mobile device in order to pair your workstation and websites (where applicable) to the Arculix Mobile app.

Can I remotely lock my workstation in case of leaving my desk or stolen laptop?

Yes, you can lock or log out of your session remotely via the Arculix Mobile app as explained in the next question.

If I leave my machine unlocked, can I monitor and lock it remotely using my phone?

Using the Arculix Mobile app, you can lock your machine remotely. Navigate to the Workstations tab, then select your workstation and click Lock.

Watch the demo video.


I received a “pair your device” email, but when I click on the universal link on my mobile device, it doesn’t work.

There is a known Apple issue with Universal Links not working properly on mobile devices. Read more here. You can open the email on your workstation and then scan the pairing QR code that is within the body of the email to pair Arculix Mobile.

Can I pair more than one phone?

Yes, multiple pairings are allowed. Note that the first device and proof of identity on claimed identity are required to pair additional mobile devices.

For security reasons, the offline TOTP on secondary device(s) is not automatic and requires manual pairing. This implies that upon replacing devices (lost or stolen device, upgrades) offline TOTP is lost, which puts offline authentication at risk. The unpair-pair procedure of secondary devices needs to be carefully understood by enterprise for this reason.

How do I pair my workstation and mobile device? How does it all work?

The video below explains how the pairing process as well as different authentication factors for online and offline access work.

Watch demo video.

Do I need to pair my device and my workstation every time I upgrade my phone or replace a lost phone?

Arculix Mobile will retain any workstations you currently have when you upgrade or replace your mobile device. However, TOTPs are stored on the device for security reasons; therefore, when you view your workstation in Arculix Mobile on your new device, you will not see a TOTP. Use the ‘Add Offline Authenticator’ feature on the MFA dialog to add a new TOTP code on your new device.

How do I register my enterprise username and pair my phone?

Before Arculix Mobile can be used, it must be paired with Arculix. After installing and opening the app for the first time, you will see the pairing screen. From this screen there are two ways to pair:

  • In Line Pairing – Your organization will provide instructions that guide you to a QR code that will be scanned to pair the device by accessing a secure website.

  • Email Pairing – Tap the “No QR Code? Sign Up!” and enter your enterprise email to receive an email with instructions to pair. If you are on your workstation, scan the QR code within the body of the email using Arculix Mobile.


For fast pairing on your mobile device, click on the universal link icon in the received “Pair your device” email.


However, there is a known Apple issue with universal links. If you encounter this iOS bug, you can scan the QR code from the Workstation “Pair your device” email.

Watch the demo video - Pair via Magic Link

Watch the demo video - Pair Via QR Code

Can I respond to an Arculix push notification from a locked screen if my “show previews” notifications are enabled?

Yes, with “show previews” enabled on your device, it is possible to respond to a push notification from the locked screen.

From the locked screen, tap on the preview notification and select “Accept”. This will be followed by a biometric gesture (Face or Touch ID) to approve authentication. If this authentication method is not verified, it will then ask for the next failsafe method, e.g. a passcode.

[Figure: Mobile app notification: App notification to authenticate]

[Figure: Accept or deny authentication request in app: Accept request]

[Figure: Passcode to unlock mobile app: If app passcode is set, enter passcode to unlock Arculix Mobile app]

What if my phone is out of battery, not available, or misplaced?

Other offline authenticators such as Windows Hello biometrics and FIDO authenticators (like YubiKey) can be provisioned for offline support. In certain instances, enterprise IT might enable password/passphrase factors.

Do I always need a phone? What if my phone is inaccessible?

You can also use your registered security key (such as a YubiKey) or biometric device (such as a fingerprint reader) that is present on your machine to log in.

What if my workstation is offline?

If you’re offline, you can log in to your machine using the Offline TOTP feature. On the Arculix Mobile app, go to the Workstations tab and enter the 6-digit TOTP code to log in. Other offline authenticators such as biometrics and YubiKey can be provisioned for offline support.

Does Device Trust support an offline mode?

Yes, in addition to offline TOTP support, you can also use security keys (such as YubiKey) or biometric devices available on your machine.

What if my workstation is online, but I don’t have my phone, YubiKey, or biometrics (on Windows)?

Contact the help desk to unlock your workstation.

Can a user unlock the workstation through their phone via a discrete intent / gesture and eliminate the need for a push and approve?

On the screen of your mobile device, press and hold the Arculix Mobile icon to reveal a list of options. Tap the Unlock Workstation option. This means that it will automatically accept the next workstation authentication for your account.

Watch demo video.


The offline TOTP mode doesn’t work.

There are a few reasons why your TOTP might not work:

  • Your workstation clock may be out of sync. Verify that the time and date setting on your workstation is set to Set Time Automatically.

  • You might be inputting the incorrect TOTP code. Verify that you are viewing the correct workstation on Arculix Mobile and that you are typing the code in accurately.
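
The clock-sync cause can be reproduced with a short RFC 6238 TOTP sketch. This is an added example, not Arculix code: the 30-second step, HMAC-SHA-1, the acceptance window of one step either side, and all function names are assumptions (the FAQ only states that the code has 6 digits), and the key is the public RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default (assumption, not from the FAQ)
DIGITS = 6   # the FAQ describes a 6-digit code


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 (algorithm choice is an assumption)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _steps_by_distance(limit: int):
    """Yield step offsets 0, -1, +1, -2, +2, ... up to +/-limit."""
    yield 0
    for k in range(1, limit + 1):
        yield -k
        yield k


def verify(secret: bytes, code: str, workstation_time: int, window: int = 1) -> bool:
    """Offline check against the workstation's own clock: accept the code only
    if it matches the current step or one within +/-window steps."""
    return any(
        hmac.compare_digest(totp(secret, workstation_time + d * STEP), code)
        for d in _steps_by_distance(window)
    )


def estimate_clock_error(secret, code, workstation_time, max_steps=20):
    """Troubleshooting aid only, never a login check: find the nearest step at
    which the code would have been valid and return the workstation's apparent
    clock error in seconds (positive means the workstation clock is ahead)."""
    for d in _steps_by_distance(max_steps):
        if hmac.compare_digest(totp(secret, workstation_time + d * STEP), code):
            return -d * STEP
    return None


# Constructed sample data: RFC 6238 test key and an arbitrary phone time.
SECRET = b"12345678901234567890"
PHONE_TIME = 1_700_000_000

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)  # what the phone displays
    for skew in (0, 20, 300):        # workstation clock ahead by this many seconds
        ws = PHONE_TIME + skew
        print(f"workstation {skew:>3}s ahead: accepted={verify(SECRET, code, ws)}, "
              f"estimated error={estimate_clock_error(SECRET, code, ws)}s")
```

A workstation that is 20 seconds ahead still accepts the phone's code because of the one-step window, while one that is 5 minutes ahead rejects a correctly typed code, which is why the time setting is the first thing to check.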