Skip to main content

Using Arculix Device Trust - MFA methods

This section provides an overview of the available MFA methods, which include push, SMS, email, phone biometric and workstation biometric.


Push notification using the Arculix Mobile app is the default MFA method for all logins. Each workstation login automatically sends a push to the user’s registered Arculix Mobile app. Tap Accept to log in, and Deny to block the login.


Email and SMS

If an authentication method other than push is needed or desired, clicking More Options after entering the username and password present additional MFA options. A one-time passcode can be sent via SMS or email by clicking the corresponding button in the dialogue box (note that the phone number must be registered on the user’s account to receive SMS). Enter the provided 6-digit authentication code in the Offline code entry field.



When registering a Windows or macOS workstation with Arculix, a time-based one-time temporary passcode (TOTP) is created that enables access when the system doesn’t have an internet connection (e.g. on an airplane or outside an internet service area).

The TOTP changes every 30 seconds and is accessible from two locations within Arclux Mobile app:

  • Offline authenticators

  • Workstation

To gain access to the workstation, enter code in the Offline Code field before the number expires (a countdown clock is provided right above the code in Arculix Mobile.

To add the ability to use a TOTP from a second device, click Add Offline Authenticator. Then, you will receive a push notification in Arculix Mobile app on your device to approve the reset. After approving, you will see a QR code. Scan this QR code using your second device in order to add the new TOTP to your list of Offline Authenticators. Be sure to click OK in order to complete the reset.

Security keys

To log in with a security key, you must first register your security key using the bottom-right Register Security Key. This will send you a push that you must accept through the Arculix Mobile app. Once you register by accepting this push, you can use the security key by tapping once you enter the login screen.

Biometric - Windows Hello

The biometric login for Windows Hello is evident by the icon on the top of the Arculix login screen. This option is available once your face or fingerprint has been registered with the system through Windows settings.


Two-way SMS

Two-way SMS can be used by selecting More options from the Arculix login screen and then selecting SMS code. You will receive a code, which you can then reply back with in the chat.


Enabling passwordless

For an end user to enable passwordless authentication on a workstation, select the Go Passwordless option on the MFA login screen and then authenticate normally. Selecting this check box enables the user to select Sign in to receive an automatic Push notification without the input of a password. Note that if passwordless is already configured in the backend by the administrator, this option will not be shown.


Remote workstation lock and logout

Arculix Mobile has the ability for users to lock and log out of protected workstations remotely.

While logged into the workstation, open the Arculix Mobile app and click Workstations in the upper right left corner of the Dashboard screen to open the Workstations page.

  • Clicking Lock locks the current session, requiring re-authentication to gain access. Clicking Logout logs the user out of your active session.

  • Clicking Logout logs the user out of your active session.

Allow TouchID on macOS lock screen

In order to login using TouchID when Arculix Device Trust is installed on a macOS workstation, the setting MFALockEnabled must be set to false. This setting is false by default for macOS devices that have biometric and true for those that do not. When false, the setting allows you to login with TouchID or Password at the lock screen and if the network connection drops then the setting forces the user to a lock screen which requires MFA.

To change the setting run the following commands:

  1. sudo atagent stop

  2. sudo atagent set mfalockenabled true/false

  3. sudo atagent install

  4. Log off the workstation

Unpairing a workstation

Open Arculix Mobile and navigate to the Workstation page. On the right side of the workstation’s name, click on the gear icon to bring up the option to unpair the workstation. Click Unpair to unregister the workstation from Arculix. If you are currently logged in to your workstation when you unpair, you will be logged out and forced to pair when logging on again.


Always access

The architectural diagram below outlines the primary Device Trust subsystems instrumental in delivering the service. The four subsystems involved are as follows.

  1. Enterprise User Directory and the Arculix AD Agent

  2. Arculix Cloud: Policy and Risk Engine

  3. Registered phone with Arculix Mobile app

  4. Workstation (Windows/Mac) Agent


The validation matrix below details the valid authenticators in the different system availability states. All the permutations of this matrix should be tested against the authenticators applicable to the environment being deployed in.


Expected online UX flow

Below is a flow diagram of the expected screen when all systems are online. All enterprise supported authenticators should be tested.

  • Test approval of Push notification from both a locked and unlocked phone.

  • Let the Push expire or select More Options to access the secondary MFA screen. Select and test all available online and offline authenticators.


Expected offline UX flow

Below is a flow diagram of the expected screen when one or more subsystems are offline. Test all available offline authenticators for when workstation, phone, AD and Arculix / AWS are offline.