SafeNet Agent for Windows Logon

Running the Solution

This section describes the login and authentication flow with the agent. When a user has multiple tokens, the agent presents a choice-of-authenticators screen while the user logs in to the machine on which the WLA agent is installed.

The following are the login screens for the different scenarios:

Single token in Online mode

  1. When SafeNet OTP is not exempted, the login window that appears depends on the type of token assigned to the user in STA. For example, if the user is assigned a GrIDsure token in STA, the user is presented with a GrIDsure authentication screen.

    The following window depicts the user experience for a user enrolled with a single token:


    1. Enter the SafeNet OTP and press Enter (or click the forward arrow sign).

      For a Challenge-Response token, leave the Passcode field blank and press Enter (or click the forward arrow sign). Depending on the token type assigned to the user, one of the following single-character passcodes can also be entered to request that authentication method:

      • g for GrIDsure

      • e for E-mail

      • s for SMS

      • p for Push OTP

    2. Enter the Microsoft password.

    After providing the Microsoft password, you will be successfully logged in to the Windows machine.

Single token in Offline mode

The following window depicts the offline authentication flow for a user enrolled with a single token. In this case, the user is enrolled with a GrIDsure token in STA. If the user is assigned any other token, the login screen displays that token instead.


  • Grid pattern: [Disabled] GrIDsure cannot be used in offline mode, so this option is disabled.

  • Emergency password: Allows the user to authenticate a Windows machine using an emergency password that is provided by the administrator.

Multiple tokens in Online mode

The following window depicts the user experience when the user is enrolled with multiple tokens. It lists the authenticators assigned to the user (for example, John Doe) in STA. Select the authenticator you want to log in with.

A Password token cannot be assigned together with any other token; it must be assigned separately in STA.


  1. The following authenticators can be displayed on the multi-token login screen:

    • Send a push to MobilePASS+: Uses Push OTP with MobilePASS+. Selecting this option sends a push notification to the MobilePASS+ application.

    • Send a code by text message and email: Sends an OTP to the user's device by SMS or email.

    • Use your grid pattern: Authenticates with the user's GrIDsure pattern.

    • Enter a code: Lets the user manually enter an OTP generated by an authenticator app or a hardware token.

    • Remember for future logins: Select this check box to remember the authenticator chosen for this login. On subsequent logins to the WLA-installed machine, the user is presented only with the last chosen authentication method.

    For example, if the user selects Use your grid pattern, then on the next login or unlock only the GrIDsure authentication screen is shown. Click Other options to return to the multi-token window and select a different authentication method.

    Default: Disabled

  2. Complete the second-factor authentication for the selected method.

    After the authentication succeeds, you are logged in to the Windows machine.

Multiple tokens in Offline mode

The following window depicts the user experience in offline mode. This is applicable when the Windows machine is unable to communicate with STA at the time of authentication.

The offline login screen displays only those authenticators that have been used at least once in an online authentication on this machine; an authenticator that has never been used online is not available offline.


  • MobilePASS+: Allows the user to authenticate with a MobilePASS+ token.

  • Grid pattern: [Disabled] GrIDsure cannot be used in offline mode, so this option is disabled.

  • SMS: Allows the user to manually enter an SMS OTP that was received in advance on the user's device.

    The SMS authenticator allows only one offline login with such an advance token.

  • Emergency password: Allows the user to authenticate a Windows machine using an emergency password that is provided by the administrator.

  • Hardware token: Allows the user to manually enter the OTP fetched via a hardware token.

Fallback to the login screen

If for any reason the SafeNet authentication does not work (for example, because the certificate has expired), the login flow falls back to the AD authentication screen. From there, the user can click Other options to display and select the available authenticators.


Push with Number Matching

For users enrolled with a MobilePASS+ token in STA, the number matching feature makes push notifications more secure and prevents users from approving a push notification by mistake, since the approver must see the number shown on the login screen.

During online authentication, the user:

  1. Selects Send a push to MobilePASS+ from the list of authenticators.

  2. Matches the two-digit number shown in the MobilePASS+ push notification with the number displayed on the login screen, and approves the request only if they match.