5.2 Securing Windows Workstation with Multi-Factor Authentication

Let us assume Reltic Data, Inc. wants to implement multi-factor authentication for all Windows workstations to secure its data and provide authorized access to its employees.

This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this.

This example refers to the following user profiles:

  • Clarie Lee: An administrator of Reltic Data, Inc.

  • Sussane Ross: An employee of Reltic Data, Inc.

Clarie, an administrator, wants to enforce multi-factor authentication with the U2F and SMS OTP methods for the Windows logon. After multi-factor authentication is implemented, employees must authenticate successfully with both methods to access the Windows workstation.

Clarie must perform the following tasks to implement multi-factor authentication for the Windows logon:

  • Configure Methods

  • Create a Chain

  • Configure SMS Sender Policy

  • Assign Chain to Windows Logon Event

To understand the sequential flow of configuration in the Advanced Authentication Administration portal, see Configuration Flow in Advanced Authentication for Windows Logon Event.

For information about how an end user enrolls the configured methods and authenticates to the Windows workstation using Advanced Authentication, see End User Tasks.

5.2.1 Prerequisites

Ensure that you meet the following prerequisites:

  • An LDAP repository for Reltic Data, Inc. is configured and contains the information of all users.

    This example uses Active Directory Domain Services as the LDAP repository.

  • A group named Windows OS is created in Active Directory Domain Services.

  • The Advanced Authentication server is installed. For more information, see Installing Advanced Authentication.

  • The Advanced Authentication Windows Client is installed on the Windows workstation. For more information, see Installing Windows Client.

  • DNS is configured so that the Windows Client can discover and connect to the Advanced Authentication server. For more information, see Setting a DNS for Advanced Authentication Server Discovery.

  • The Advanced Authentication Device Service is installed on the Windows workstation. For more information, see Installing Device Service on Windows.

  • An account for Reltic Data, Inc. is registered with an SMS service provider that can deliver SMS OTPs to users during authentication.

    This example uses Twilio as the SMS service provider.
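The two Active Directory prerequisites (the Windows OS group, and user profiles that carry the data the methods need) can be prepared and checked from PowerShell. The following script is an added example and is not part of the Advanced Authentication documentation or product. It assumes the RSAT ActiveDirectory module, a hypothetical domain reltic.example and OU, a hypothetical account name sross for Sussane Ross, and that the phone number used for SMS OTP is stored in the mobile attribute. It creates the group idempotently, adds the user, and reports members without a phone number, because the chain is enforced for the whole group and such members cannot complete SMS OTP enrollment when enrollment without a phone is disabled.

```powershell
# Added example, not part of the Advanced Authentication documentation or product.
# Creates the "Windows OS" group from the prerequisites, adds the example user,
# and checks that every member has a mobile number, because SMS OTP enrollment
# depends on one. Requires the RSAT ActiveDirectory module and rights to manage
# groups. The domain (reltic.example), OU and account name "sross" are hypothetical,
# and the "mobile" attribute is assumed to hold the phone number.
Import-Module ActiveDirectory

$GroupName = 'Windows OS'
$GroupPath = 'OU=Groups,DC=reltic,DC=example'   # hypothetical OU
$Members   = @('sross')                          # hypothetical account for Sussane Ross

# Create the group only if it does not exist, so the script can be re-run safely.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# The chain is enforced for the whole group. A member whose AD profile has no
# phone number is not auto-enrolled for SMS OTP and, with "Allow user enrollment
# without a phone" set to OFF, cannot enroll at all, so find such members now.
$report = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mobile |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Mobile';      Expression = { $_.mobile } },
        @{ Name = 'SmsOtpReady'; Expression = { -not [string]::IsNullOrWhiteSpace($_.mobile) } }

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.SmsOtpReady })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' have no mobile number in AD: {2}" -f
        $missing.Count, $GroupName, ($missing.SamAccountName -join ', '))
}
```

Run the audit again after the chain is assigned to the Windows Logon event and whenever the group membership changes; a user added to the group without a phone number is locked out of the workstation once the chain is enforced.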

5.2.2 Points to Consider Before Configuration

Consider the following guidelines before you begin implementing multi-factor authentication for the Windows logon:

  1. Identify the authentication methods that you want to configure.

  2. Determine the order of methods in the chain. The methods are displayed to the end user in the order that you have configured.

  3. Determine the policy that must be configured for the identified methods.

  4. Identify the user group for which you want to enforce this authentication chain.

Configuration Flow in Advanced Authentication for Windows Logon Event

The following diagram illustrates the sequential flow of actions required for securing the Windows workstation with multi-factor authentication:

5.2.3 Configure Methods

Perform the following steps to configure the U2F and SMS OTP methods:

  1. Click Methods in the Advanced Authentication Administration portal.

  2. Click the Edit icon corresponding to the U2F method.

  3. Perform the following steps to configure the U2F method:

    1. Set Require attestation certificate to ON to enable validation of the attestation certificate. Advanced Authentication then accepts only U2F devices whose attestation certificate is signed by one of the configured attestation certificates.

    2. Select the attestation certificate:

      1. To use a default certificate, click Add Default.

      2. To use a custom certificate instead of the predefined device manufacturer certificate, perform the following steps:

        1. Click the icon next to the default attestation certificate to remove the certificate.

        2. Click Add to add a custom certificate.

        3. Click Browse and select the custom certificate and click Upload.

          The certificate must be in the PEM format.

    3. Click Save.

  4. Configure the SMS OTP method.

    1. Click the Edit icon corresponding to the SMS OTP method.

    2. Specify the following details to configure the SMS OTP method:

      OTP Period: The lifetime of an OTP in seconds. The default value is 120 seconds.

      OTP format: The number of digits in the OTP. The default value is 6.

      Body: The text of the SMS that is sent to the user. The following placeholders can be used in the text:

      • {user}: Name of the user.

      • {endpoint}: Device the user is authenticating to.

      • {event}: Name of the event the user is trying to authenticate to.

      • {otp}: One-Time Password.

      Including {endpoint} and {event} in the text lets the user recognize an OTP that was triggered by a login attempt they did not initiate.

      Allow overriding phone number: Set this option to OFF to prevent users from specifying a different phone number during enrollment. The option is set to ON by default.

      Allow user enrollment without a phone: Set this option to OFF to ensure that a user cannot enroll the SMS OTP authenticator without a phone. The user is shown an error message that you can specify in Error message. Set this option to ON to allow the user to enroll the SMS OTP authenticator without a phone.

    3. Click Save.

  5. Continue with Create a Chain.
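The custom attestation certificate in step 3 must be uploaded in PEM format, and vendors often ship attestation roots as binary DER (.cer/.crt). The following PowerShell is an added example, not part of the Advanced Authentication documentation or product: it inspects a certificate file before upload (format, subject, issuer, expiry, whether it is a CA certificate, which an attestation trust anchor normally is) and writes a PEM copy when the input is DER. The file names are hypothetical.

```powershell
# Added example, not part of the Advanced Authentication documentation or product.
# Inspect a U2F attestation certificate before uploading it as a custom
# attestation certificate, and produce a PEM copy if the vendor supplied DER.
# File names are hypothetical.
using namespace System.Security.Cryptography.X509Certificates

function Get-AttestationCertInfo {
    param([Parameter(Mandatory)][string]$Path)

    # X509Certificate2 loads both DER and Base64 (PEM) encoded certificate files.
    $cert  = New-Object X509Certificate2 -ArgumentList $Path
    $isPem = (Get-Content -Path $Path -Raw) -match '-----BEGIN CERTIFICATE-----'
    $bc    = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }

    [pscustomobject]@{
        File       = $Path
        IsPem      = $isPem
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
        Thumbprint = $cert.Thumbprint
    }
}

function ConvertTo-PemCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath
    )
    $cert = New-Object X509Certificate2 -ArgumentList $Path
    # Export the public certificate only (no key) and wrap at 64 characters,
    # the line length every PEM parser accepts.
    $b64   = [Convert]::ToBase64String($cert.Export([X509ContentType]::Cert))
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $OutPath -Value ($pem -join "`n") -Encoding Ascii
}

$source = '.\vendor-attestation-root.cer'   # hypothetical vendor file
$info   = Get-AttestationCertInfo -Path $source
$info | Format-List

if (-not $info.IsCA) {
    Write-Warning 'Not a CA certificate; an attestation trust anchor is normally a vendor CA.'
}
if ($info.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has expired; enrollments validated against it will fail.'
}
if (-not $info.IsPem) {
    $pemPath = [IO.Path]::ChangeExtension($source, '.pem')
    ConvertTo-PemCertificate -Path $source -OutPath $pemPath
    Write-Output "Wrote PEM copy to $pemPath; upload this file in the U2F method settings."
}
```

Compare the Subject, Issuer and Thumbprint shown with the values published by the token vendor before you upload the file: the attestation certificate is the only thing that ties an enrolled device to a known manufacturer, so an unverified file defeats the purpose of Require attestation certificate.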

5.2.4 Create a Chain

Perform the following steps to create a chain with the U2F and SMS OTP methods:

  1. Click Chains > Add in the Advanced Authentication Administration portal.

  2. Specify the following details:

    Name: A name for the chain.

    NOTE: Remember the name of the chain; you need it when you assign the chain to the Windows Logon event.

    Short name: Not applicable to the Windows Client event. This field applies only to the RADIUS Server event.

    Is enabled: Set to ON to enable the chain.

    Methods: Select the U2F and SMS OTP methods to add to the chain. The methods are presented to the user in the order in which they are listed here.

    Roles and Groups: Specify the Windows OS group. All users of this group are then required to use this authentication chain to log in to the Windows workstation.

  3. Click Save.

  4. Continue with Configure SMS Sender Policy.

5.2.5 Configure SMS Sender Policy

In Advanced Authentication, add the Twilio details of Reltic Data, Inc. as the service provider that sends SMS OTPs to the end users during authentication.

Perform the following steps to configure the details of Twilio in Advanced Authentication:

  1. Click Policies > SMS Sender in the Advanced Authentication Administration portal.

  2. Select Twilio in Sender service.

  3. In Recipient Mask, specify how the recipient's phone number is masked when it is displayed to users who authenticate with the SMS OTP method.

    NOTE: The Recipient Mask value is predefined. If you do not change it, the default mask is used.

  4. Specify the following details:

    • Account sid and Authentication token: In Twilio, the Account SID acts as the user name and the Authentication Token acts as the password. Treat the Authentication Token as a secret: anyone who holds it can send messages that are billed to the account.

    • Sender phone: The phone number from which the SMS is sent.

  5. You can test the SMS sender policy configuration in the Test section:

    1. In Phone, specify the phone number to which you want to send the test SMS.

    2. In Message, specify the message to be sent to the phone.

    3. Click Send test message!.

  6. Click Save.

  7. Continue with Assign Chain to Windows Logon Event.
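The Account SID and Authentication Token pairing described in step 4 is HTTP Basic authentication against the Twilio REST API. The following PowerShell is an added example, not part of the Advanced Authentication documentation or product: it sends a test message straight to Twilio with the same values that go into the SMS Sender policy, which separates a Twilio-side problem (wrong token, unverified sender number) from an Advanced Authentication configuration problem when the Test section fails. The Account SID, phone numbers and message text are placeholders.

```powershell
# Added example, not part of the Advanced Authentication documentation or product.
# Send a test SMS directly through the Twilio REST API using the same values
# entered in the SMS Sender policy. All identifiers below are placeholders.
$AccountSid  = 'ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'   # Twilio Account SID (acts as the user name)
$AuthToken   = Read-Host -Prompt 'Twilio Auth Token' -AsSecureString   # never hard-code it
$SenderPhone = '+15005550006'                         # sender number in E.164 form (placeholder)
$ToPhone     = '+15005550010'                         # test recipient (placeholder)
$Message     = 'Reltic Data, Inc. SMS OTP delivery test'

# Twilio authenticates with HTTP Basic: Account SID as user name, Auth Token as password.
$plainToken = [System.Net.NetworkCredential]::new('', $AuthToken).Password
$basic      = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$AccountSid`:$plainToken"))
$headers    = @{ Authorization = "Basic $basic" }

# Messages resource of the 2010-04-01 API; a hashtable body is sent form-urlencoded.
$uri  = "https://api.twilio.com/2010-04-01/Accounts/$AccountSid/Messages.json"
$body = @{ From = $SenderPhone; To = $ToPhone; Body = $Message }

try {
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
    # A status of "queued" or "sent" means the credentials and sender number were accepted.
    Write-Output ("Twilio accepted the message: SID {0}, status {1}" -f $resp.sid, $resp.status)
}
catch {
    # HTTP 401: wrong Account SID or Auth Token.
    # HTTP 400: request rejected, typically an invalid or unverified From/To number;
    # the response body carries Twilio's error message.
    $detail = $_.ErrorDetails.Message
    if (-not $detail) { $detail = $_.Exception.Message }
    Write-Error "Twilio rejected the request: $detail"
}
finally {
    # Do not leave the decrypted token in the session.
    $plainToken = $null
    $basic      = $null
    $headers    = $null
}
```

If this succeeds but the Test section in the SMS Sender policy fails, the problem is on the Advanced Authentication side (outbound HTTPS from the server, or a typo in the policy fields), not with the Twilio account.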

5.2.6 Assign Chain to Windows Logon Event

Perform the following steps to assign the chain to the Windows Logon event:

  1. Click Events.

  2. Click Edit next to the Windows Logon event.

  3. Ensure that Is enabled is set to ON.

  4. Select the chain that you created in Create a Chain.

  5. Click Save.

5.2.7 End User Tasks

Sussane must perform the following tasks to authenticate to the Windows workstation with the configured methods:

Enroll the FIDO U2F Method

  1. Log in to the Advanced Authentication Self-Service portal.

  2. Click the U2F icon in Add Authenticator.

    A message Press button "Save" to begin enrolling. is displayed.

  3. (Optional) Specify a comment related to U2F in Comment.

  4. (Optional) Select the preferred category from Category.

  5. Click Save.

    A message Please touch the flashing U2F device now is displayed. You may be prompted to allow the site permissions to access your security keys.

  6. Touch the FIDO U2F button when there is a flash on the device.

    A message Authenticator "U2F" enrolled is displayed. If there is no flash for more than 10 seconds, reconnect your token and repeat the steps.

Enroll the SMS OTP Method

NOTE: The SMS OTP method is enrolled automatically if a phone number is specified in the user profile in Active Directory.

  1. Click the SMS OTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to SMS OTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Specify the mobile number in Phone number.

  5. Click Save.

    A message Authenticator "SMS OTP" has been added is displayed.

Authenticate to the Windows Workstation Using Advanced Authentication

  1. Switch ON the Windows workstation.

    The Sign in screen is displayed.

  2. Specify the user name.

    Ensure that the FIDO U2F device is plugged into the workstation.

  3. Touch the FIDO U2F button when there is a flash on the device.

  4. Specify the OTP that is sent to the phone.

    Sussane gets authenticated to the Windows workstation successfully.