4.0 Logging In to Authentication Agent for Windows

Authentication Agent for Windows enables you to perform multi-factor authentication on one device to get authorized access to another device on which it is not possible to display the user interface or connect any external authentication device. You can install the Authentication Agent for Windows on a workstation or a laptop running Microsoft Windows. When an authentication is initiated from a computer using a chain with the OOB method, the Authentication Agent for Windows on another computer launches a restricted browser, in which you must authenticate to access the Out-of-Band portal. In the Out-of-Band portal, accept the authentication request to authenticate successfully.

Scenario 1: Authenticating to a Linux computer using the Authentication Agent for Windows

Mark uses SSH to access a Linux computer. However, external devices such as a FIDO U2F token and a card reader are not supported in SSH. He cannot authenticate to the Linux computer because it is not possible to redirect the external devices. In this case, Mark can use the Authentication Agent for Windows to perform the authentication on a Windows computer and get seamless access to the Linux computer.

Consider the following setup:

  • The Windows computer has the Authentication Agent for Windows installed and is connected to external devices such as a FIDO U2F token and a card reader.

  • The Linux computer is not connected to the external devices.

The following sequence describes the authentication process using the Authentication Agent for Windows:

  1. Specify the user name and select the chain with the OOB method on the Linux computer.

    This initiates an authentication request.

  2. Authentication Agent for Windows launches a restricted browser.

  3. Select the chain with FIDO U2F and Card methods in the restricted browser to authenticate to the Out-of-Band portal.

  4. Perform the authentication using the FIDO U2F token and card reader in the restricted browser.

  5. An authentication request with Accept and Decline buttons is displayed on the portal.

  6. Click Accept.

    Mark is logged in to the Linux computer automatically.

Scenario 2: Authenticating to a Windows computer using the Authentication Agent for Windows

Thomas works on two Windows computers simultaneously. However, the external devices such as a FIDO U2F token and a card reader are connected to only one of the Windows computers. He cannot authenticate to the other computer because no external devices are connected to it and the external devices cannot be redirected. In this case, Thomas can use the Authentication Agent for Windows to perform the authentication on one Windows computer and get seamless access to the other Windows computer, which does not have external devices.

Consider the following setup:

  • Windows A is a computer with the Authentication Agent for Windows installed, and is connected to external devices such as a FIDO U2F token and a card reader.

  • Windows B is a computer without the external devices.

The following sequence describes the authentication process using the Authentication Agent:

  1. Specify the user name and select the chain with the OOB method on the Windows B computer.

  2. The Authentication Agent on the Windows A computer launches a restricted browser.

  3. Select the chain with FIDO U2F and Card methods in the restricted browser to authenticate to the Out-of-Band portal.

  4. Perform the authentication using the FIDO U2F token and card reader in the restricted browser.

  5. An authentication request with Accept and Decline buttons is displayed on the portal.

  6. Click Accept.

    Thomas is logged in to the Windows B computer automatically.

Logging In to Authentication Agent for Windows

Before you log in, ensure that you have installed the Authentication Agent for Windows.

You can log in to the Authentication Agent in one of the following ways:

  • Single Sign-on Login

  • Manual Login

Single Sign-on Login

If Windows Client is installed along with the Authentication Agent for Windows, you are automatically logged in to the Authentication Agent for Windows when you authenticate to Windows. Otherwise, when Windows is loading, you are prompted with an authentication request to log in manually. You must log in to authorize the Authentication Agent for Windows to receive any authentication request.

Manual Login

To log in to the Authentication Agent for Windows manually, perform the following steps:

  1. Right-click the Authentication Agent icon in the System Tray.

  2. Select Log on.

  3. Authenticate using the available chain in Windows.

    A prompt to select a category might appear if you have enrolled an authenticator for more than one category.

Advanced Authentication provides the following authenticators for logging in to Authentication Agent for Windows: