Windows Workstation MFA Agent

Overview

1Kosmos integrates adaptive authentication into the Windows login experience, allowing community administrators to set up customized authentication workflows based on users, groups, and machines. The new Windows Workstation MFA agent enhances the security posture of Windows desktop computers by using multifactor authentication methods such as OTP, push notifications, QR codes, and FIDO to authenticate users.

The Windows Workstation MFA agent adds an extra layer of security to the Windows sign-in process by asking users for additional authentication before granting access to the computer. Once the agent is configured and deployed, administrators can set up one or more authentication methods that users must complete to verify their identity.

Authentication can be initiated from either the User tile or the Other User tile. The Windows Workstation MFA agent directly presents the login factors when using the User tile. In contrast, if the Other User tile is selected, the Windows Workstation MFA agent prompts the user to enter their username first, followed by additional authentication factors.

Features and Benefits of the Windows Workstation MFA Agent

The Windows Workstation MFA agent offers the following salient features and benefits:

  • Customizable MFA policies - Administrators can configure the necessary MFA methods tailored to users in specific roles across departments within the organization, requiring minimal intervention from the IT support team.

  • Configure Access Management for Shared Accounts – Windows Workstation MFA displays a list of shared accounts available for authentication based on the user’s authorization level. When a user selects a specific shared account to log in, administrators can easily track which user is accessing that account. This feature simplifies access management and streamlines the login process, making it easier to manage credentials for accounts used collaboratively or across various devices and environments among employees.

  • Local Account for Emergency Access – Administrators can log in using local accounts, providing a break-glass option for configuration or maintenance. Since these local accounts do not support MFA or passwordless authentication through BlockID, administrators must use passwords to log in.

  • Ensure Offline MFA Support – Administrators can log into the system without internet access or when the platform is unavailable. An Account TOTP from the BlockID app is required to facilitate the offline login. 1Kosmos Windows Workstation MFA's support for offline logins allows uninterrupted access without needing a password in offline scenarios.

    Note: The username entered during offline login is case-sensitive. If the username is entered with a different case than it appears in Active Directory, the account OTP will not work.

  • Match MFA Method to Regulations and Risk - Windows Workstation MFA offers the flexibility of supporting different multi-factor authentication (MFA) methods, such as Mobile TOTP, FIDO (single user keys, multi user keys), QR, and Push Notification. As regulations evolve, organizations can quickly adapt to the appropriate MFA strategies without overhauling their entire system.

Before You Begin

Ensure you meet the following system requirements and establish a community setup.

  • RAM: 8 GB
  • Processor: 2.5 GHz (4 CPU cores)
  • Disk Storage: 80 GB
  • .NET Framework: 4.7.2
  • VC++ Redistributable: 2015-2022

Supported Operating Systems

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows 11
  • Windows 10

Note: Reach out to your 1Kosmos customer representative to set up a community where the Windows Workstation MFA agent must be run.

Installing BlockID Windows Workstation MFA Agent

The administrator can install the Windows Workstation MFA agent on a machine either manually or automatically through the batch script. The installer package received from 1Kosmos consists of the following files:

  • BlockIDCredentialProvider-<version>.exe
  • BlockIDInstaller.bat
  • config.json
  • REGCONFIG

Manual Installation of the Windows Workstation MFA Agent

You can use the BlockIDCredentialProvider-<version>.exe file to manually install the BlockID Windows Workstation MFA by following these steps:

  1. Update the config.json file with the tenant/community details. You can also add proxy details.

  2. Double-click the BlockIDCredentialProvider-<version>.exe file received from 1Kosmos. The setup wizard is displayed. This step requires administrator privileges.

  3. Accept the agreement and click Next.

  4. Check the installation location and click Next.

  5. Click Install to begin the installation of the BlockID Windows Workstation MFA in your system.

  6. After the installation is complete, you will need to restart the workstation. You can choose to restart immediately or later. Click Finish.

Configuring config.json file

The config.json file is included with the installer archive. When an admin updates this file and runs the installer, the installer automatically detects the JSON file and applies its configuration to the installation location.

You can even update the config.json after installation. The path to the file is: C:\Program Files\1Kosmos\BlockIDCredentialProvider\config.json.

The structure of the config file is as follows:

  {
    "tenantUrl": "",
    "communityName": "",
    "proxyUrl": "",
    "proxyUsername": "",
    "proxyPassword": ""
  }

The following table provides information on the parameters of the config file:

  Parameter       Description                                                  Sample Value
  tenantUrl       Contains the Tenant URL to connect to the 1Kosmos platform.  acme@1kosmos.net
  communityName   Contains the name of the community.                          default
  proxyUrl        URL of the proxy server.                                     http://12.12.12.12:8083/proxy.pac
  proxyUsername   Username in case of authenticated proxy.                     username
  proxyPassword   Password in case of authenticated proxy.                     P@ssWorD11
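The following PowerShell script is an added example, not code shipped by 1Kosmos: it writes a config.json with exactly the keys documented above into the folder where the installer will pick it up, checks the two values the agent cannot do without, and restricts the file's ACL because proxyPassword is stored in clear text. The staging folder, the tenant URL and the UTF-8-without-BOM choice are assumptions made for the example.

```powershell
# Added example: build and sanity-check config.json for the Windows Workstation MFA agent.
# Not 1Kosmos code; the staging folder and all values below are placeholders.

$stagingDir = 'C:\Temp\BlockIDInstaller'   # assumed: folder holding BlockIDInstaller.bat and the .exe
$configPath = Join-Path $stagingDir 'config.json'
New-Item -ItemType Directory -Path $stagingDir -Force | Out-Null

# Keys exactly as documented; leave the proxy fields empty when no proxy is used.
$config = [ordered]@{
    tenantUrl     = 'https://acme.1kosmos.net'   # placeholder tenant URL, replace with your own
    communityName = 'default'
    proxyUrl      = ''
    proxyUsername = ''
    proxyPassword = ''
}

# Pre-flight checks for the mistakes most likely to break the first login.
foreach ($key in 'tenantUrl', 'communityName') {
    if ([string]::IsNullOrWhiteSpace($config[$key])) { throw "config.json: '$key' must not be empty" }
}
if ($config.tenantUrl -notmatch '^https://') {
    Write-Warning 'tenantUrl does not start with https://; verify the value with 1Kosmos'
}
if ($config.proxyUrl -and [string]::IsNullOrWhiteSpace($config.proxyUsername)) {
    Write-Verbose 'Proxy configured without credentials (unauthenticated proxy)'
}

# Write UTF-8 without a byte-order mark (assumption: safest for a JSON parser).
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($configPath, ($config | ConvertTo-Json), $utf8NoBom)

# The file may carry a proxy password in clear text: limit read access to Administrators and SYSTEM.
# (Hardening step added in this example; not a documented 1Kosmos requirement.)
$acl = Get-Acl -Path $configPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the folder
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $configPath -AclObject $acl

# Round-trip: re-read the file and confirm only the documented keys are present.
$parsed  = Get-Content -Path $configPath -Raw | ConvertFrom-Json
$unknown = $parsed.PSObject.Properties.Name | Where-Object { $_ -notin $config.Keys }
if ($unknown) { throw "config.json contains undocumented keys: $($unknown -join ', ')" }
Write-Host "config.json written to $configPath"
```

Run the script from an elevated PowerShell session before launching the installer; the same file can later be copied over C:\Program Files\1Kosmos\BlockIDCredentialProvider\config.json when the tenant or proxy details change.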

Automatic Installation of the Windows Workstation MFA Agent

The administrator can automatically run the batch script to install the Windows Workstation MFA agent. Additionally, the administrator can use the REGCONFIG file available in the installer package to configure registry settings for the vault or offline login during the installation process.

To install the Windows Workstation MFA agent, follow these steps:

  1. Download the installer zip file into your local drive.
  2. Extract the contents of the zip.
  3. Launch the command prompt and navigate to the path where the zip was extracted.
  4. Run the BlockIDInstaller.bat -install <installer filename> command.

Sample Command:

BlockIDInstaller.bat -install BlockIDCredentialProvider-<version>.exe

To configure the Vault details during the installation, follow these steps:

  1. In the Installer package, open the REGCONFIG file.

  2. Add the appropriate CyberArk connection details in the registry as shown below:

    VaultUrl=sampleurl
    VaultUser=sampleuser
    VaultUserCredential=samplecred

    The following table illustrates sample values:

    Registry Key                              Registry Type   Registry Sample Value
    VaultUrl                                  REG_SZ          sampletest.privilegecloud.cyberark.com
    VaultUser                                 REG_SZ          svc_account
    VaultUserCredential                       REG_SZ          Pa$$worD101#
    CommunitySeed_${DNS}_${CommunityName}     REG_SZ          Community seed copied from AdminX to enable offline logins

  3. Save the REGCONFIG file.

  4. Run the following command in the command prompt:

    BlockIDInstaller.bat -configure REGCONFIG

To install the Windows Workstation MFA agent and configure the Vault details simultaneously, run the command as follows:

BlockIDInstaller.bat -install BlockIDCredentialProvider-<version>.exe -configure REGCONFIG -restart

Here,

  • The -configure command adds the registry settings from the REGCONFIG file.
  • The -restart flag is to restart the system after installation.

Note:

  • The batch script will not function if any configuration in the REGCONFIG file includes a quotation mark anywhere. For instance, the VaultUserCredential password value must not contain a quotation mark.
  • The script can also be executed to upgrade an existing Windows Workstation MFA agent installation.
  • You can include the -restart flag when running the script so that the workstation restarts automatically after the installation or uninstallation process is complete.
  • If the config.json file is in the same folder as the installer during installation, its configuration is applied automatically. The uninstall and install commands cannot be executed in the same run. The input file is automatically deleted once the configuration is completed using the -configure command.
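The following PowerShell script is an added example rather than 1Kosmos code. It performs the pre-flight checks an administrator would want before running the combined install-and-configure command documented above: it rejects any quotation mark in REGCONFIG (the documented cause of the batch script failing), enforces the Key=Value shape, requires the three vault keys, warns when no CommunitySeed_* entry is present for offline login, and only then invokes BlockIDInstaller.bat. The staging folder and the $restartAfterInstall switch are assumptions for the example; the installer flags are the ones the page documents.

```powershell
# Added example: pre-flight check of REGCONFIG, then the documented install + configure command.
# Not 1Kosmos code. Assumes the installer package was extracted to $stagingDir and that
# REGCONFIG holds one Key=Value pair per line, as in the sample above.

$stagingDir          = 'C:\Temp\BlockIDInstaller'   # assumed extraction folder
$restartAfterInstall = $false                       # set to $true to append the -restart flag
$regConfigPath       = Join-Path $stagingDir 'REGCONFIG'

$installerExe = Get-ChildItem -Path $stagingDir -Filter 'BlockIDCredentialProvider-*.exe' | Select-Object -First 1
if (-not $installerExe) { throw "No BlockIDCredentialProvider-<version>.exe found in $stagingDir" }

$requiredKeys = 'VaultUrl', 'VaultUser', 'VaultUserCredential'
$seen   = @{}
$errors = New-Object System.Collections.Generic.List[string]
$lineNo = 0

foreach ($line in Get-Content -Path $regConfigPath) {
    $lineNo++
    if ($line.Trim() -eq '') { continue }

    # Documented limitation: a quotation mark anywhere in the file breaks BlockIDInstaller.bat.
    if ($line.Contains('"')) {
        $errors.Add("line ${lineNo}: quotation marks are not allowed anywhere in REGCONFIG")
        continue
    }
    # Anything that is not Key=Value would be misread by the batch script.
    # The offending line is deliberately not echoed: it may contain the vault credential.
    if ($line -match '^\s*([^=\s]+)\s*=(.*)$') {
        $key, $value = $Matches[1], $Matches[2]
    } else {
        $errors.Add("line ${lineNo}: expected Key=Value")
        continue
    }
    if ($seen.ContainsKey($key)) { $errors.Add("line ${lineNo}: duplicate key '$key'") }
    if ($value.Trim() -eq '')   { $errors.Add("line ${lineNo}: empty value for '$key'") }
    $seen[$key] = $value
}

foreach ($key in $requiredKeys) {
    if (-not $seen.ContainsKey($key)) { $errors.Add("missing required key '$key'") }
}
if (-not ($seen.Keys | Where-Object { $_ -like 'CommunitySeed_*' })) {
    Write-Warning 'No CommunitySeed_* entry: offline login (Account OTP) will not be enabled'
}

if ($errors.Count -gt 0) {
    $errors | ForEach-Object { Write-Error $_ }
    throw 'REGCONFIG validation failed; fix the file before running the installer'
}

# Validation passed: run the combined command from the page. REGCONFIG carries the vault
# credential in clear text and the script deletes it after -configure, so keep no extra copies.
$installerArgs = @('-install', $installerExe.Name, '-configure', 'REGCONFIG')
if ($restartAfterInstall) { $installerArgs += '-restart' }
Push-Location $stagingDir
try     { & .\BlockIDInstaller.bat @installerArgs }
finally { Pop-Location }
```

The quote check is a plain substring test rather than a regex so that a value such as Pa$$worD101# (special characters but no quotes) passes, while any single stray quotation mark is caught before the batch script can misparse it.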

Managing Adaptive Auth Journey For Windows Workstation MFA

The Windows Workstation MFA agent utilizes the Adaptive Authentication framework, allowing administrators to customize the authentication journeys for specific users or groups. Depending on the authentication journey configured, the Windows Workstation MFA displays the appropriate options for multi-factor authentication (MFA).

The following screenshot illustrates the display of the MFA options in the login screen based on the configured auth journey:

The following are the supported MFA options:

  • Login with password and OTP
  • Login with BlockID TOTP
  • Login with QR
  • Login with Push Notification
  • Login with FIDO
  • Login with 1Key

Authentication Matrix

The following table provides details of the supported authentication types and their corresponding MFA methods for Windows Workstation MFA.

Authentication TypeAuthentication SchemeSupported Capability
Workstation LoginPassword + TOTP/FIDO/QR/PushMFA with Password
Workstation LoginTOTP/FIDO/QR/PushPasswordless MFA
Workstation Login using AliasPassword + TOTP/FIDO/QR/PushMFA with Password
RDP LoginPassword + TOTP/FIDO/QR/PushMFA with Password
Run AsPassword + TOTP/FIDO/QR/PushMFA with Password
Offline loginPassword + Account OTPMFA with Password
Offline loginAccount OTPPasswordless
Local Account LoginPasswordPassword

Login Via Password and OTP

The Windows Workstation MFA agent supports logging in with both a password and an OTP.

To log in to your system using a password and OTP mechanism, follow these steps:

  1. Click on the username tile on the workstation's login screen (as shown below) and click the BlockID icon.

  2. In the Sign In – Choose an authentication method screen, click Password.

  3. In the Sign In – Enter your password screen, specify your password, and click ->.

  4. In the Sign In – Enter your verification code screen, enter the one-time code received from the BlockID authenticator, and press Enter.

The user will be logged into the system after successful authentication.

Login via QR

The Windows Workstation MFA agent offers the capability to log in using both password and OTP from the User and Other User tiles. When logging in from the User tile, the Choose Authentication Method page is displayed, where users can opt to log in via QR code.

When the user starts their journey from the other user tile, the QR code pops up, and it can be scanned by any persona from the BlockID mobile application. Users can also select the QR option to log in after entering their username.

To log in using QR, follow these steps:

  1. In the login screen, select a user tile and click Sign-in options.

  2. Click the BlockId option.

  3. In the Sign In – Choose an authentication method screen, click QR.

  4. Scan the QR using the BlockID mobile application.

After successfully authenticating the QR code, the user can log into the system.

Login via Push

The Windows Workstation MFA agent allows the usage of push notifications as a factor to log into the workstation. When logging in from the user tile, the Choose Authentication Method page is displayed, where users can opt to log in via QR code. When the user starts their journey from the other user tile, they must enter their username first.

To log in using push, follow these steps:

  1. In the login screen, click the username tile and click Sign-in options.

  2. Click the BlockId option. The username is displayed; press Enter.

  3. In the Sign In – Choose an authentication method screen, click Push Notification.

    The Approve your Sign In page alerts users to accept the push notification on their mobile app to log in.

After the successful authentication through push, the user can log into the system.

Login to Remote Server Through Remote Desktop Connection (RDP)

The Windows Workstation MFA agent provides the capability to authenticate users on the Remote Desktop Connection (RDP) machines without the need to install Windows Workstation MFA, streamlining the login process and enhancing security.

Let us consider a scenario in which John logs into the system and must authenticate as an administrator to a remote Windows server through RDP. In this case, John can use the Login with BlockID option on the host system to log in to the remote server.

To perform the authentication through RDP, follow these steps:

  1. From your host machine, start your RDP connection.

  2. Enter your IP address into the Computer field as shown below and click Connect.

  3. On the RDP window, click the Login with BlockID option.

  4. On the Sign In page, enter the username of the account you want to use to log in to the remote server.

  5. Select the authentication option – enter password and one-time code from the authenticator (or any other factor enabled for the MFA).

    Note: For RDP logins, the password is auto-enforced along with any other MFA method so that the remote user can successfully log in to the system. The above approach does not require installing the BlockID Windows Workstation MFA agent on the remote server. You can also enforce MFA on the remote servers by installing BlockID. The login flow in that case would be:

    1. Initiate RDP on the laptop/desktop.
    2. Provide username and password.
    3. On the remote server screen, BlockID pops up.
    4. Provide MFA (OTP, Push, or QR) on the remote server. The user gets logged in.

Run As Different User

The Windows Workstation MFA agent allows users to launch an application as a different user with elevated privileges or as an administrator.

For example, if you want to run CMD as a different user:

  1. Navigate to the Command Prompt application and right-click on it to select Run as different user.
  2. In the Run as different user window, click More options -> Login with BlockID.
  3. In the Enter your username screen, enter the username and click Submit.
  4. Select an MFA option from the menu.
  5. Once done, provide the password for the user account. The application launches with the permissions of the username provided.

Login With 1Key/FIDO

The Windows Workstation MFA agent also allows users to log in with the 1Key (in both multi-user and single-user configurations) and with FIDO keys. If FIDO has been configured as an MFA method in the adaptive auth journey, the option to log in using security keys is displayed to users during authentication.

To log in with 1Key, follow these steps:

  1. Select the BlockID option on the login screen.

  2. In the Choose an authentication method screen, click Security Key. You will be prompted to connect your 1Key.

  3. Provide a registered fingerprint on the 1Key. The user is now logged in.

A PIN is not required for biometric keys such as 1Key. However, users will be prompted to enter their security key PIN for other security keys.

Uninstalling Windows Workstation MFA Agent

If you'd like to remove the Windows Workstation MFA agent from your system manually, follow these steps:

  1. Navigate to the Windows Control Panel > Programs and Features applet.
  2. Click on the BlockIDCredentialProvider-<version>.exe program in the list and click Uninstall.

To uninstall the Windows Workstation MFA agent through batch script, run the following command:

BlockIDInstaller.bat -uninstall

Frequently Asked Questions

Q. Does the Windows Workstation MFA agent work with third-party disk encryption software or other credential providers?

A. The Windows Workstation MFA agent permits the use of Trellix Drive Encryption (TDE) on workstations as per organizational policies and guidelines. However, you must update your registry settings to whitelist the TDE, as third-party credential providers will be blocked during system startup or restart.

Q. Which Vault does the Windows Workstation MFA agent support?

A. The Windows Workstation MFA agent supports fetching passwords for service accounts only from CyberArk vaults.

Q. Where do I configure the Vault details?

A. You can configure the CyberArk connection details in the Windows Workstation MFA agent registry. This includes the vault URL, vault service account, and vault credentials. On the next launch after the vault details are updated, the 1Kosmos Windows MFA agent reads the data from the registry and encrypts it. Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}

Q. How do I update the registry?

A. The registry can be updated through an SCCM / GPO policy by the organization, or through the BlockIDInstaller.bat script with the -configure directive.
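As an added example (not 1Kosmos code), the PowerShell audit below reads the credential provider key at the registry path given above and reports whether the documented vault values and a CommunitySeed_* entry are present, without ever printing the credential itself. It also flags an ACL that lets a Users group read the key, because the vault credential sits there in clear text until the agent encrypts it on its next launch. Only the key path and value names documented on this page are used; the "readable by a Users group" heuristic is an assumption of the example.

```powershell
# Added example: post-install audit of the credential provider registry values.
# Not 1Kosmos code. Uses only the key path and value names documented on this page;
# CommunitySeed_* is matched by prefix because its DNS and community parts vary per tenant.

$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}'

function Get-BlockIdVaultConfig {
    if (-not (Test-Path -Path $cpKey)) {
        throw "Credential provider key not found: $cpKey (is the agent installed?)"
    }
    $props = Get-ItemProperty -Path $cpKey
    # Drop the PS* bookkeeping properties that Get-ItemProperty adds.
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    $known = 'VaultUrl', 'VaultUser', 'VaultUserCredential'

    [pscustomobject]@{
        VaultUrl           = $props.VaultUrl
        VaultUser          = $props.VaultUser
        # Report presence only; never surface the credential value.
        HasVaultCredential = -not [string]::IsNullOrEmpty($props.VaultUserCredential)
        CommunitySeeds     = @($names | Where-Object { $_ -like 'CommunitySeed_*' })
        OtherValues        = @($names | Where-Object { ($_ -notin $known) -and ($_ -notlike 'CommunitySeed_*') })
    }
}

$audit = Get-BlockIdVaultConfig
$audit | Format-List

# Findings a defender cares about.
if (-not $audit.VaultUrl) {
    Write-Warning 'VaultUrl not set: shared-account password fetch from CyberArk will not work'
}
if (-not $audit.CommunitySeeds) {
    Write-Warning 'No CommunitySeed_* value: offline login (Account OTP) is not enabled'
}
if ($audit.HasVaultCredential) {
    # The credential is stored here before the agent encrypts it on next launch (see the answer above),
    # so check who can query values under this key. Heuristic: any identity ending in "Users".
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
    $acl     = Get-Acl -Path $cpKey
    $readers = $acl.Access | Where-Object {
        ($_.IdentityReference -like '*Users') -and (($_.RegistryRights -band $queryValues) -ne 0)
    }
    if ($readers) {
        Write-Warning "Key readable by: $(($readers.IdentityReference | Select-Object -Unique) -join ', '); review the ACL"
    }
}
```

Run the audit from an elevated session after the agent has restarted at least once; a VaultUserCredential that is still present but readable by broad groups is worth revisiting with the SCCM / GPO policy that manages the key.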

Appendix

Note: If you are using the earlier version of Windows Workstation and would like to learn more about it, see Workstation Login for Windows.