Windows Workstation MFA Agent
Overview
1Kosmos integrates adaptive authentication into the Windows login experience, allowing community administrators to set up customized authentication workflows based on users, groups, and machines. The new Windows Workstation MFA agent enhances the security posture of Windows desktop computers by using multifactor authentication methods such as OTP, push notifications, QR codes, and FIDO to authenticate users.
The Windows Workstation MFA agent adds an extra layer of security to the Windows sign-in process by asking users for additional authentication before granting access to the computer. Once the agent is configured and deployed, administrators can require one or more authentication methods that users must complete to verify their identity.
Authentication can be initiated from either the User tile or the Other User tile. The Windows Workstation MFA agent directly presents the login factors when using the User tile. In contrast, if the Other User tile is selected, the Windows Workstation MFA agent prompts the user to enter their username first, followed by additional authentication factors.
Features and Benefits of the Windows Workstation MFA Agent
The Windows Workstation MFA agent offers the following salient features and benefits:
- Customizable MFA policies - Administrators can configure the MFA methods required for users in specific roles across departments within the organization, with minimal intervention from the IT support team.
- Configure Access Management for Shared Accounts - Windows Workstation MFA displays a list of shared accounts available for authentication based on the user's authorization level. When a user selects a specific shared account to log in, administrators can track which user accessed that account. This simplifies access management and streamlines the login process for accounts used collaboratively or across various devices and environments.
- Local Account for Emergency Access - Administrators can log in using local accounts, providing a break-glass option for configuration or maintenance. Since these local accounts do not support MFA or passwordless authentication through BlockID, administrators must use passwords to log in.
- Ensure Offline MFA Support - Users can log in to the system without internet access or when the platform is unavailable. An Account TOTP from the BlockID app is required for the offline login. Support for offline logins allows uninterrupted access without needing a password in offline scenarios.
Note: The username entered during offline login is case-sensitive. If the username is entered with a different case than it appears in Active Directory, the account OTP will not work.
- Match MFA Method to Regulations and Risk - Windows Workstation MFA supports different multi-factor authentication (MFA) methods, such as Mobile TOTP, FIDO (single-user keys, multi-user keys), QR, and Push Notification. As regulations evolve, organizations can adapt to the appropriate MFA strategy without overhauling their entire system.
Before You Begin
Ensure you meet the following system requirements and establish a community setup.
- RAM: 8 GB
- Processor: 2.5 GHz (4 CPU cores)
- Disk Storage: 80 GB
- .NET Framework: 4.7.2
- VC++ Redistributable: 2015-2022
Supported Operating Systems
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows 11
- Windows 10
Reach out to your 1Kosmos customer representative to set up a community where the Windows Workstation MFA agent must be run.
Installing BlockID Windows Workstation MFA Agent
The administrator can install the Windows Workstation MFA agent on the target machine either manually or automatically through the batch script. The installer package received from 1Kosmos consists of the following files:
- BlockIDCredentialProvider-<version>.exe
- BlockIDInstaller.bat
- config.json
- REGCONFIG
Manual Installation of the Windows Workstation MFA Agent
You can use the BlockIDCredentialProvider-<version>.exe file to manually install the BlockID Windows Workstation MFA by following these steps:
- Update the config.json file with the tenant/community details. Add proxy details if the workstation reaches the platform through a proxy.
- Double-click the BlockIDCredentialProvider-<version>.exe file received from 1Kosmos. The setup wizard is displayed. This step requires administrator privileges.
- Accept the agreement and click Next.
- Check the installation location and click Next.
- Click Install to begin installing the BlockID Windows Workstation MFA agent on your system.
- After the installation is complete, restart the workstation. You can choose to restart immediately or later. Click Finish.
Configuring config.json file
The config.json file is included with the installer archive. When an admin updates this file and runs the installer, the installer automatically detects the JSON file and applies its configuration to the installation location.
You can also update config.json after installation. The path to the file is C:\Program Files\1Kosmos\BlockIDCredentialProvider\config.json.
The structure of the config file is as follows:
{
  "tenantUrl": "",
  "communityName": "",
  "proxyUrl": "",
  "proxyUsername": "",
  "proxyPassword": ""
}
Note: proxyPassword is stored in clear text in this file, so restrict the file's NTFS permissions to the accounts that need to read it.
The following table provides information on the parameters of the config file:
Parameter | Description | Sample Value |
---|---|---|
tenantUrl | Tenant URL used to connect to the 1Kosmos platform | acme@1kosmos.net |
communityName | Name of the community | default |
proxyUrl | URL of the proxy server | http://12.12.12.12:8083/proxy.pac |
proxyUsername | Username, in case of an authenticated proxy | username |
proxyPassword | Password, in case of an authenticated proxy | P@ssWorD11 |
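The following PowerShell is an added example, not part of the 1Kosmos package, that writes config.json with the keys shown above, checks the values before deployment, and restricts the file's permissions because proxyPassword is stored in clear text. It assumes the tenant URL is an https URL and defaults -ConfigPath to the installed location documented above; point it at the extracted package folder instead if you pre-seed the file before running the installer. The function name and all sample values are placeholders.

```powershell
# Added example, not 1Kosmos code. Builds config.json for the Windows Workstation
# MFA agent, validates the values that are easy to get wrong, and restricts the
# file's ACL because proxyPassword is stored in clear text.
# Assumptions: tenant URLs are https; the default path is the documented install
# location; every sample value in the usage line is a placeholder.

function New-BlockIdConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantUrl,
        [Parameter(Mandatory)] [string] $CommunityName,
        [string] $ProxyUrl      = '',
        [string] $ProxyUsername = '',
        [string] $ProxyPassword = '',
        [string] $ConfigPath    = 'C:\Program Files\1Kosmos\BlockIDCredentialProvider\config.json'
    )

    # Catch typos such as http:// or an e-mail-style value before the agent ships.
    $uri = $null
    if (-not [Uri]::TryCreate($TenantUrl, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        throw "tenantUrl must be an absolute https:// URL, got '$TenantUrl'"
    }
    if ($CommunityName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "communityName '$CommunityName' contains unexpected characters"
    }
    # An authenticated proxy needs both halves; one without the other is a misconfiguration.
    if ([bool]$ProxyUsername -ne [bool]$ProxyPassword) {
        throw 'proxyUsername and proxyPassword must be set together or both left empty'
    }

    # Key order matches the structure documented above.
    $config = [ordered]@{
        tenantUrl     = $TenantUrl
        communityName = $CommunityName
        proxyUrl      = $ProxyUrl
        proxyUsername = $ProxyUsername
        proxyPassword = $ProxyPassword
    }
    $json = $config | ConvertTo-Json
    # UTF-8 without BOM: a BOM at offset 0 trips up some JSON parsers.
    [IO.File]::WriteAllText($ConfigPath, $json, [Text.UTF8Encoding]::new($false))

    # proxyPassword is clear text on disk: stop inheriting the folder ACL and
    # leave only SYSTEM (which runs the logon UI) and Administrators with access.
    $acl = Get-Acl -Path $ConfigPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $ConfigPath -AclObject $acl
    Write-Verbose "Wrote $ConfigPath with restricted ACL"
    return $ConfigPath
}

# Usage (placeholder tenant and community):
# New-BlockIdConfig -TenantUrl 'https://acme.1kosmos.net' -CommunityName 'default' -Verbose
```

Run it from an elevated PowerShell session; changing the ACL under Program Files requires administrator rights, as does the installer itself.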
Automatic Installation of the Windows Workstation MFA Agent
The administrator can automatically run the batch script to install the Windows Workstation MFA agent. Additionally, the administrator can use the REGCONFIG file available in the installer package to configure registry settings for the vault or offline login during the installation process.
To install the Windows Workstation MFA agent, follow these steps:
- Download the installer zip file to your local drive.
- Extract the contents of the zip.
- Launch the command prompt and navigate to the path where the zip was extracted.
- Run the BlockIDInstaller.bat -install <installer filename> command.
Sample Command:
BlockIDInstaller.bat -install BlockIDCredentialProvider-<version>.exe
To configure the Vault details during the installation, follow these steps:
- In the installer package, open the REGCONFIG file.
- Add the CyberArk connection details as key=value lines, as shown below:
VaultUrl=sampleurl
VaultUser=sampleuser
VaultUserCredential=samplecred
The following table illustrates sample values:
Registry Key | Registry Type | Sample Value |
---|---|---|
VaultUrl | REG_SZ | sampletest.privilegecloud.cyberark.com |
VaultUser | REG_SZ | svc_account |
VaultUserCredential | REG_SZ | Pa$$worD101# |
CommunitySeed_${DNS}_${CommunityName} | REG_SZ | Community seed copied from AdminX to enable offline logins |
- Save the REGCONFIG file.
- Run the following command in the command prompt:
BlockIDInstaller.bat -configure REGCONFIG
To install the Windows Workstation MFA agent and configure the Vault details simultaneously, run the command as follows:
BlockIDInstaller.bat -install BlockIDCredentialProvider-<version>.exe -configure REGCONFIG -restart
Here,
- The -configure directive adds the registry settings from the REGCONFIG file.
- The -restart flag restarts the system after installation.
- The batch script will not function if any value in the REGCONFIG file contains a quotation mark. For instance, the VaultUserCredential password must not contain a quotation mark.
- The script can also be run to upgrade an existing Windows Workstation MFA agent installation.
- You can include the -restart flag when running the script so that the workstation restarts automatically once installation or uninstallation completes.
- If config.json is in the same folder as the installer during installation, its configuration is applied automatically.
- The install and uninstall commands cannot be combined in a single invocation.
- The input file passed to -configure is deleted automatically once the configuration has been applied.
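The following PowerShell is an added example, not part of the 1Kosmos installer package. It generates REGCONFIG from a hashtable and refuses any value containing a quotation mark (which the batch script does not tolerate), then runs BlockIDInstaller.bat with -install, -configure and -restart from the package folder so that a config.json placed beside the installer is picked up. The registry key names are those documented above; the function names, the folder paths and the vault values in the usage lines are placeholders, and the community seed key name assumes the ${DNS} and ${CommunityName} substitutions of a fictitious tenant.

```powershell
# Added example, not 1Kosmos code. Writes REGCONFIG safely and drives the
# documented batch-script install. Paths and vault values are placeholders.

function New-RegConfig {
    param(
        [Parameter(Mandatory)] [hashtable] $Values,
        [Parameter(Mandatory)] [string] $Path
    )
    $lines = foreach ($key in $Values.Keys) {
        $value = [string]$Values[$key]
        # Quotes anywhere break the batch script; fail early rather than
        # produce a file that silently misconfigures the agent.
        if ($key -match '["'']' -or $value -match '["'']') {
            throw "REGCONFIG value for '$key' must not contain quotation marks"
        }
        if ($value -match '[\r\n]') {
            throw "REGCONFIG value for '$key' must be a single line"
        }
        "$key=$value"
    }
    # ASCII, CRLF, no BOM: what cmd.exe-based batch parsing expects.
    [IO.File]::WriteAllText($Path, ($lines -join "`r`n") + "`r`n", [Text.Encoding]::ASCII)
    return $Path
}

function Install-BlockIdAgent {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,     # folder the zip was extracted to
        [Parameter(Mandatory)] [string] $RegConfigPath,  # file produced by New-RegConfig
        [switch] $Restart
    )
    $installer = Get-ChildItem -Path $PackageDir -Filter 'BlockIDCredentialProvider-*.exe' |
                 Select-Object -First 1
    if (-not $installer) { throw "No BlockIDCredentialProvider-<version>.exe in $PackageDir" }

    # Arguments are passed unquoted because quotes break the batch script, so the
    # package folder and REGCONFIG path must not contain spaces.
    $batArgs = @('-install', $installer.Name, '-configure', $RegConfigPath)
    if ($Restart) { $batArgs += '-restart' }

    # Run from the package folder: config.json beside the installer is then applied
    # automatically, and the script's relative paths resolve.
    Push-Location $PackageDir
    try {
        & cmd.exe /c "BlockIDInstaller.bat $($batArgs -join ' ')"
        if ($LASTEXITCODE -ne 0) { throw "BlockIDInstaller.bat exited with code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
    # The batch script deletes the -configure input file once applied; make sure
    # no clear-text copy of the vault credential lingers if that did not happen.
    if (Test-Path $RegConfigPath) { Remove-Item $RegConfigPath -Force }
}

# Usage (placeholder values; prompt for the vault credential instead of hard-coding it):
# $secure = Read-Host -AsSecureString 'Vault service-account password'
# $plain  = [Net.NetworkCredential]::new('', $secure).Password
# $reg = New-RegConfig -Path 'C:\BlockID\REGCONFIG' -Values @{
#     VaultUrl            = 'sampletest.privilegecloud.cyberark.com'
#     VaultUser           = 'svc_account'
#     VaultUserCredential = $plain
#     'CommunitySeed_acme.1kosmos.net_default' = '<seed copied from AdminX>'
# }
# Install-BlockIdAgent -PackageDir 'C:\BlockID' -RegConfigPath $reg -Restart
```

Because the REGCONFIG file carries the vault service-account credential in clear text, generate it on the target machine immediately before the install rather than shipping it inside the package.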
Managing Adaptive Auth Journey For Windows Workstation MFA
The Windows Workstation MFA agent utilizes the Adaptive Authentication framework, allowing administrators to customize the authentication journeys for specific users or groups. Depending on the authentication journey configured, the Windows Workstation MFA displays the appropriate options for multi-factor authentication (MFA).
The following screenshot illustrates the display of the MFA options in the login screen based on the configured auth journey:
The following are the supported MFA options:
- Login with password and OTP
- Login with BlockID TOTP
- Login with QR
- Login with Push Notification
- Login with FIDO
- Login with 1Key
Authentication Matrix
The following table provides details of the supported authentication types and their corresponding MFA methods for Windows Workstation MFA.
Authentication Type | Authentication Scheme | Supported Capability |
---|---|---|
Workstation Login | Password + TOTP/FIDO/QR/Push | MFA with Password |
Workstation Login | TOTP/FIDO/QR/Push | Passwordless MFA |
Workstation Login using Alias | Password + TOTP/FIDO/QR/Push | MFA with Password |
RDP Login | Password + TOTP/FIDO/QR/Push | MFA with Password |
Run As | Password + TOTP/FIDO/QR/Push | MFA with Password |
Offline login | Password + Account OTP | MFA with Password |
Offline login | Account OTP | Passwordless |
Local Account Login | Password | Password |
Login Via Password and OTP
The Windows Workstation MFA agent supports logging in with a password combined with an OTP.
To log in to your system using a password and OTP mechanism, follow these steps:
- Click the username tile on the workstation's login screen (as shown below) and click the BlockID icon.
- In the Sign In – Choose an authentication method screen, click Password.
- In the Sign In – Enter your password screen, specify your password and click ->.
- In the Sign In – Enter your verification code screen, enter the one-time code from the BlockID authenticator and press Enter.
The user will be logged into the system after successful authentication.
Login via QR
The Windows Workstation MFA agent supports logging in with a QR code from both the User tile and the Other User tile. When logging in from the User tile, the Choose Authentication Method page is displayed, where users can opt to log in via QR code.
When the user starts their journey from the other user tile, the QR code pops up, and it can be scanned by any persona from the BlockID mobile application. Users can also select the QR option to log in after entering their username.
To log in using QR, follow these steps:
- In the login screen, select a user tile and click Sign-in options.
- Click the BlockID option.
- In the Sign In – Choose an authentication method screen, click QR.
- Scan the QR code using the BlockID mobile application.
After successfully authenticating the QR code, the user can log into the system.
Login via Push
The Windows Workstation MFA agent allows push notifications to be used as a factor to log in to the workstation. When logging in from the User tile, the Choose Authentication Method page is displayed, where users can opt to log in via push notification. When the user starts their journey from the Other User tile, they must enter their username first.
To log in using push, follow these steps:
- In the login screen, click the username tile and click Sign-in options.
- Click the BlockID option. The username is displayed; press Enter.
- In the Sign In – Choose an authentication method screen, click Push Notification.
The Approve your Sign In page alerts users to accept the push notification on their mobile app to log in.
After the successful authentication through push, the user can log into the system.
Login to Remote Server Through Remote Desktop Connection (RDP)
The Windows Workstation MFA agent provides the capability to authenticate users on the Remote Desktop Connection (RDP) machines without the need to install Windows Workstation MFA, streamlining the login process and enhancing security.
Let us consider a scenario in which John logs into the system and must authenticate as an administrator to a remote Windows server through RDP. In this case, John can use the Login with BlockID option on the host system to log in to the remote server.
To perform the authentication through RDP, follow these steps:
- From your host machine, start the Remote Desktop Connection client.
- Enter the remote server's IP address or hostname in the Computer field as shown below and click Connect.
- In the RDP window, click the Login with BlockID option.
- On the Sign In page, enter the username of the account you want to use to log in to the remote server.
- Select the authentication option: enter the password and the one-time code from the authenticator (or any other factor enabled for MFA).
Note: For RDP logins, the password is always required alongside the selected MFA method so that the remote user can log in to the system. This approach does not require installing the BlockID Windows Workstation MFA agent on the remote server. You can also enforce MFA on the remote servers by installing BlockID there. The login flow in that case is:
- Initiate RDP on the laptop/desktop.
- Provide username and password.
- On the remote server screen, BlockID pops up.
- Provide MFA (OTP, Push, or QR) on the remote server. The user gets logged in.
Run As Different User
The Windows Workstation MFA agent allows users to launch an application as a different user with elevated privileges or as an administrator.
For example, if you want to run CMD as a different user:
- Navigate to the Command Prompt application and right-click on it to select Run as different user.
- In the Run as different user window, click More options -> Login with BlockID.
- In the Enter your username screen, enter the username and click Submit.
- Select an MFA option from the menu.
- Once done, provide the password for the user account. The application launches with the permissions of the username provided.
Login With 1Key/FIDO
The Windows Workstation MFA agent also allows users to log in with a 1Key (in either multi-user or single-user configuration) or with a FIDO security key. If FIDO has been configured as an MFA method in the adaptive auth journey, the option to log in using a security key is displayed to users during authentication.
To login with 1Key, follow these steps:
- Select the BlockID option on the login screen.
- In the Choose an authentication method screen, click Security Key. You will be prompted to connect your 1Key.
- Provide a registered fingerprint on the 1Key. The user is now logged in.
A PIN is not required for biometric keys such as 1Key. For other security keys, users are prompted to enter their security key PIN.
Uninstalling Windows Workstation MFA Agent
If you'd like to remove the Windows Workstation MFA agent from your system manually, follow these steps:
- Navigate to the Windows Control Panel > Programs and Features applet.
- Select the BlockIDCredentialProvider-<version>.exe entry in the list and click Uninstall.
To uninstall the Windows Workstation MFA agent through batch script, run the following command:
BlockIDInstaller.bat -uninstall
Frequently Asked Questions
Q. Does the Windows Workstation MFA agent work with third-party disk encryption software or other credential providers?
A. The Windows Workstation MFA agent permits the use of Trellix Drive Encryption (TDE) on workstations, subject to organizational policies and guidelines. However, you must update your registry settings to allow-list TDE, because third-party credential providers are otherwise blocked during system startup or restart.
Q. Which Vault does the Windows Workstation MFA agent support?
A. The Windows Workstation MFA agent supports fetching passwords for service accounts only from CyberArk vaults.
Q. Where do I configure the Vault details?
A. You configure the CyberArk connection details in the Windows Workstation MFA agent's registry key: the vault URL, the vault service account, and that account's credential. On its next launch after the vault details are updated, the 1Kosmos Windows MFA agent reads these values from the registry and encrypts them. Until that launch the credential sits in the registry in clear text, so apply the update immediately before a restart and limit who can read the key. Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}
Q. How do I update the registry?
A. The registry can be updated through an SCCM or GPO policy by the organization, or through the BlockIDInstaller.bat script with the -configure directive.
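The following PowerShell is an added example, not 1Kosmos code, that reads the registry key given above and reports whether the credential provider is registered and which vault and offline-login values are present, without echoing the credential itself. The CLSID is the one documented on this page and the value names are those from the REGCONFIG table; the check of the CLSID's InprocServer32 entry assumes the agent is registered as a standard COM credential provider, which is how Windows loads credential providers. Nothing in it writes to the registry, so it is safe to run as a post-deployment check or as a compliance item in SCCM.

```powershell
# Added example, not 1Kosmos code. Read-only state check for the Windows
# Workstation MFA agent's registry configuration. CLSID from the documentation;
# value names from the REGCONFIG table. The InprocServer32 lookup assumes the
# standard COM registration that every Windows credential provider uses.

function Get-BlockIdAgentState {
    $clsid       = '{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}'
    $providerKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$clsid"
    $classKey    = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"

    $state = [ordered]@{
        ProviderRegistered = Test-Path $providerKey
        ProviderDll        = $null
        VaultUrl           = $null
        VaultUser          = $null
        VaultCredentialSet = $false   # presence only; the value is never printed
        OfflineSeedKeys    = @()
    }
    if (-not $state.ProviderRegistered) { return [pscustomobject]$state }

    # The CLSID under Credential Providers maps to the provider DLL via HKLM\SOFTWARE\Classes.
    if (Test-Path $classKey) {
        $state.ProviderDll = (Get-ItemProperty -Path $classKey).'(default)'
    }

    $props = Get-ItemProperty -Path $providerKey
    $state.VaultUrl  = $props.VaultUrl
    $state.VaultUser = $props.VaultUser
    $state.VaultCredentialSet = -not [string]::IsNullOrEmpty($props.VaultUserCredential)
    # Offline logins need a CommunitySeed_<DNS>_<CommunityName> value; list the names found.
    $state.OfflineSeedKeys = @($props.PSObject.Properties.Name | Where-Object { $_ -like 'CommunitySeed_*' })
    return [pscustomobject]$state
}

# Usage:
# Get-BlockIdAgentState | Format-List
```

A result with ProviderRegistered true but VaultCredentialSet false means -configure was never applied (or the REGCONFIG file was rejected, for example because a value contained a quote); an empty OfflineSeedKeys list means offline login with an Account OTP will not work on that machine.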
Appendix
If you are using the earlier version of Windows Workstation and would like to learn more about it, see Workstation Login for Windows.