
Windows MFA

The InstaSafe Windows MFA feature is essentially a plugin that implements multi-factor authentication (MFA) as part of the Windows login, thereby providing an improved security posture. With the InstaSafe Windows MFA installed, users will be prompted to provide a secondary factor of authentication along with the password while doing a login to their Windows system. This approach adds an additional layer of security beyond just a username and password, making it significantly harder for unauthorized users to gain access.

Users will see the InstaSafe logo on the Windows login screen. When a user selects the InstaSafe login method, the authentication request (for username and password) is sent to the ZTAA authentication server for verification. Users provisioned in ZTAA via AD/LDAP are then authenticated by the corporate IAM configured for the tenant, while local users provisioned in ZTAA are authenticated by the ZTAA authentication server itself.

The InstaSafe Windows MFA utility will prompt the user to perform the secondary authentication with one of the following two options:

  • Authenticate with an OTP sent over email and SMS.

  • Authenticate with the 6-digit TOTP from the configured authenticator app.

Note: It is highly recommended that users configure their ZTAA profile with a third-party authenticator app or with the InstaSafe Authenticator app to perform the secondary authentication when logging in to their Windows system. If there is a delay in receiving the OTP from the SMS provider, or if the user does not have an internet connection, they can use the TOTP from the authenticator app to log in to their Windows machine.

A similar MFA plugin is also available for Ubuntu and Red Hat Enterprise Linux to perform secondary authentication during the login process.

Support for Windows MFA without internet connection

Users can log in to their Windows system through the InstaSafe MFA utility even when they do not have an active internet connection. For the MFA to work offline, users must have their InstaSafe profile configured with an authenticator app.

Prerequisites for Windows MFA without internet connection:

  1. Authenticator app set up: Users must set up an authenticator app with their InstaSafe profile. Users can use InstaSafe Authenticator, Google Authenticator, Microsoft Authenticator, etc.

  2. One-Time Login to ZTNA agent: Users should log in once to the ZTNA Agent and click the Connect button.

  3. MFA Installation: Windows MFA agent must be installed on the user's system.
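The reason the authenticator-app option works without a network connection is that a TOTP code is derived only from a shared secret and the current time (RFC 6238), so both the app and the verifier can compute it independently. The following PowerShell is an added illustration of that computation, not InstaSafe's code; the Base32 secret used at the bottom is the RFC 6238 test-vector secret, not a real account secret, and the one-step tolerance window in Test-Totp is a common verifier choice, not something the page specifies.

```powershell
# Added example: generic RFC 6238 TOTP in PowerShell. Nothing here touches the
# network, which is why an authenticator app keeps working offline.

function ConvertFrom-Base32 {
    # Authenticator apps store the shared secret Base32-encoded (RFC 4648).
    param([string]$Encoded)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Encoded.ToUpper().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character: $c" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Time step counter, encoded as an 8-byte big-endian integer (RFC 4226 HOTP).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = ConvertFrom-Base32 $Base32Secret
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor
            (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
            (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
            ($hash[$offset + 3] -band 0xFF)
    $modulus = [int][math]::Pow(10, $Digits)
    return ($code % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    # Verifier side: accept the current step and one step either side to absorb
    # clock skew between the phone and the machine (assumed tolerance, not InstaSafe's).
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30
    )
    foreach ($delta in -1, 0, 1) {
        $candidate = Get-Totp -Base32Secret $Base32Secret -UnixTime ($UnixTime + $delta * $Step) -Step $Step
        if ($candidate -eq $Submitted) { return $true }
    }
    return $false
}

# Constructed demo input: RFC 6238 Appendix B secret ("12345678901234567890" in Base32).
$DemoSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$code = Get-Totp -Base32Secret $DemoSecret -UnixTime 59
"TOTP at T=59: $code"
"Verifies: $(Test-Totp -Base32Secret $DemoSecret -Submitted $code -UnixTime 59)"
```

With the RFC 6238 test-vector secret and T=59, the 8-digit SHA-1 value in the RFC is 94287082, so the 6-digit code printed here is its last six digits, 287082. The practical consequence for the offline scenario on this page is that the Windows machine's clock must be reasonably accurate: a clock that drifts beyond the verifier's tolerance window makes every TOTP fail even though no network is involved.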

Please refer to the below video on how the InstaSafe Windows MFA feature can be installed and configured.

[Video: WindowsMFA.gif]

By default, the InstaSafe Windows MFA is optional while doing a login to the Windows system. Admins can exclude other credential providers from the Windows login screen so that InstaSafe Windows MFA is the only available sign-in method for users.

To exclude other Windows credential providers, perform the following steps:

  1. In Windows Explorer, open the Local Group Policy Editor.

  2. Navigate to Computer Configuration > Administrative Templates > System > Logon.

  3. Right-click the Exclude credential providers setting and select Edit.

  4. Select Enabled.

  5. In the Exclude the following credential providers field, enter the comma-separated Class IDs (CLSIDs) for excluding multiple credential providers during authentication.

  6. Select OK to save changes.

  7. Execute gpupdate to enforce the policy change immediately.
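Step 5 requires the CLSIDs of the providers to be excluded, and after step 7 an admin usually wants to confirm what the login screen will actually offer. The following PowerShell is an added example, not InstaSafe's tooling. It reads the standard registration key for credential providers and the registry value that the "Exclude credential providers" policy writes; the InstaSafe provider CLSID is a placeholder that must be replaced with the value shown by Get-CredentialProviders once the MFA agent is installed. Run it from an elevated prompt.

```powershell
# Added example: audit (and optionally set) the credential-provider exclusion list.
# PLACEHOLDER: replace with the InstaSafe provider's CLSID as listed by Get-CredentialProviders.
$InstaSafeClsid = '{00000000-0000-0000-0000-000000000000}'

# Every credential provider registers a subkey named after its CLSID under this key.
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# The Logon policy "Exclude credential providers" is stored as a comma-separated REG_SZ here.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'ExcludedCredentialProviders'

function Get-CredentialProviders {
    # Lists CLSID and display name of each registered provider (name may be empty).
    Get-ChildItem -Path $ProviderRoot | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-ExcludedClsids {
    # Returns the CLSIDs currently excluded by policy, or an empty array.
    $v = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    if ([string]::IsNullOrWhiteSpace($v)) { return @() }
    return @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Show-CredentialProviderState {
    # One row per provider, flagged if the policy removes it from the login screen.
    $excluded = Get-ExcludedClsids
    Get-CredentialProviders | ForEach-Object {
        [pscustomobject]@{
            Clsid    = $_.Clsid
            Name     = $_.Name
            Excluded = ($excluded -contains $_.Clsid)
        }
    } | Sort-Object Excluded, Name | Format-Table -AutoSize
}

function Set-ExcludedProviders {
    # Writes the same value the Group Policy editor writes, then refreshes policy.
    # Refuses to exclude the InstaSafe provider itself, since that would leave no sign-in method.
    param([Parameter(Mandatory)][string[]]$Clsids)
    if ($Clsids -contains $InstaSafeClsid) {
        throw 'Refusing to exclude the InstaSafe provider: the machine would have no usable sign-in method.'
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($Clsids -join ',') -Type String
    gpupdate /target:computer /force | Out-Null
}

# Usage: inspect first, then build the exclusion list from everything except InstaSafe.
Show-CredentialProviderState
$others = Get-CredentialProviders | Where-Object { $_.Clsid -ne $InstaSafeClsid } | Select-Object -ExpandProperty Clsid
"Would exclude: $($others -join ', ')"
# Set-ExcludedProviders -Clsids $others   # uncomment after checking the list above
```

Two caveats for the rollout. On a domain-joined machine, a value written directly to the registry is overwritten at the next Group Policy refresh, so the durable place for the setting is the domain GPO, and this script is then only useful for auditing the result. And because excluding every other provider makes InstaSafe the single path into the machine, validate on one test system and keep a break-glass path (for example, a local administrator account with a provider that is not excluded, or a documented way to revert the policy) before applying it fleet-wide.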
