Authentication Provider
  • 28 Nov 2024

Enable Digipass authentication

Select this check box to display the Digipass Authentication tile in the Sign-in options on the Windows logon screen.

Enable Push Notification authentication

Select this check box to display the Push Notification Authentication tile in the Sign-in options on the Windows logon screen.

Filter credential providers

This option allows you to block specific credential providers from being used for authentication.

This option is only available if Enable Digipass authentication or Enable Push Notification authentication is selected.

Select one of the following:

  • Allow any credential provider. This allows any credential provider available. A user is not restricted to OTP authentication, even if a Digipass authenticator is assigned to that user.

  • Block weak credential providers. If you select this option, the system credential providers that are considered to be weak or untrusted are actively blocked and cannot be used for authentication (see Blocked credential providers considered weak).

    Digipass Authentication for Windows Logon only blocks the system credential providers that are considered weak. The Microsoft Windows Smartcard Credential Provider, NPProvider, and third-party custom credential providers are not blocked by this option.

    Blocked credential providers considered weak

    Credential Provider                      CLSID
    FaceCredentialProvider                   {8AF662BF-65A0-4D0A-A540-A338A999D36F}
    GenericProvider                          {25CBB996-92ED-457E-B28C-4774084BD562}
    IrisCredentialProvider                   {C885AA15-1764-4293-B82A-0586ADD46B35}
    NGC Credential Provider                  {D6886603-9D2F-4EB2-B667-1971041FA96B}
    PasswordProvider                         {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}
    PasswordProvider\LogonPasswordReset      {8841D728-1A76-4682-BB6F-A9EA53B4B3BA}
    PicturePasswordLogonProvider             {2135F72A-90B5-4ED3-A7F1-8BB705AC276A}
    PINLogonProvider                         {CB82EA12-9F71-446D-89E1-8D0924E1256E}
    WinBio Credential Provider               {BEC09223-B018-416D-A0AC-523971B639F5}
    WLIDCredentialProvider                   {F8A0B131-5F68-486C-8040-7E8FC3C85BB6}

    For more information about blocking additional credential providers, refer to the Digipass Authentication for Windows Logon Installation Guide.

  • Force Digipass authentication. Select this option to enforce Digipass authentication, if applicable. Effectively, this setting will block any credential provider other than Digipass Authentication for Windows Logon, including customer-specific third-party credential providers!

    If you select this option, every user with an assigned Digipass authenticator is required to use OTP authentication. Static password authentication is prevented. Users who do not have an authenticator assigned can still use their static password to log on.

If you enable Dynamic User Registration (DUR) in the respective OneSpan Authentication Server policy, the Filter credential providers option has effectively no impact on non-OAS users. In this case, every domain user who is unknown to OneSpan Authentication Server is automatically registered via DUR after a successful authentication and can continue to use the static password until an authenticator is assigned and the (optional) grace period has ended.

The behavior of the Filter credential providers option can be different in RDP scenarios, especially with multiple domains. Consider a scenario where a user is already logged on (computer A) and attempts to connect to another workstation or server (computer B) via remote desktop (RDP), where both computers have Digipass Authentication for Windows Logon installed (but with different configuration settings). If computer B requires OTP authentication but computer A does not, the user may not be required to use an OTP when connecting from computer A to computer B via RDP (because of the settings of computer A). This behavior is caused by a Windows security limitation that forcibly uses the credential provider settings of the source computer and cannot be circumvented in newer Windows versions.
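The table above is only a list of CLSIDs. What an administrator usually wants to know before switching from Allow any credential provider to Block weak credential providers is which of those providers are actually registered on a given host, and which registered providers fall outside the scope of the option (smart card, NPProvider, third-party). The following PowerShell script is an added example; it is not OneSpan code and does not reproduce the mechanism Digipass Authentication for Windows Logon uses to filter providers, which this page does not describe. It assumes three Windows registry locations: registered providers under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{CLSID}, a DWORD value Disabled = 1 under a provider's own key, and the Exclude credential providers policy value ExcludedCredentialProviders under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example (not OneSpan's code): audit the credential providers that the
# "Block weak credential providers" option targets against what is registered locally.
# Assumed Windows locations (documented Windows mechanisms, not DAWL's own filter):
#   - registered providers:  HKLM:\...\Authentication\Credential Providers\{CLSID}
#   - per-provider switch:   DWORD "Disabled" = 1 under that key
#   - GPO "Exclude credential providers": comma-separated CLSIDs in
#     HKLM:\...\Policies\System\ExcludedCredentialProviders

# The CLSIDs from the "Blocked credential providers considered weak" table.
$WeakProviders = [ordered]@{
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'FaceCredentialProvider'
    '{25CBB996-92ED-457E-B28C-4774084BD562}' = 'GenericProvider'
    '{C885AA15-1764-4293-B82A-0586ADD46B35}' = 'IrisCredentialProvider'
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'NGC Credential Provider'
    '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}' = 'PasswordProvider'
    '{8841D728-1A76-4682-BB6F-A9EA53B4B3BA}' = 'PasswordProvider\LogonPasswordReset'
    '{2135F72A-90B5-4ED3-A7F1-8BB705AC276A}' = 'PicturePasswordLogonProvider'
    '{CB82EA12-9F71-446D-89E1-8D0924E1256E}' = 'PINLogonProvider'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'WinBio Credential Provider'
    '{F8A0B131-5F68-486C-8040-7E8FC3C85BB6}' = 'WLIDCredentialProvider'
}

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# CLSIDs already excluded by Group Policy, normalised for comparison.
$excluded = @()
$policy = Get-ItemProperty -Path $PolicyKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
if ($policy) {
    $excluded = $policy.ExcludedCredentialProviders -split ',' |
        ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ }
}

# One row per weak provider: is it registered, and does Windows itself already turn it off?
$report = foreach ($clsid in $WeakProviders.Keys) {
    $key        = Join-Path $ProvidersKey $clsid
    $registered = Test-Path $key
    $disabled   = $false
    if ($registered) {
        $props    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $disabled = ($props.Disabled -eq 1)
    }
    $byGpo = $excluded -contains $clsid.ToUpperInvariant()
    [pscustomobject]@{
        Provider        = $WeakProviders[$clsid]
        CLSID           = $clsid
        Registered      = $registered
        DisabledByKey   = $disabled
        ExcludedByGPO   = $byGpo
        # Usable from Windows' point of view; DAWL's own filter is applied on top of this.
        UsableInWindows = $registered -and -not $disabled -and -not $byGpo
    }
}
$report | Format-Table -AutoSize

# Everything registered that is NOT in the weak list is left alone by the option
# (smart card, NPProvider, third-party providers) and needs a deliberate decision.
Get-ChildItem -Path $ProvidersKey | Where-Object { $WeakProviders.Keys -notcontains $_.PSChildName } |
    ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        "Not covered by 'Block weak credential providers': $($_.PSChildName)  $name"
    }
```

Run it in an elevated PowerShell session on the workstation or server before and after enabling the option. The second list is the one that matters for the caveat in the note above: a third-party provider that stays usable is exactly what Force Digipass authentication, and only that setting, would remove.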

Enable pass-through authentication for RD Gateway servers

Remote Desktop Gateway (RD Gateway) allows remote users to access network resources on an internal network from any Internet-connected device. Usually, when connecting to a network resource (e.g. a terminal server) via an RD Gateway server, the user has to authenticate twice: once on the RD Gateway, and once on the terminal server. This does not apply if the user credentials are the same for both. In this case, Windows performs pass-through authentication, and the user must enter the credentials only once.

If you require Digipass authentication, users would be prompted for an OTP twice, once on the RD Gateway and once on the terminal server. Select this option to require Digipass authentication only once and perform pass-through authentication. This option is only available if you set Filter credential providers to Block weak credential providers or Force Digipass authentication. This option affects Digipass Authentication for Windows Logon Credential Provider only.

If you install Digipass Authentication for Windows Logon on the terminal server that is accessed via the RD Gateway server, you need to set this option.

Note that if you enable this option, remote users can connect to the terminal server and authenticate with their static passwords, even if you have set Filter credential providers to Block weak credential providers or Force Digipass authentication.

Allow static password authentication for non-OAS users

Non-OAS users are not registered to OneSpan Authentication Server and do not have authenticators to perform OTP authentication. If Digipass authentication is required, those users cannot log on.

Select this option to allow non-OAS users to authenticate using their static passwords, even if Digipass authentication is enforced. Note that users who are known by OneSpan Authentication Server but do not have an authenticator assigned can always use their static password to log on.

This option is only available if you set Filter credential providers to Block weak credential providers or Force Digipass authentication.

If you enable Dynamic User Registration (DUR) in the respective OneSpan Authentication Server policy, the Allow static password authentication for non-OAS users option is not effective. In this case, every domain user who is unknown to OneSpan Authentication Server will be automatically registered via DUR after a successful authentication and can use the static password, until an authenticator is assigned and the (optional) grace period has ended.

If you clear this check box, all users who have an authenticator assigned are required to use it to log on, including administrators.

Force OAS online authentication for new users

This is a sub-setting of Allow static password authentication for non-OAS users.

If this setting is enabled, a user is only allowed to use their static password if one of the following holds:

  • OAS online authentication reports that the user is a non-OAS user.
  • The local user store records that, during the last online authentication, OAS reported the user as a non-OAS user.

This option is only available if you enable the Allow static password authentication for non-OAS users setting.

Number of retries before locking offline authentication data

Specify how often an incorrect OTP value can be consecutively typed during offline authentication before the offline authentication data is locked. This value counts for all Digipass authenticators assigned to a user. Each consecutive unsuccessful offline authentication attempt decreases the number of available retries. In case of a successful authentication (online or offline), the number of available retries is reset. If no more retries are left, offline authentication data is locked and all assigned Digipass authenticators are blocked from future authentication attempts. Unlocking the offline authentication data requires administrator action on the server (see Locked offline authentication).

The default setting is 5.

Set offline authentication Digipass control parameters

Select this option to specify the Digipass control parameters for offline authentication. If you do not specify Digipass control parameters, inbuilt default values are used.

Identification time window

Enter the maximum number of time step variations allowed between a Digipass authenticator and OneSpan Authentication Server during logon. The value is given in time steps. It only affects accounts that have time-based Digipass authenticators assigned. This option is only available if you select the Set offline authentication Digipass control parameters check box.

Possible values: 2 to 1000.

The default setting is 30.

Event window

Enter the maximum number of event variations allowed between a Digipass authenticator and OneSpan Authentication Server during logon. The value is given in events. It only affects accounts that have event-based Digipass authenticators assigned. This option is only available when you select the Set offline authentication Digipass control parameters check box.

Possible values: 10 to 1000.

The default setting is 30.
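To make the three offline parameters concrete (Number of retries before locking offline authentication data, Identification time window, Event window), here is an added PowerShell model of one user's offline authentication data holding an event-based and a time-based authenticator. It is not OneSpan code: the Digipass algorithms and the offline data format are proprietary and not shown on this page, so RFC 4226 HOTP with HMAC-SHA1 is used as a stand-in OTP algorithm and a 30-second time step is assumed. What it does implement are the rules the page states: one retry counter shared by all of the user's authenticators, reset on any successful authentication, and a lock of every authenticator when it reaches zero; the window values are the page defaults (30).

```powershell
# Added example (not OneSpan's code). HOTP (RFC 4226) stands in for the Digipass
# algorithm; the offline data layout and the 30 s time step are assumptions.

function Get-HotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][long]$Counter,
        [int]$Digits = 6
    )
    # HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    $msg = [byte[]]::new(8)
    $c = $Counter
    for ($i = 7; $i -ge 0; $i--) { $msg[$i] = [byte]($c -band 0xFF); $c = $c -shr 8 }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Key)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()
    $offset = $hash[19] -band 0x0F
    $bin = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor
           ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    return ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Constructed offline authentication data for one user with two assigned authenticators.
$OfflineData = @{
    MaxRetries     = 5       # page default for "Number of retries before locking ..."
    RetriesLeft    = 5       # shared by ALL of the user's authenticators
    Locked         = $false
    Authenticators = @(
        @{ Serial = 'EVT-0001'; Type = 'Event'; Key = [byte[]](1..20);  LastCounter = 41 }
        @{ Serial = 'TIM-0001'; Type = 'Time';  Key = [byte[]](21..40); TimeStep = 30; LastStep = 0 }
    )
}
# Page defaults: both windows are 30 (time steps, respectively events).
$Params = @{ IdentificationWindow = 30; EventWindow = 30 }

function Test-OfflineOtp {
    param(
        [hashtable]$Data, [string]$Otp, [hashtable]$Params,
        [long]$NowUnix = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    # Once locked, every assigned authenticator is refused until an administrator unlocks it server-side.
    if ($Data.Locked) { return 'LOCKED' }

    foreach ($auth in $Data.Authenticators) {
        switch ($auth.Type) {
            'Event' {
                # Accept counters in (LastCounter, LastCounter + EventWindow]; older values are replays.
                for ($c = $auth.LastCounter + 1; $c -le $auth.LastCounter + $Params.EventWindow; $c++) {
                    if ((Get-HotpCode -Key $auth.Key -Counter $c) -eq $Otp) {
                        $auth.LastCounter = $c
                        $Data.RetriesLeft = $Data.MaxRetries      # any success resets the shared counter
                        return "OK:$($auth.Serial)"
                    }
                }
            }
            'Time' {
                # Tolerate +/- IdentificationWindow steps of drift around the local clock, no replays.
                $serverStep = [long][math]::Floor($NowUnix / $auth.TimeStep)
                for ($d = -$Params.IdentificationWindow; $d -le $Params.IdentificationWindow; $d++) {
                    $step = $serverStep + $d
                    if ($step -gt $auth.LastStep -and (Get-HotpCode -Key $auth.Key -Counter $step) -eq $Otp) {
                        $auth.LastStep = $step
                        $Data.RetriesLeft = $Data.MaxRetries
                        return "OK:$($auth.Serial)"
                    }
                }
            }
        }
    }
    # No authenticator matched: one shared counter goes down, whichever token the user meant to use.
    $Data.RetriesLeft = $Data.RetriesLeft - 1
    if ($Data.RetriesLeft -le 0) { $Data.Locked = $true; return 'LOCKED' }
    return "FAIL: $($Data.RetriesLeft) retries left"
}

# Walk-through (constructed): a valid event OTP 9 events ahead, its replay, then four wrong OTPs.
$evt  = $OfflineData.Authenticators[0]
$good = Get-HotpCode -Key $evt.Key -Counter 50
Test-OfflineOtp -Data $OfflineData -Otp $good -Params $Params      # OK:EVT-0001, LastCounter becomes 50
Test-OfflineOtp -Data $OfflineData -Otp $good -Params $Params      # FAIL: 4 retries left (replay)
1..4 | ForEach-Object { Test-OfflineOtp -Data $OfflineData -Otp '000000' -Params $Params }   # ... LOCKED
Test-OfflineOtp -Data $OfflineData -Otp (Get-HotpCode -Key $evt.Key -Counter 51) -Params $Params   # LOCKED
```

The last line is the point of the retry setting: once the offline data is locked, even a correct OTP from a different, previously unused authenticator of the same user is refused, because the lock applies to the user's offline data as a whole and only a server-side unlock clears it. Raising the Event window or Identification time window widens the search loops above and therefore the number of OTP values accepted per attempt; keep that in mind when also raising the retry count.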
