Enforce Digipass Authentication

By default, users can choose whether to use their static password, OTP, or Push Notification to authenticate with Digipass Authentication for Windows Logon. You can enforce OTP authentication for users that have a Digipass authenticator assigned. This prevents users who have a Digipass authenticator assigned from bypassing OTP authentication, but still allows static password authentication for users without a Digipass authenticator.

When enforcing Digipass authentication, Digipass Authentication for Windows Logon verifies whether the user has a Digipass authenticator assigned. If an authenticator is assigned, the provided credentials are assumed to include a one-time password (OTP) and are verified either by the authentication server (online authentication) or against the offline authentication data (offline authentication). If the user is unknown to OneSpan Authentication Server or has no authenticator assigned, the provided credentials are assumed to include a static password and are used directly for Windows authentication. However, for new users you can restrict login and allow using the static password only if:

• OAS online authentication returns that it is a non-OAS user.
• The user store knows that during the last online authentication OAS returned that this is a non-OAS user.

To enforce Digipass authentication, you need to set Filter credential providers to Force Digipass authentication. in Digipass Authentication for Windows Logon Configuration Center (see Configuration with Digipass Authentication for Windows Logon Configuration Center). Alternatively, you can use the Force Digipass authentication option of Group Policy (see Configuration with Group Policy ).