Specops Secure Access
Specops Secure Access adds multi-factor authentication (MFA) to Windows logins for user accounts and computers, providing extra protection in scenarios where a single password is not secure enough.
With the Specops Client installed and configured for Secure Access, users must verify their identity with a second factor after entering their Windows username and password on the login screen. The same applies when connecting to a Windows computer via Remote Desktop, although in that case, verification occurs outside the login screen.
The system is designed to minimize the impact on users while providing an additional layer of security, giving users the flexibility to choose which extra factor to use.
Central Concepts
The following concepts are relevant for the different scenarios of Specops Secure Access.
Authentication
Once users have enrolled with the required identity services, they will be prompted to authenticate via Secure Access each time they sign in to Windows. Authenticating via Secure Access means using one extra factor (identity service) in addition to the regular Windows username and password. This may — depending on the circumstances — also be an offline code (described in Secure Access for Windows Clients).
The authentication flow is streamlined and will present the user with the same factor they used the last time they authenticated. Depending on the identity service, the process may be as simple as tapping one button in a mobile app, or tapping the button on a YubiKey device. The system administrator configures the rules for authentication, including how often users need to use Secure Access. The system could, for example, be configured to only require the extra factor once a day. In this scenario users would bypass Secure Access — using only the Windows password — until the configured time has elapsed.
Specops Authentication
Secure Access is part of the Specops Authentication framework and requires that your organization has a Specops Authentication account and that the on-prem component, Specops Authentication Gatekeeper, is installed and configured. For more information, see Gatekeeper Installation Overview.
Identity Services
The additional authentication factors in Specops Authentication are called identity services. Some examples of identity services are Text message, YubiKey, and Specops:ID.
Most identity services require users to have a mobile phone, for example, to receive a text message or use biometrics in an app to verify their identity. The system administrator configures which identity services are available to users in the Secure Access policy in Specops Authentication.
Enrollment
To use an identity service, users must first enroll through Specops Authentication. In the Secure Access for Windows Clients scenario, users will be prompted to enroll right from the Windows logon screen.
Specops:ID
Specops:ID is a mobile application specifically designed to optimize the authentication flow and serve as the recommended identity service for Secure Access.
When signing in, users receive a notification on their mobile phone. Tapping the notification opens the Specops:ID mobile app, where the user can accept or reject the authentication request. An administrator configures whether biometric verification (fingerprint or Face ID) is required to accept a request. In the mobile app, users can also see information about their work account, including whether it is locked and the date when their password was last changed.
Secure Access Authentication Scenarios
Specops Secure Access adds multi-factor authentication to the following scenarios:
- Specops Secure Access for Windows Clients
- Specops Secure Access for Remote Access
Secure Access for Windows Clients
The Specops Client is the component that integrates with the Windows login screen and must be installed on all computers to support the "Secure Access for Windows Clients" scenario. The Specops Client serves multiple purposes within the Specops Authentication framework and consists of several sub-components. The sub-components and features related to Secure Access are described below.
- Specops Credential Provider is the first layer of the Specops Client component. This is the part that is integrated into the Windows login process. Credential Providers are extensibility points provided by Microsoft that enable third-party vendors to integrate with the Windows authentication system. The presence of other third-party Credential Providers may result in conflicts. If such conflicts occur, please contact Specops Support.
  When using Secure Access, the credential provider starts the Specops Secure Access desktop app after the user has presented valid domain credentials.
- Specops Secure Access desktop app is a Windows desktop application that opens as a separate window on top of the login screen after the user has entered their username and password. In it, users are presented with one or more identity services to use as a second factor to complete the authentication. The desktop app communicates with Specops Authentication web, which in turn communicates with the on-prem Gatekeeper to verify the user.
  If a user needs to enroll with an identity service, the Specops Secure Access desktop app starts the Secured Browser.
- Specops Secured Browser is built on the CefSharp browser engine (a .NET wrapper around the Chromium Embedded Framework). It is "secured" in the sense that it does not allow the user to navigate anywhere outside the Specops Authentication registration pages. In Secure Access, the Secured Browser is used when a user needs to enroll one or more identity services, which should normally happen only once per user. If the organization already uses Specops Authentication for resetting passwords, users may already be enrolled and ready to start using Secure Access.
- Offline Authentication using Specops:ID is a fallback authentication method that allows users to sign in to Windows even if network or cloud services are unavailable, reducing the risk of being locked out. For security reasons, users are still required to provide an additional authentication factor when signing in; the fallback does not reduce the login to password only.
  When the Secure Access desktop app is used together with the Specops:ID mobile app, the fallback method is called Offline Codes. An offline code is created and synchronized for every computer where a user signs in using Secure Access, so in practice a code exists only for computers the user has already signed in to with Secure Access while online. The offline codes are available in the Offline Codes tab in the Specops:ID mobile app.
  When a user attempts to sign in to Windows without network access, the Secure Access desktop app prompts them to use an offline code. The user must then open the Specops:ID mobile app, navigate to the Offline Codes tab, and locate the code for the computer they are signing in to.
  If a user has offline codes for several computers, they can use the Scan QR function in the mobile app to scan the code displayed by the Secure Access desktop app; this locates the correct offline code and displays it. The user then enters the code into the desktop app to complete the authentication.
- Offline Authentication without Specops:ID: if the Specops:ID mobile app is not used, a Smart Card can be used for the offline authentication scenario instead. Currently only YubiKey smart cards are supported. This scenario requires several extra configuration steps, detailed in the Set up Smart Card as Offline method section further down.
Secure Access for Remote Access
Organizations with users accessing the network remotely using a VPN, or via a Remote Desktop Gateway (RDGW), can protect those logins by adding a second factor. In this scenario, Specops Secure Access extends an existing Microsoft Network Policy Server (NPS) setup.
Note
In this scenario, the Secure Access desktop app is not used. However, the Specops:ID identity service is specifically required and the users must have the Specops:ID mobile app installed.
- Microsoft Network Policy Server (NPS): the scenario requires that NPS is already set up in the network as the RADIUS server that secures the VPN and Remote Desktop Gateway logins. For information about NPS, refer to the official documentation from Microsoft.
- Specops Secure Access NPS Companion: to complete the "Secure Access for Remote Access" setup, the Specops Secure Access NPS Companion must be installed on all NPS servers. This component extends NPS to communicate with the Specops Authentication web services whenever a user attempts to authenticate via the VPN or the RDGW. For more information, refer to Configuring Secure Access for Remote Access further down.
Getting Started
There are a few different configuration areas for Secure Access, depending on the authentication scenario.
To get started with Secure Access, the following preparations are necessary for both scenarios:
- Set up a Specops Authentication account.
- Install and configure the on-prem component, Specops Authentication Gatekeeper.
- Make sure users who are to participate are informed that they need to install the Specops:ID mobile app.
Configuration of the Secure Access authentication policy is required for both scenarios, while the remaining configuration steps differ depending on the scenario. All steps are described in the following sections.
Configuring Secure Access for Windows Clients
Configure Specops Authentication
Locate the Specops Authentication Web URL in the on-prem Gatekeeper Admin Tool and then open the Specops Authentication Admin pages in a web browser.
- In the Secure Access section, configure the authentication policy for Windows Clients.
- In the Secure Access section, create an API key for Windows Clients, copy the API key and hold on to it for now. Also copy the API URL from the same page. The API key and the corresponding URL are needed when configuring the Specops Client. The API key is what the clients use to authenticate to Specops Authentication, so handle it as a secret: keep it out of tickets, chat and ad hoc scripts, and store it only where the deployment needs it.
Configure Specops:ID mobile app
The configuration for the Specops:ID app is performed from the Specops Authentication Admin pages.
- In the Identity Service section, locate Specops:ID and the setting "Require Biometric verification". If this option is enabled, users must use fingerprint or Face ID to accept an authentication request in the Specops:ID mobile app.
- The Specops:ID identity service also includes a feature to prevent notification fatigue (a user approving a push they did not initiate). This feature does not apply to Secure Access, because a request can only be initiated after the correct password has been entered.
  If users also use Specops:ID for other authentication scenarios, such as password resets, consider enabling the notification fatigue feature. In the section for the Identity Service Specops:ID, a Challenge Type can be configured and set to either QR code or number input. Enabling one of these options prevents users from accidentally approving an authentication request in the app that was initiated by a third party.
  For the "number" challenge type, the user enters the number displayed in the Secure Access desktop app into the mobile app. For the "QR code" challenge type, the user scans the QR code shown in the desktop app.
Deploy Specops Client to client computers
Deploy the Specops Client to all client computers that are to participate.
Configure client computer
In this step you will need the API key and the API URL.
The configuration for the Specops Client is stored in the Windows registry on each client computer where it is installed. A few settings are required to be able to use Secure Access, and they must be deployed to every computer where the Specops Client is installed. The recommended way to deploy them is Group Policy using the ADMX template included in the Specops Client setup.
The root key for these settings is:
HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client\Mfa
Mandatory settings
The following settings are required to enable Secure Access on client computers.
| Setting | Description | Default |
|---|---|---|
| WinMfa_EnableLocal | Set to 1 to enable Secure Access for Windows Clients for logins at the Windows login screen | 0 |
| WinMfa_EnableRemote | Set to 1 to enable Secure Access for Windows Clients for the Remote Desktop scenario | 0 |
| WinMfa_DispatcherApiUrl | The URL that Secure Access initially connects to. Obtain it from the API keys page of the Secure Access section on the Specops Authentication web | |
| WinMfa_ApiKey | The API key that Secure Access uses to authenticate to Specops Authentication. Obtain it from the same API keys page | |
Optional settings
These are some additional settings that you may want to configure for the client computers:
| Setting | Description | Default |
|---|---|---|
| WinMfa_TimeBeforeRequireMfa | By default, MFA is required for every login once Secure Access is enabled. Set this to allow users to log in without MFA for a period after a successful online authentication. The format is HH:MM:SS and the maximum is 72 hours. If an invalid value is entered, MFA is required for every login. Note that during this window a login is protected by the Windows password alone. | 0 |
| WinMfa_AllowOfflineAuth | By default (0), offline authentication is disabled, so no one can log in while the computer is offline or while a service outage or misconfiguration makes the Specops Authentication API unreachable. Set to 1 to allow offline authentication in those situations. | 0 |
| WinMfa_DaysBeforeRequireOnlineAuth | If offline authentication is enabled, a user can keep logging in with offline authentication for up to this many days before being required to authenticate online again. Change it if your requirements differ from the default of 30 days. | 30 |
Logging
Logging is configured under:
HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Client\Mfa\Logging
| Setting | Description | Default |
|---|---|---|
| debug | Set this value to 2 to enable logging. The log files are stored in C:\Windows\debug\SpecopsWinMfa\. After each login attempt a folder with a timestamp is created, containing the log files WinMfa.Launcher.log and WinMfa.App.log | 0 |
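The client settings above, applied and then read back from PowerShell, as an added example that is not Specops' own tooling. Group Policy with the ADMX template remains the recommended deployment method; this script is for a pilot machine, or for checking what Group Policy actually delivered. It covers the mandatory and optional values and the Logging key, and assumes REG_DWORD for the numeric values and REG_SZ for the URL, the key and the HH:MM:SS value (the ADMX template is authoritative for the types). The function names, the https check on the API URL and the placeholder URL and key are assumptions made here.

```powershell
# Added example, not Specops code: apply and read back the Secure Access client
# settings documented above. Run in an elevated PowerShell on a machine that has
# the Specops Client installed. Value types (DWord/String) are assumed; the ADMX
# template in the Specops Client setup is authoritative.
$MfaKey     = 'HKLM:\SOFTWARE\Specopssoft\uReset\Client\Mfa'
$LoggingKey = "$MfaKey\Logging"

function Test-WinMfaTimeSpan {
    # WinMfa_TimeBeforeRequireMfa must be HH:MM:SS and at most 72 hours; an
    # invalid value silently falls back to requiring MFA on every login.
    param([string]$Value)
    if ($Value -notmatch '^(\d{1,2}):([0-5]\d):([0-5]\d)$') { return $false }
    $seconds = [int]$Matches[1] * 3600 + [int]$Matches[2] * 60 + [int]$Matches[3]
    return ($seconds -le 72 * 3600)
}

function Set-WinMfaConfiguration {
    param(
        [Parameter(Mandatory)][string]$ApiUrl,          # WinMfa_DispatcherApiUrl from the API keys page
        [Parameter(Mandatory)][string]$ApiKey,          # WinMfa_ApiKey from the same page; treat as a secret
        [switch]$EnableRemote,                          # also cover Remote Desktop logins
        [string]$TimeBeforeRequireMfa,                  # e.g. '08:00:00'; omit to require MFA at every login
        [switch]$AllowOfflineAuth,
        [int]$DaysBeforeRequireOnlineAuth = 30,
        [switch]$EnableDebugLogging                     # writes to C:\Windows\debug\SpecopsWinMfa\
    )
    if ($TimeBeforeRequireMfa -and -not (Test-WinMfaTimeSpan $TimeBeforeRequireMfa)) {
        throw "WinMfa_TimeBeforeRequireMfa '$TimeBeforeRequireMfa' is not HH:MM:SS within 72 hours"
    }
    foreach ($key in $MfaKey, $LoggingKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Mandatory settings
    Set-ItemProperty -Path $MfaKey -Name WinMfa_EnableLocal      -Value 1 -Type DWord
    Set-ItemProperty -Path $MfaKey -Name WinMfa_EnableRemote     -Value ([int]$EnableRemote.IsPresent) -Type DWord
    Set-ItemProperty -Path $MfaKey -Name WinMfa_DispatcherApiUrl -Value $ApiUrl -Type String
    Set-ItemProperty -Path $MfaKey -Name WinMfa_ApiKey           -Value $ApiKey -Type String
    # Optional settings
    if ($TimeBeforeRequireMfa) {
        Set-ItemProperty -Path $MfaKey -Name WinMfa_TimeBeforeRequireMfa -Value $TimeBeforeRequireMfa -Type String
    }
    Set-ItemProperty -Path $MfaKey -Name WinMfa_AllowOfflineAuth -Value ([int]$AllowOfflineAuth.IsPresent) -Type DWord
    Set-ItemProperty -Path $MfaKey -Name WinMfa_DaysBeforeRequireOnlineAuth -Value $DaysBeforeRequireOnlineAuth -Type DWord
    # Logging: debug = 2 enables it, 0 turns it off
    $debug = if ($EnableDebugLogging) { 2 } else { 0 }
    Set-ItemProperty -Path $LoggingKey -Name debug -Value $debug -Type DWord
}

function Test-WinMfaConfiguration {
    # Read the key back and list anything that would stop Secure Access from
    # working as intended. Returns nothing when no problem is found.
    $cfg = Get-ItemProperty -Path $MfaKey -ErrorAction SilentlyContinue
    if (-not $cfg) { return @("$MfaKey does not exist; the Specops Client has no Secure Access configuration") }
    $findings = @()
    if ($cfg.WinMfa_EnableLocal -ne 1 -and $cfg.WinMfa_EnableRemote -ne 1) {
        $findings += 'Neither WinMfa_EnableLocal nor WinMfa_EnableRemote is 1; Secure Access is off'
    }
    if (-not $cfg.WinMfa_DispatcherApiUrl -or $cfg.WinMfa_DispatcherApiUrl -notmatch '^https://') {
        $findings += 'WinMfa_DispatcherApiUrl is missing or not an https:// URL'
    }
    if (-not $cfg.WinMfa_ApiKey) { $findings += 'WinMfa_ApiKey is missing' }
    $window = $cfg.WinMfa_TimeBeforeRequireMfa
    if ($window -and $window -ne '0' -and -not (Test-WinMfaTimeSpan $window)) {
        $findings += "WinMfa_TimeBeforeRequireMfa '$window' is invalid; MFA will be required on every login"
    }
    if ($cfg.WinMfa_AllowOfflineAuth -ne 1) {
        $findings += 'WinMfa_AllowOfflineAuth is not 1; nobody can log in while the API is unreachable'
    }
    return $findings
}

# Constructed placeholder values; take the real URL and key from the API keys page.
Set-WinMfaConfiguration -ApiUrl 'https://example.invalid/secureaccess' -ApiKey 'REPLACE-WITH-REAL-KEY' `
    -TimeBeforeRequireMfa '08:00:00' -AllowOfflineAuth -EnableDebugLogging
Test-WinMfaConfiguration
```

The time-window check is deliberately a regex rather than a [TimeSpan] cast: the documented format allows up to 72 in the hours field, which the .NET parser rejects, and a value the client cannot parse does not fail loudly but quietly turns the grace period off. Run `Test-WinMfaConfiguration` on a machine that received its settings through Group Policy to confirm the ADMX deployment produced what you expect.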
Set up Smart Card as Offline method
If Specops:ID is not used, users will not get the automatic offline code option for authentication in the case of network issues. This section describes how to set up the Smart Card option as an alternative.
Note
Currently only YubiKey smart cards are supported.
Distribute opensc-pkcs11.dll to client computers
- Distribute the opensc-pkcs11.dll file to the client computers.
  For licensing reasons, the required opensc-pkcs11.dll file is not included in the Specops Authentication client installation package and needs to be distributed to all client computers.
  The file is part of the OpenSC project: https://github.com/OpenSC/OpenSC
  Download the light version of that package and either distribute the whole package to all client computers, or extract the opensc-pkcs11.dll file from it and distribute only that file. Since the DLL is loaded during Windows logon, place it in a location that only administrators can write to, and verify the hash of the distributed copy against the download.
- After the file has been distributed to the client computers, set the WinMfa_SmartCardPkcs11LibraryPath registry value to the full path of the file's location, see next section.
Configure Smart Card as offline authentication method
Configure the following settings for the Smart Card option:
| Setting | Description | Default |
|---|---|---|
| WinMfa_OfflineIdentityService | To use the Smart Card option as an offline authentication method, set to Smart Card | Specops ID |
| WinMfa_SmartCardDisplayName | This setting configures how the Smart Card option is displayed to the users | |
| WinMfa_SmartCardPkcs11LibraryPath | This setting is required if Smart Card is used as the offline identity service. Set to the full path of where the opensc-pkcs11.dll file is distributed | |
| WinMfa_SmartCardVerifyCertificateExpiration | Set to 0 to skip checking whether the smart card certificate has expired. Leave at the default of 1 unless there is a specific reason not to | 1 |
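The Smart Card offline configuration applied together with the checks a practitioner would want to run first, as an added PowerShell example that is not Specops' own tooling. It assumes the registry value names from the table and REG_SZ/REG_DWORD value types (check the ADMX template), and uses a constructed example path for opensc-pkcs11.dll. The SHA-256 comparison, the ACL check on the DLL, the warning when WinMfa_AllowOfflineAuth is off, and the function names are additions made here.

```powershell
# Added example, not Specops code: switch the offline method to Smart Card and
# verify what it depends on before rolling it out. Run elevated on a client.
$MfaKey = 'HKLM:\SOFTWARE\Specopssoft\uReset\Client\Mfa'

function Test-Pkcs11LibraryAcl {
    # The PKCS#11 DLL is loaded during Windows logon, so it must not be writable
    # or replaceable by ordinary local users. Returns the offending ACEs.
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $risky = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete'
    $bad = @(foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in $broad -and
            (([int]$ace.FileSystemRights) -band $risky) -ne 0) {
            "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    })
    return ,$bad
}

function Set-WinMfaSmartCardOffline {
    param(
        [Parameter(Mandatory)][string]$Pkcs11LibraryPath,  # full path of the distributed opensc-pkcs11.dll
        [string]$ExpectedSha256,                           # SHA-256 of the copy you downloaded from OpenSC
        [string]$DisplayName = 'YubiKey (offline)',        # shown to users in the desktop app
        [switch]$SkipCertificateExpirationCheck            # sets WinMfa_SmartCardVerifyCertificateExpiration = 0
    )
    if (-not (Test-Path -LiteralPath $Pkcs11LibraryPath -PathType Leaf)) {
        throw "opensc-pkcs11.dll is not present at ${Pkcs11LibraryPath}; distribute it first"
    }
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Pkcs11LibraryPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) { throw "Hash mismatch for ${Pkcs11LibraryPath}: $actual" }
    }
    $aclFindings = @(Test-Pkcs11LibraryAcl -Path $Pkcs11LibraryPath)
    if ($aclFindings.Count -gt 0) {
        throw "opensc-pkcs11.dll is writable by non-administrators: $($aclFindings -join '; ')"
    }
    # The offline method is only ever offered when offline authentication is allowed
    $cfg = Get-ItemProperty -Path $MfaKey -ErrorAction SilentlyContinue
    if (-not $cfg -or $cfg.WinMfa_AllowOfflineAuth -ne 1) {
        Write-Warning 'WinMfa_AllowOfflineAuth is not 1; no offline method will be offered at logon'
    }
    if (-not (Test-Path $MfaKey)) { New-Item -Path $MfaKey -Force | Out-Null }
    Set-ItemProperty -Path $MfaKey -Name WinMfa_OfflineIdentityService     -Value 'Smart Card' -Type String
    Set-ItemProperty -Path $MfaKey -Name WinMfa_SmartCardDisplayName       -Value $DisplayName -Type String
    Set-ItemProperty -Path $MfaKey -Name WinMfa_SmartCardPkcs11LibraryPath -Value $Pkcs11LibraryPath -Type String
    # 1 (the default) rejects expired certificates; 0 skips that check and is weaker
    $verify = if ($SkipCertificateExpirationCheck) { 0 } else { 1 }
    Set-ItemProperty -Path $MfaKey -Name WinMfa_SmartCardVerifyCertificateExpiration -Value $verify -Type DWord
}

# Constructed example path; point it at wherever you distributed the DLL.
Set-WinMfaSmartCardOffline -Pkcs11LibraryPath 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
```

The ACL check matters because the credential provider loads this DLL before any user is logged on; a copy that BUILTIN\Users can overwrite turns the offline fallback into a local code-execution path at logon. Pass `-ExpectedSha256` with the hash of the package you downloaded so a tampered or mismatched copy on the client is caught before the registry points at it.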
Enroll users with YubiKey
To enroll a YubiKey with Specops Authentication, complete the following steps:
- Install the Yubico-Piv-Tool.
- Insert a YubiKey into the computer.
- On a computer where the Gatekeeper Admin Tool has been installed, use the New-SAYubiKeySCOfflineEnrollment PowerShell cmdlet to create a certificate on the YubiKey device and store it securely in your Active Directory. Example:
New-SAYubiKeySCOfflineEnrollment -Username user -PinCode 123456 -CertificateSubject /CN=Alvis/OU=scard/OU=corp/
  Note that 123456 is the YubiKey factory-default PIV PIN and should be changed, and that a PIN passed on the command line ends up in the PowerShell command history.
  Alternatively, if users already have YubiKeys that contain certificates, those certificates can be sent to Specops Authentication instead of creating new ones. To do this, extract the certificate from the YubiKey using the YubiKey software. In the example below the certificate is assumed to be stored in the variable $certificate. This cmdlet has the same requirements as New-SAYubiKeySCOfflineEnrollment described above.
Set-SASmartcardOfflineEnrollment -Username [userName] -Certificate $certificate
Configuring Secure Access for Remote Access
On every NPS server where the NPS Companion is installed, the API URL and API key need to be configured. These values can be obtained from the API keys sections of Secure Access in the Specops Authentication web.
To set up the Specops Secure Access NPS Companion:
- Open the Specops Authentication Admin pages in a web browser:
  - In the Secure Access section, configure the authentication policy for Remote Access.
  - In the Secure Access section, create an API key for Remote Access, copy the API key and hold on to it for now. Also copy the API URL from the same page. The API key and the corresponding URL are needed when configuring the NPS Companion.
- Make sure NPS is set up and working. Refer to Microsoft documentation for information.
- Install the Secure Access NPS Companion on the NPS servers.
- Configure the NPS Companion by running the PowerShell script Set-SpecopsApiConfiguration.ps1 that is included in the installation, using the API key and API URL from the previous step. Example:
.\Set-SpecopsApiConfiguration.ps1 -Url [API-URL] -ApiKey [API-key]
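The NPS Companion configured on every NPS server in one pass from an administrator workstation, as an added PowerShell example that is not Specops' own tooling. It uses PowerShell remoting, checks that the NPS service is present and running before touching anything, and keeps the API key out of scripts and command history by reading it as a SecureString. The function name, the server names, the placeholder URL and the location of Set-SpecopsApiConfiguration.ps1 on the NPS servers are assumptions; only the `-Url` and `-ApiKey` parameters come from the documented invocation above.

```powershell
# Added example, not Specops code: configure the NPS Companion on every NPS
# server over PowerShell remoting, checking the NPS service first and keeping
# the API key out of scripts and command history.
function Set-SpecopsNpsCompanionConfig {
    param(
        [Parameter(Mandatory)][string[]]$NpsServer,
        [Parameter(Mandatory)][string]$ApiUrl,            # API URL from the Remote Access API keys page
        [Parameter(Mandatory)][securestring]$ApiKey,      # API key, read with Read-Host -AsSecureString
        [Parameter(Mandatory)][string]$ConfigScriptPath   # Set-SpecopsApiConfiguration.ps1 on the NPS server
    )
    # Decrypted only for the call; it travels over the encrypted WinRM channel
    $plainKey = [System.Net.NetworkCredential]::new('', $ApiKey).Password

    Invoke-Command -ComputerName $NpsServer -ArgumentList $ApiUrl, $plainKey, $ConfigScriptPath -ScriptBlock {
        param($Url, $Key, $ScriptPath)
        $result = [ordered]@{ Server = $env:COMPUTERNAME; NpsRunning = $false; Configured = $false; Error = $null }
        try {
            # 'IAS' is the service name of Network Policy Server
            $svc = Get-Service -Name IAS -ErrorAction Stop
            $result.NpsRunning = ($svc.Status -eq 'Running')
            if (-not $result.NpsRunning) { throw 'NPS service (IAS) is installed but not running' }
            if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Companion script not found: $ScriptPath" }
            # Run from the script's own folder, as the documented .\ invocation does
            Push-Location (Split-Path -Parent $ScriptPath)
            try     { & $ScriptPath -Url $Url -ApiKey $Key }
            finally { Pop-Location }
            $result.Configured = $true
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage: the key is typed interactively so it never lands in a script or in history.
# Server names, URL and script location are placeholders.
$key = Read-Host -Prompt 'Secure Access API key for Remote Access' -AsSecureString
Set-SpecopsNpsCompanionConfig -NpsServer 'nps01', 'nps02' -ApiUrl 'https://example.invalid/secureaccess' `
    -ApiKey $key -ConfigScriptPath 'C:\Path\To\Set-SpecopsApiConfiguration.ps1' | Format-Table
```

Each server returns one row with whether NPS was running and whether the Companion script ran, so a server that was skipped because the Companion is not installed or NPS is stopped is visible in the output rather than silently left without MFA on its RADIUS requests.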