Overview

Specops Secure Access brings two-factor authentication to Windows login to safeguard user accounts and computers in scenarios where a password may have been compromised. With Secure Access, users are required to authenticate themselves with an additional factor besides their Windows password, right on the login screen. The system is designed to minimize the impact on users while still adding an important layer of security and affords users the flexibility to select which extra factor to use.

General Specops Authentication Concepts


Authentication

Authentication is the process of verifying the identity of a user. Typically, this requires the user to make a claim about their identity by entering their username and password.

Enrollment

Users are required to enroll with Specops Authentication. The enrollment process varies for each type of identity service. To enroll with a personal identity service such as Google, users follow the link from the Specops web application to the Google web page and log in with the email address and password associated with their Google account.

Multi-factor authentication

Multi-factor authentication requires more than one method of authentication from independent categories of credentials: something you know (e.g. a password), something you have (e.g. a mobile device), and something you are (e.g. a fingerprint). Specops uReset goes beyond two-factor authentication by supporting a broad range of identity services that can be used to increase security and flexibility. The solution not only supports common authenticators, such as questions and answers and mobile verification codes, but also various digital identity services ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), in addition to higher trust methods such as smart cards. The Specops multi-factor authentication model is dynamic. Users can choose which identity services they want to combine for enrollment and authentication, as long as they meet the requirements of the policy. Users enrolled with more identity services than their authentication requires have a choice at authentication time. This guarantees that end-users will always be able to satisfy the authentication policy, even if one identity service is unavailable (e.g. their mobile phone is not nearby).

Administrators can select, based on role and security policy, which identity services/authenticators they want to extend to end-users to verify their identity when resetting or unlocking their accounts. Such flexibility can ensure that varying security and flexibility needs are met. For example:

  • For users that have a low-level security clearance, but a high flexibility need, such as students, IT admins can allow them to authenticate with a few personal identity services such as their Google ID.
  • For users that have a higher level security clearance, such as financial aid administrators or senior level executives, IT admins can assign policies that enforce a higher number, or a stronger combination of identity services. This approach provides administrators with the flexibility they need to enforce policies that translate to greater security and efficiency.

Policy

A policy contains the rules required for enrollment and multi-factor authentication. A policy controls what identity services can be used, and how many must be used to verify the identity of end-users. The system administrator is responsible for configuring the rules in the policies.

Identity services

Identity services enable users to securely identify themselves when signing in. Identity services fall into multiple categories, including: username and password, social (e.g. LinkedIn, Tumblr), and higher trust (e.g. Google Authenticator, Microsoft Authenticator, Duo Security).

To use various identity services to authenticate users, the identity service must be configured (enabled) in Authentication Web, and the user affected by the policy must enroll with the identity service. Once a user has enrolled, they can use the identity service to authenticate. Specops Authentication uses data from user objects in Active Directory to read and write information used in the system.

NOTE
Not all identity services can be used with Secure Access. Currently, only the following identity services can be used with Secure Access:
  • Duo
  • Mobile Code
  • Specops:ID
  • Yubikey

Standard

  • Specops:ID: this is an app that allows users to use their mobile device's biometrics (fingerprint, facial recognition etc.) to authenticate.
  • Mobile Code (SMS): Users will receive a one-time six-digit password via an SMS message, which must be entered in order to successfully authenticate.

3rd Party

NOTE
In most cases, enrollment with third party identity services needs to be handled by users individually.
  • Duo Security: With Duo Security, users can authenticate using the Duo Security mobile app.
  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.

Central Concepts Specops Secure Access


Specops Authentication

Secure Access is part of the Specops Authentication framework and requires that your organization has a Specops Authentication account and that the on-prem component, the Specops Authentication Gatekeeper (for more information, see the installation page), is installed and configured.

Use cases

Protecting client computers when logging in to Windows

With the Specops Client installed and configured for Secure Access, users are required to identify themselves with a second factor after having typed their Windows username and password on the Windows login screen.

Protecting remote access (RADIUS)

Organizations with users accessing their network remotely using a VPN, or accessing computers via a Remote Desktop Gateway (RDGW) can protect their users by adding a second factor for those logins. The VPN server or Remote Desktop Gateway can, using RADIUS, be configured to call Microsoft NPS (Network Policy Server) with Specops NPS companion installed and configured, which enables the use of Secure Access.

NOTE
The policy for protecting remote access can be configured with the following identity service: Specops:ID

Specops Client

The Specops Client is the component that integrates with the Windows login screen and needs to be installed on all computers that are to be protected by Secure Access. The Specops Client has multiple purposes within the Specops Authentication framework. For more information on the Specops Client, see this page. In this section only the features related to Secure Access will be described. The Specops Client contains several sub-components, such as the Credential Provider, WinMFA App, and Secure Browser, explained below.

Credential Provider

The Specops Client Credential Provider is the first layer of the Specops Client component. This is the part that is integrated into the Windows login screen. Credential Providers are extensibility points provided by Microsoft so that third party vendors can integrate with the Windows authentication system. When using Secure Access, the credential provider starts the WinMfa App after the user has presented valid domain credentials. When Secure Access for Windows login is enabled, the Specops credential provider filters out the other credential providers, so users cannot bypass the second factor by picking a different sign-in option.

WinMFA App

The WinMfa App is a Windows desktop application that is opened as a separate window on top of the login screen after the user has entered their username and password. In the WinMfa app, users will be presented with one or more identity services to use as a second factor to complete the authentication. Which identity services are available is configured by the system administrator in the Secure Access policy. The WinMfa app communicates with Specops Authentication in the cloud, which in turn communicates with the on-prem Gatekeeper in order to look up user information. Before a user can authenticate themselves for the first time, they need to enroll with one or more identity services. For more information on identity services that work with Secure Access, see the section on identity services below. If a user needs to enroll, the WinMfa app will start the Secure Browser which is also part of the Specops Client installation package.

Secure Browser

The Secure Browser is included with the Specops Client installation and relies on a browser runtime, using the CefSharp browser engine. It is secure in the sense that it does not allow the user to navigate anywhere outside of the Specops Authentication registration pages. In Secure Access, the Secure Browser is used when a user needs to register for one or more identity services. This should normally only happen once for each user. If the organization already uses Specops Authentication for resetting passwords, the users may already be enrolled and they can start using Secure Access without having to enroll first.

NOTE
Note that even if users have already enrolled with identity services for other Specops Authentication products, they will still have to enroll for Offline code (see below).

Identity services

The additional authentication factors in Specops Authentication are called identity services. Some examples of identity services are Text message, YubiKey, Duo, and Specops:ID. Most identity services require that users use a mobile phone to, for example, receive a text message or use biometrics in an app to prove their identity. Which identity services users can choose from is configured in the policy by the system administrator in Specops Authentication.

Enrollment

In order to use an identity service, users need to be enrolled with it. Users enroll with identity services through the Specops Authentication web, which is presented to them in the Secure Browser if they have not enrolled with any identity services already. Enrolling is another term for registering. Enrolling with identity services may be a slight inconvenience for users, so where possible it is recommended to automate this process for as many identity services as possible. However, automation of user enrollment is not possible for all identity services. Read more about this here.

Offline code

Besides the identity services configured in the policy by administrators in Specops Authentication, users are also required to register for Offline Code. This is a backup authentication method which can be used if an internet connection is not available during sign-in or if something should go wrong with the Specops Authentication services. Obviously, it is very important that users are not prevented from signing in to Windows even when they do not have access to the network, while still retaining the extra layer of security from an extra factor. The Offline Code is a standard time-based one-time password (TOTP), which can be registered in any TOTP app like Google Authenticator or Microsoft Authenticator. The offline code registration is stored securely on the local computer.
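The Offline Code described above is a standard RFC 6238 TOTP, so any TOTP app can hold it. The following is an added example (not Specops code, and not a description of how the Specops Client stores or checks the code) showing the two things a verifier of such a backup factor has to get right: computing the time-based code from a shared secret, and accepting a submitted code only within a small clock-drift window while refusing a replay of a code that was already consumed. The secret used is the published RFC 4226/6238 reference key so the results are checkable; the account name, issuer and the `verify_offline_code` helper are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

# Reference key from RFC 4226 / RFC 6238 test vectors, used here only so the
# expected codes are verifiable. A real enrollment would use new_secret().
EXAMPLE_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per TOTP step (the "period" in the otpauth URI)
DIGITS = 6       # six-digit code, as shown by common authenticator apps


def new_secret(length: int = 20) -> bytes:
    """Fresh random TOTP secret (160 bits for SHA-1, per RFC 4226 guidance)."""
    return secrets.token_bytes(length)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, at_unix_time // step, digits)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps scan (usually rendered as a QR code).
    Account and issuer values are placeholders chosen by the caller."""
    b32 = base64.b32encode(key).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={urllib.parse.quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def verify_offline_code(key: bytes, submitted: str, now_unix_time: int,
                        last_used_step: int, window: int = 1):
    """Check a submitted code against the steps [current-window, current+window].

    Returns (accepted, step_to_record). Any step at or before last_used_step is
    refused even if its code matches, so a code that was already used to sign in
    cannot be replayed, and an old code cannot be accepted after a newer one.
    """
    current = now_unix_time // TIME_STEP
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue  # already consumed (or older than the last accepted step)
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    print(provisioning_uri(EXAMPLE_SECRET, "alice@example.com", "Offline Code Example"))
    # Code from the previous 30-second step is still accepted once, then refused.
    code = totp(EXAMPLE_SECRET, 1111111109)
    ok, step = verify_offline_code(EXAMPLE_SECRET, code, 1111111111, last_used_step=-1)
    again, _ = verify_offline_code(EXAMPLE_SECRET, code, 1111111111, last_used_step=step)
    print(code, ok, again)
```

Persisting `last_used_step` next to the secret is what turns a "one-time" password into one in practice; without it, anyone who observes a code can reuse it for the rest of the step plus the drift window. The window of one step on each side tolerates the phone and the computer disagreeing by up to 30 seconds, which matters for an offline factor precisely because the computer cannot reach a time source.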

Authentication

When users have enrolled with the required identity services, each time they sign in to Windows they will be directed to perform an authentication via Secure Access. An authentication in Secure Access means using one extra factor (identity service) in addition to their regular Windows username and password. This may — depending on the circumstances — also be the Offline Code (see Offline Code above). The authentication flow is streamlined and will present the user with the same factor they used the last time they authenticated. Depending on the identity service, the process may be as simple as tapping one button in a mobile app, or tapping the button on a YubiKey device. The system administrator configures the rules regarding authentication, including how often users need to use Secure Access. The system could for example be configured to only require the extra factor once a day. In this scenario users would bypass Secure Access — using only the Windows password — until the configured time has elapsed.