Passwords are a huge contributor to enterprise vulnerability. With their high cost and friction, they’re the sore point that continually creates problems. According to the Verizon DBIR 2020, a whopping 75% to 81% of data breaches over the last 5 years are due to vulnerabilities of binary authentication, such as passwords—even when combined with weak Two-Factor Authentication (2FA) and certain Multi-Factor Authentication (MFA). No one believes that they’re the next victim of a breach, until they are.
Passwordless Workstation Secure Login is the first step to establish root of trust eliminating the vulnerabilities of passwords.
Passwordless Workstation is a secure login for Win 10 and Mac workstations that uses an intelligent multi-factor authentication and is the first step to establish a root of trust to elevate platform security.
Combining the OS credential providers with an Intelligent Multi-Factor Authentication (MFA) makes passwords benign for both Mac OS and Win 10 platforms. The benefits include:
- Secure passwordless login
- Reduced helpdesk cost
- Minimized friction
- Wide range of authentication methods (PUSH, Offline TOTP, SMS, Email, FIDO token (e.g. YubiKey), Biometric/Touch-ID, FIDO biometric-PIN)
- Audit trail
- Risk based continuous authentication
Yes, you need a mobile device in order to pair your workstation and websites (where applicable) to the It’sMe™ App.
You will lose the convenience and safety of a risk-based authentication system.
No. The purpose of passwordless intelligent MFA is to eliminate passwords and their vulnerabilities. That said, enterprise IT has the option to enable various first factors, including passwords/passphrases.
Using the It’sMe™ app you can lock your machine remotely. Navigate to the Workstations tab, then select your workstation and click on “Lock”.
- FIDO Push
- SMS TOTP/OTP
- Email TOTP/OTP
- TOTP (requires a paired phone with It’sMe application installed, or an Acceptto token device)
- FIDO USB Device (e.g. YubiKey)
- Windows Hello Biometric (FP/FR)
- Smart Card (HID)
- Discrete USB biometric
- Password/Passphrase (fallback for pilot only unless passphrases are used; not recommended)
Other offline authenticators such as Win Hello Biometrics and FIDO authenticators (like Yubikey) can be provisioned for offline support. In certain instances, enterprise IT may enable password/passphrase factors.
If you’re offline, you can log in to your machine using the Offline TOTP feature. On the It’sMe interface, navigate to the Workstations tab and input the 6-digit TOTP code to log in. Other offline authenticators such as biometrics and YubiKey can be provisioned for offline support.
Contact the helpdesk to unlock your workstation.
There are a few reasons why your TOTP may not work:
- Your workstation clock may be out of sync. Verify that your workstation’s Time and Date setting is set to “Set Time Automatically”.
- You may be inputting the incorrect TOTP code. Verify that you are viewing the correct workstation on It’sMe and that you are typing the code in accurately.
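The clock-sync item above is the one that trips people up, because a TOTP code is nothing more than an HMAC over the current 30-second time slice: if the workstation's clock sits outside the verifier's tolerance window, every code the phone shows is "wrong". The following is an added example, not Acceptto's or It'sMe's code; it implements standard RFC 6238 (HMAC-SHA1, 30-second step, 6 digits, which is an assumption about parameters the page does not state beyond "6-digit") and shows how a one-step tolerance window accepts a 25-second skew but rejects a two-minute one. The shared secret is the RFC 6238 test-vector key, so the generated values can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
# authenticator would hold a random secret provisioned at pairing time.
TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter floor(T / step)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, verifier_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- window.

    The window is the only thing standing between a slightly drifted clock
    and a locked-out user; widening it also widens the guessing surface,
    so verifiers keep it small (one step either way is common).
    """
    for k in range(-window, window + 1):
        candidate = totp(secret, verifier_time + k * step, step, digits)
        # constant-time compare so the check does not leak matching prefixes
        if hmac.compare_digest(candidate, code):
            return True
    return False


def accepted_with_skew(secret: bytes, skew_seconds: int, verifier_time: int = 1_000_000,
                       window: int = 1) -> bool:
    """Simulate a phone whose clock is skew_seconds ahead of the verifier.

    verifier_time is a constructed fixed timestamp so the result is
    deterministic; the phone generates its code from the skewed clock.
    """
    phone_code = totp(secret, verifier_time + skew_seconds)
    return verify_totp(secret, phone_code, verifier_time, window=window)


if __name__ == "__main__":
    for skew in (0, 25, 120):
        print(f"skew {skew:4d}s -> accepted: {accepted_with_skew(TEST_SECRET, skew)}")
```

With the fixed verifier time used here a 25-second skew lands in the adjacent step and is accepted, while a 120-second skew is four steps away and fails even though the code itself was generated correctly; that is exactly the "set time automatically" failure mode the list describes, and why re-syncing the clock rather than retyping the code is the fix.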
Yes, multiple pairings are allowed. Note that the first device and proof of identity for the claimed identity are required to pair additional mobile devices.
For security reasons, the offline TOTP on secondary device(s) is not automatic and requires manual pairing. This implies that upon replacing devices (lost or stolen device, upgrades) offline TOTP is lost, which puts offline authentication at risk. The unpair-pair procedure of secondary devices needs to be carefully understood by enterprise for this reason.
It’sMe will retain any workstations you currently have when you upgrade or replace your mobile device. However, TOTPs are stored on the device for security reasons; therefore, when you view your workstation in It’sMe on your new device, you will not see a TOTP. Use the ‘Add Offline Authenticator’ feature on the MFA dialog to add a new TOTP code on your new device.
When on the home screen of your mobile device, press and hold the It’sMe icon to reveal a list of options. There, you will see ‘Unlock Workstation’. Selecting this option means that the next workstation authentication made on your account will be automatically accepted.
Yes, with “show previews” enabled on your device, it is possible to respond to a push notification from the locked screen.
From the locked screen, tap on the preview notification and select “Accept”. This will be followed by a biometric gesture (Face or Touch ID) to approve authentication. If this authentication method is not verified, it will then ask for the next failsafe method, e.g. a passcode.
Before It’sMe can be used, it must be paired with eGuardian. After installing and opening the app for the first time, you will see the pairing screen. From this screen there are two ways to pair:
In Line Pairing – Your organization will provide instructions that guide you to a QR code that will be scanned to pair the device by accessing a secure website.
Email Pairing – Tap the “No QR Code? Sign Up!” and enter your enterprise email to receive an email with instructions to pair. If you are on your workstation, scan the QR code within the body of the email using It’sMe.
For fast pairing on your mobile device, click on universal link icon in the received “Pair your device” email.
However, there is a known Apple issue with universal links (also read OpenRadar). If you encounter this iOS bug, you can scan the QR code from the Workstation “Pair your device” email.
This video explains the pairing process as well as how the different authentication factors for online and offline access work.
There is a known Apple issue with Universal Links not working properly on mobile devices. Read more here. You can open the email on your workstation and then scan the pairing QR code that is within the body of the email in order to pair It’sMe.