When an InstaSafe Secure Access (ISA) user has Authentication Type set to ‘Certificate’ instead of Password+Certs, this is defined as Always-On mode.
In Always-On mode, the user is prompted for the username and password only during installation of the User Agent. On subsequent attempts to connect to the ISA server, the ISA Agent connects automatically, without user input, using the user-specific certificate for authentication. However, if Two-Factor Authentication (TFA) is enabled for the user or the user group, the user is served a push notification to select the method for receiving the OTP. Additional security parameters such as Device Checks, Device Binding, and Geo Binding are applied if the ‘Extended Validation for Certs’ feature is enabled.
Authentication Type | ISA User Agent Connection | Password Prompt | 2FA (if configured) | Security Checks (if configured) |
Password+Certs | On Demand | Yes | Yes | Yes |
Certificate | Always-On | No | Yes | Yes |
Note: Security checks include Device Binding, Geo Binding and Device Checks
While the ISA User Agent does not prompt for credentials in Always-On mode, users still need to authenticate with their domain credentials in order to log in to the domain profile on their systems. Because Always-On performs a non-interactive login, authentication is based on user and device certificates.
Always-On mode is not recommended for stricter security and compliance requirements where Multi-Factor Authentication (MFA) is mandatory.