InstaSafe | ISA Windows Integrated MFA

ISA Windows Integrated MFA

This Article serves as a Whitepaper for the ISA Windows Integrated MFA feature

Introduction

A User in InstaSafe Secure Access (ISA) with Authentication Type set to ‘Certificate’ is not prompted by the ISA App for credential verification and two-factor authentication (2FA) to establish his or her identity. Instead, the ISA App connects automatically, without user input, after validating the user-specific InstaSafe Certificate on the device and on the basis of the security checks (device fingerprint) carried out transparently in the background (when the feature ‘Extended Validation for Certs’ is enabled).

Authentication Type    | ISA App Connection       | Credential Verification | 2FA                 | Security Checks*
Password + Certificate | On Demand                | Yes                     | Yes (if configured) | Yes (if configured)
Certificate            | Always-On (Auto Connect) | No                      | No                  | Yes (if configured)

*Security checks include Device Binding, Geo-Location Binding and Device Checks (NAC)

While the ISA App itself would not prompt for credential authentication in Always-On mode, users would still need to authenticate themselves with their domain credentials in order to login to the domain profile on their systems. 2FA, however, is skipped in Always-On mode due to its non-interactive nature that prioritizes convenience. From a security and compliance perspective, 2FA serves as an important check, prior to the ISA App connecting and users being granted access to corporate applications.

The ISA Windows MFA feature is essentially an integration that implements MFA as part of the Windows Login, thereby providing an improved security posture for users connecting via Always-On mode. In addition, it also serves as a kind of SSO, where a user needs to authenticate just once in order to login to the Windows system as well as connect the ISA App.

Prerequisites

  1. The ISA App must be installed and configured for Always-On (Authentication Type = Certificate)
  2. The username of the profile configured on the Windows system must exist as a provisioned user on the respective ISA Console
  3. Two Factor Authentication must be enabled either at the User or User Group level. It is preferable to enable this at the User level, so that 2FA can be disabled for specific users if ever required
  4. The feature “Extended Validation for Certs” must be enabled (please contact InstaSafe Support to verify this)
  5. In case of domain profiles, it is recommended to allow login using cached credentials, so that domain users can still sign in when the domain controller is not reachable

Working

  1. When a User attempts to sign-in to the Windows system, the authentication request is sent to the ISA Authentication Server for verification. Users provisioned in ISA via AD/LDAP would then be authenticated by the corporate IAM configured for that ISA Console, while Local Users provisioned in ISA would be authenticated by the ISA Authentication Server itself
  2. Post successful credential verification, ISA Windows MFA would display an OTP prompt
  3. Although the ISA App is configured for Always-On mode, it would wait for successful completion of MFA before attempting to connect
  4. Post successful MFA, the InstaSafe Service on the system would be restarted and ISA App signaled to proceed with the connection attempt. Any ISA security checks configured for the user would be performed at this stage
  5. The ‘OTP Verification Success' state would be retained for a period of 8 hours, during which if the ISA App were to disconnect for any reason whatsoever (internet fluctuations, switching between networks, system enters Sleep Mode, etc.), users would not have to re-authenticate themselves. The ISA App would automatically attempt to reconnect in the background
  6. Once the 8 hour ‘OTP Verification Success' state has expired, the ISA App will not automatically disconnect. However, when the ISA App does disconnect (due to internet fluctuations, switching between networks, system enters Sleep Mode, etc.), the User would be expected to sign-out of their Windows session and re-login if they wish to reconnect the ISA App. Once re-authenticated with the Credentials and MFA, the ISA App would reconnect and users can proceed with their work. In case it is required that the ISA App must disconnect automatically after 8 hours, the Console-wide User Setting "Force disconnect after _ hrs" should be configured
  7. Offline Mode – MFA would be bypassed and the ISA App would not attempt to connect in the following scenarios:
    1. The user attempts to sign-in while the system is offline or in flight-mode (no internet connectivity)
    2. There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
  8. In the above scenarios for Offline Mode, the user would be allowed to attempt a sign-in to their Windows profile. Once successfully authenticated by Windows, they would be able to login to their local/domain profile. Corporate applications would, however, be inaccessible since the ISA App would not be connected
  9. For users that make use of an internet connection that doesn’t connect automatically example: dongle, or a new Wi-Fi Network; they would login to the Windows profile in the Offline Mode (where the ISA App would not attempt to connect). Once internet connectivity has been established, the user could sign out and re-login to the Windows profile normally, post which the ISA App will connect as expected
  10. For Users with the ‘Twin Tunnel’ feature enabled and configured on their systems, the Windows MFA would essentially come into play only for the 2nd Tunnel (Data Traffic). The 1st Tunnel (Voice Traffic) would get connected automatically even if the MFA is bypassed at the time of sign-in
  11. All attempts to sign-in to the Windows profile (while the system is online) would be captured in the ISA Console. Device Information would not be captured along with the authentication request made. Offline authentication to the Windows profile would also not be captured
  12. OTP Validation Success/Failure Events would be captured under Event Logs and sent to the SIEM

Conditions when MFA will be prompted

  1. The username entered to login to the Windows profile matches with a User provisioned in the respective ISA Console
  2. The password entered to login to the Windows profile matches with the Password used to login to the respective ISA Console (For AD/LDAP Users, the corporate IAM will have accepted the authentication request. For Local Users, the ISA Authentication Server will have accepted the authentication request)
  3. ISA App is installed and configured for Always-On. The User's Authentication Type is set to 'Certificate' and 2FA is enabled at User or User Group level
  4. There is working internet connectivity and ISA Console reachability at the time of sign-in
  5. The 8 hour session of ‘OTP Verification Success' state has not yet been initiated, or the session has expired (and must be re-established)

Conditions when MFA will NOT be prompted

  1. The username entered to login to the Windows profile doesn't match with any User provisioned in the respective ISA Console
  2. The password entered to login to the Windows profile doesn't match with the Password used to login to the respective ISA Console (For AD/LDAP Users, the corporate IAM will have rejected the authentication request. For Local Users, the ISA Authentication Server will have rejected the authentication request)
  3. ISA App is not installed on the system
  4. ISA Windows MFA feature is not installed
  5. 2FA is not enabled for the User
  6. The 8 hour ‘OTP Verification Success' state is still active
  7. There is poor or no internet connectivity at the time of sign-in
  8. There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues

Limitations

For Local Users provisioned with the Activation Method 'Automatically on first login' or 'On Date Time', or when the setting 'Force user to change password on first login' is enabled, the login attempt to the ISA Windows MFA module may fail, since the ISA Password against which the Windows credentials are verified has not yet been set. Such users must set their ISA Passwords prior to attempting the login on their Windows systems when the ISA Windows MFA module is installed

Setup

In order to try out the ISA Windows MFA feature, please reach out to the InstaSafe Support Team for the installation links.

Once downloaded, run the installation (MSI) file to complete the installation. This would require elevated Admin privileges.
 
The Command Prompt equivalent for installation is mentioned below. This could be used for mass deployment via GPO.

msiexec /qn /i InstaSafeCredentialProviderSetup64.msi
msiexec /qn /i InstaSafeCredentialProviderSetup32.msi
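For mass deployment (for example as a GPO startup script) the two msiexec command lines above are usually wrapped in a script that picks the right MSI for the OS architecture, checks the prerequisite that the ISA App is already present, writes an installer log and verifies the result. The script below is an added example and not InstaSafe's own tooling. It assumes the MSI files sit on a share given by $MsiDir, that the ISA App can be recognised in Programs and Features by the display-name pattern $IsaAppDisplayName (adjust this to the actual entry), and that the credential provider registers under the display name "InstaSafe Credential Provider", which is the name the page gives for manual uninstall.

```powershell
# Added example (not InstaSafe's tooling): unattended install/uninstall of the ISA Windows
# Integrated MFA credential provider with pre-checks, logging and post-install verification.
[CmdletBinding()]
param(
    [string]$MsiDir = '\\fileserver\deploy\instasafe',   # assumed share path holding the MSIs
    [string]$IsaAppDisplayName = 'InstaSafe*',           # assumed pattern for the ISA App entry
    [string]$LogDir = "$env:ProgramData\InstaSafe\deploy",
    [switch]$Uninstall
)

$ErrorActionPreference = 'Stop'

# Programs and Features is built from these two uninstall hives (64-bit and 32-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProduct {
    param([string]$DisplayNamePattern)
    Get-ChildItem $uninstallRoots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like $DisplayNamePattern }
}

# The page ships a 32-bit and a 64-bit MSI; pick the one matching the OS.
$msiName = if ([Environment]::Is64BitOperatingSystem) {
    'InstaSafeCredentialProviderSetup64.msi'
} else {
    'InstaSafeCredentialProviderSetup32.msi'
}
$msiPath = Join-Path $MsiDir $msiName

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$mode    = if ($Uninstall) { 'uninstall' } else { 'install' }
$logPath = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f $mode, (Get-Date))

if (-not $Uninstall) {
    # Prerequisite from the page: the ISA App must already be installed. Whether it is
    # configured for Always-On (Authentication Type = Certificate) is an ISA Console setting
    # and cannot be verified from the endpoint here.
    if (-not (Get-InstalledProduct $IsaAppDisplayName)) {
        throw 'ISA App not found in Programs and Features; install and configure it for Always-On first.'
    }
    if (Get-InstalledProduct 'InstaSafe Credential Provider') {
        Write-Host 'InstaSafe Credential Provider already installed; nothing to do.'
        return
    }
    if (-not (Test-Path $msiPath)) { throw "MSI not found: $msiPath" }
    $msiArgs = @('/qn', '/i', "`"$msiPath`"", '/L*v', "`"$logPath`"")
} else {
    # Silent uninstall needs the same MSI file present, as the page's FAQ notes.
    $msiArgs = @('/x', "`"$msiPath`"", '/q', '/L*v', "`"$logPath`"")
}

# msiexec exit codes: 0 = success, 3010 = success but reboot pending; anything else failed
# and the verbose log written above is where to look.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "msiexec succeeded ($mode, $msiName)" }
    3010    { Write-Warning "msiexec succeeded but a reboot is required ($mode, $msiName)" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $logPath" }
}

# Post-run check against the same Programs and Features entry the page points to.
$installed = Get-InstalledProduct 'InstaSafe Credential Provider'
if ($Uninstall -and $installed)         { throw 'Credential provider still listed after uninstall.' }
if (-not $Uninstall -and -not $installed) { throw 'Credential provider not listed after install.' }
```

Run it from an elevated session (or as a computer startup script, which already runs as SYSTEM); pass -Uninstall to remove the provider silently. Because the verbose log lands under ProgramData, a failed rollout on a fleet can be diagnosed without touching the user's session.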

End-User Experience

With the ISA Windows Integrated MFA feature installed on a system, the User will be challenged with a 2FA prompt post entering his/her credentials. Once the Authentication is completed successfully, the User would be signed-in to the system while the ISA App would connect seamlessly in the background.

FAQ

1. How to install the ISA Windows MFA feature?

Prior to installing the feature, ensure the prerequisites are met:
  1. End-user system running (32bit/64bit) Microsoft Windows 7, 8, 8.1 or 10
  2. The ISA App must be installed and configured for Always-On (Authentication Type = Certificate)
  3. The username of the profile configured on the Windows system must exist as a provisioned user on the respective ISA Console
  4. Two Factor Authentication must be enabled either at the User or User Group level. It is preferable to enable this at the User level, so that 2FA can be disabled for specific users if ever required
  5. The feature “Extended Validation for Certs” must be enabled (please contact InstaSafe Support to verify this)
Download the appropriate binary (32-bit or 64-bit) using the installation links shared by the InstaSafe Support Team.

Once downloaded, run the MSI file to complete the installation. This would require elevated Admin privileges.

The Command Prompt equivalent for installation is mentioned below. This could be used for mass deployment.

msiexec /qn /i InstaSafeCredentialProviderSetup64.msi
msiexec /qn /i InstaSafeCredentialProviderSetup32.msi

2. How to uninstall the ISA Windows MFA feature?

Go to “Programs and Features”, select “InstaSafe Credential Provider” and click ‘Uninstall’.

3. How to silently uninstall the ISA Windows MFA feature?

Execute the command below in an elevated Command Prompt window (in the directory where the MSI file is present):

msiexec /x InstaSafeCredentialProviderSetup64.msi /q

On 32-bit systems, use InstaSafeCredentialProviderSetup32.msi in the command above.

4. How does the ISA Windows MFA feature work in Offline Mode?

In Offline Mode, MFA will be bypassed when the user attempts to sign-in to the Windows profile. Once successfully authenticated by Windows, they would be able to login to their local/domain profile. Corporate applications would, however, be inaccessible since the ISA App would not be connected.

Note: In Offline Mode, User logins to the Windows profile do not get captured under Event Logs. This would be introduced in future editions.

5. In which scenarios would Offline Mode come into play?

  1. The user attempts to sign-in while the system is offline or in flight-mode (no internet connectivity)
  2. There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
  3. The user makes use of an internet connection that doesn’t connect automatically, for example: dongle, or a new Wi-Fi network

6. In which scenarios would MFA not be prompted?

  1. The username entered to login to the Windows profile doesn't match with any User provisioned in the respective ISA Console
  2. The password entered to login to the Windows profile doesn't match with the Password used to login to the respective ISA Console (For AD/LDAP Users, the corporate IAM will have rejected the authentication request. For Local Users, the ISA Authentication Server will have rejected the authentication request)
  3. ISA App is not installed on the system
  4. ISA Windows MFA feature is not installed
  5. 2FA is not enabled for the User
  6. The 8 hour ‘OTP Verification Success' state is still active
  7. There is poor or no internet connectivity at the time of sign-in
  8. There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues

7. How to relax the MFA requirement and prevent ISA from connecting for Users within the office premises (corporate network)?

The InstaSafe servers with domains “instasafe.net” and “instasafe.com” must be blocked by the internal firewall. With the ISA Console unreachable, the Windows sign-in is handled as an Offline Mode sign-in: MFA is bypassed and the ISA App does not attempt to connect. Please contact InstaSafe Support for the specific IP addresses to be blocked. Note that, as with any Offline Mode sign-in, these Windows logins are not captured in the ISA Console Event Logs.

8. How will the user connect to ISA once the 8 hour 'OTP Verification Success' state has expired?

Once the 8 hour 'OTP Verification Success' state has expired, the ISA App will not automatically disconnect. However, when the ISA App does disconnect (due to internet fluctuations, switching between networks, system enters Sleep Mode, etc.), the User would be expected to sign-out of their Windows session and re-login if they wish to reconnect the ISA App. Once re-authenticated with the Credentials and OTP, the ISA App would reconnect and users can proceed with their work.

Note: In case it is required that the ISA App must disconnect automatically after 8 hours, the Console wide User Setting "Force disconnect after _ hrs" should be configured.

9. Is the 8hr window ('OTP Verification Success' state) configurable?

The 8hr window is currently not an admin configurable option. However, the InstaSafe Support Team can be contacted to increase/decrease the window. It might not always be feasible to change this window, and would be decided on a case-to-case basis.

10. Will the ISA Windows MFA feature work as soon as the MSI is installed? If not, what else needs to be configured?

The ISA App has to be installed before the ISA Windows MFA feature is set up, in addition to ensuring the prerequisites mentioned in Question 1 of this FAQ are met.

11. What would be the behaviour on devices shared between multiple users? (multiple user profiles configured on the same Windows system)

Each user on the device will be treated as a different user and the MFA/Notifications will be applicable for that respective user only.

For example, the ISA App on a particular Windows device is configured for the user alice@contoso.com provisioned on the ISA Console ‘Acme’, and there are 2 user profiles configured on the device: Alice and Bob

When Alice enters her credentials (and exists as a provisioned user in the Acme Console) at the Windows sign-in page, the Push Notification*/T-OTP would be sent to Alice, post which she would be signed-in to her Windows profile
If Bob enters his credentials (and exists as a provisioned user in the Acme Console) at the Windows sign-in page, the Push Notification*/T-OTP would be sent to Bob, post which he would be signed-in to his Windows profile

In both cases, the Event Logs will record distinct events, indicating which user completed the Windows MFA Login. However, the ISA User App would connect for Alice, since it is a device-specific configuration, and the logged in user would receive all of Alice’s entitlements to application access (network level access) over InstaSafe
*Push Notification based approvals along with biometric authentication are possible by using the InstaSafe Authenticator App available on the Google Play Store and the Apple App Store.

12. Are Usernames case sensitive?

Yes, the Username entered at the Windows sign-in page (using the ISA Windows MFA feature) must be entered with the same case-sensitivity as that created in or synced to the InstaSafe Console.