ISA Windows Integrated MFA
This Article serves as a Whitepaper for the ISA Windows Integrated MFA feature
Introduction
A User in InstaSafe Secure Access (ISA) with Authentication Type set to ‘Certificate’ would not be prompted by the ISA App for credential verification and two-factor authentication (2FA) to establish his or her identity. Instead, the ISA App would connect automatically, without user input, after validating the user-specific InstaSafe Certificate on the device and on the basis of the security checks (device fingerprint) carried out transparently in the background (when the feature ‘Extended Validation for Certs’ is enabled).
| Authentication Type | ISA App Connection | Credential Verification | 2FA | Security Checks* |
| --- | --- | --- | --- | --- |
| Password + Certificate | On Demand | Yes | Yes (if configured) | Yes (if configured) |
| Certificate | Always-On (Auto Connect) | No | No | Yes (if configured) |

*Security checks include Device Binding, Geo-Location Binding and Device Checks (NAC)
While the ISA App itself would not prompt for credential authentication in Always-On mode, users would still need to authenticate themselves with their domain credentials in order to login to the domain profile on their systems. 2FA, however, is skipped in Always-On mode due to its non-interactive nature that prioritizes convenience. From a security and compliance perspective, 2FA serves as an important check prior to the ISA App connecting and users being granted access to corporate applications.
The ISA Windows MFA feature is essentially an integration that implements MFA as part of the Windows Login, thereby providing an improved security posture for users connecting via Always-On mode. In addition, it also serves as a kind of SSO, where a user needs to authenticate just once in order to login to the Windows system as well as connect the ISA App.
Prerequisites
- The ISA App must be installed and configured for Always-On (Authentication Type = Certificate)
- The username of the profile configured on the Windows system must exist as a provisioned user on the respective ISA Console
- Two Factor Authentication must be enabled either at the User or User Group level. It is preferable to have this enabled at the User level, so that 2FA can be disabled for specific users if ever required
- The feature “Extended Validation for Certs” must be enabled (please contact InstaSafe Support to verify this)
- In the case of domain profiles, it is recommended to allow login using cached credentials
Working
- When a User attempts to sign-in to the Windows system, the authentication request is sent to the ISA Authentication Server for verification. Users provisioned in ISA via AD/LDAP would then be authenticated by the corporate IAM configured for that ISA Console, while Local Users provisioned in ISA would be authenticated by the ISA Authentication Server itself
- Post successful credential verification, ISA Windows MFA would display an OTP prompt
- Although the ISA App is configured for Always-On mode, it would wait for successful completion of MFA before attempting to connect
- Post successful MFA, the InstaSafe Service on the system would be restarted and the ISA App signaled to proceed with the connection attempt. Any ISA security checks configured for the user would be performed at this stage
- The ‘OTP Verification Success' state would be retained for a period of 8 hours, during which, if the ISA App were to disconnect for any reason whatsoever (internet fluctuations, switching between networks, system enters Sleep Mode, etc.), users would not have to re-authenticate themselves. The ISA App would automatically attempt to reconnect in the background
- Once the 8 hour ‘OTP Verification Success' state has expired, the ISA App will not automatically disconnect. However, when the ISA App does disconnect (due to internet fluctuations, switching between networks, system enters Sleep Mode, etc.), the User would be expected to sign-out of their Windows session and re-login if they wish to reconnect the ISA App. Once re-authenticated with the Credentials and MFA, the ISA App would reconnect and users can proceed with their work. In case it is required that the ISA App must disconnect automatically after 8 hours, the Console wide User Setting "Force disconnect after _ hrs" should be configured
- Offline Mode – MFA would be bypassed and the ISA App would not attempt to connect in the following scenarios:
  - The user attempts to sign-in while the system is offline or in flight-mode (no internet connectivity)
  - There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
- In the above scenarios for Offline Mode, the user would be allowed to attempt a sign-in to their Windows profile. Once successfully authenticated by Windows, they would be able to login to their local/domain profile. Corporate applications would, however, be inaccessible since the ISA App would not be connected
- For users that make use of an internet connection that doesn’t connect automatically (for example, a dongle or a new Wi-Fi network), they would login to the Windows profile in the Offline Mode (where the ISA App would not attempt to connect). Once internet connectivity has been established, the user could sign out and re-login to the Windows profile normally, post which the ISA App will connect as expected
- For Users with the ‘Twin Tunnel’ feature enabled and configured on their systems, the Windows MFA would essentially come into play only for the 2nd Tunnel (Data Traffic). The 1st Tunnel (Voice Traffic) would get connected automatically even if the MFA is bypassed at the time of sign-in
- All attempts to sign-in to the Windows profile (while the system is online) would be captured in the ISA Console. Device Information would not be captured along with the authentication request made. Offline authentication to the Windows profile would also not be captured
- OTP Validation Success/Failure Events would be captured under Event Logs and sent to the SIEM
Conditions when MFA will be prompted
- The username entered to login to the Windows profile matches a User provisioned in the respective ISA Console
- The password entered to login to the Windows profile matches the Password used to login to the respective ISA Console (for AD/LDAP Users, the corporate IAM will have accepted the authentication request; for Local Users, the ISA Authentication Server will have accepted the authentication request)
- The ISA App is installed and configured for Always-On. The User's Authentication Type is set to 'Certificate' and 2FA is enabled at User or User Group level
- There is decent internet connectivity and ISA Console reachability at the time of sign-in
- The 8 hour session of the ‘OTP Verification Success' state has not yet been initiated, or the session has expired (and must be re-established)
Conditions when MFA will NOT be prompted
- The username entered to login to the Windows profile doesn't match any User provisioned in the respective ISA Console
- The password entered to login to the Windows profile doesn't match the Password used to login to the respective ISA Console (for AD/LDAP Users, the corporate IAM will have rejected the authentication request; for Local Users, the ISA Authentication Server will have rejected the authentication request)
- The ISA App is not installed on the system
- The ISA Windows MFA feature is not installed
- 2FA is not enabled for the User
- The 8 hour ‘OTP Verification Success' state is still active
- There is poor or no internet connectivity at the time of sign-in
- There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
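The sign-in outcome depends on how the conditions above combine, and the whitepaper spreads that across the Working section and the two condition lists (FAQ 6 repeats the second list). The PowerShell function below is an added example, not InstaSafe code, that models that decision: its inputs describe the state at the moment of sign-in and its output says whether the OTP prompt appears, whether the ISA App goes on to connect, and why. The 8-hour window is taken from the text; the order in which the conditions are evaluated, and the App behaviour when ISA does not accept the username or password, are assumptions drawn from the narrative rather than statements the whitepaper makes.

```powershell
# Added example (not InstaSafe tooling): model of the ISA Windows MFA sign-in decision.
$OtpWindow = New-TimeSpan -Hours 8   # lifetime of the 'OTP Verification Success' state

function Get-IsaSignInDecision {
    param(
        [bool]$Online,              # internet connectivity at sign-in
        [bool]$ConsoleReachable,    # ISA Console reachable (no firewall/proxy block)
        [bool]$AppInstalled,        # ISA App installed and configured for Always-On
        [bool]$MfaModuleInstalled,  # ISA Windows MFA credential provider installed
        [bool]$UserProvisioned,     # Windows username matches a user on the ISA Console
        [bool]$PasswordAccepted,    # password accepted by corporate IAM / ISA Auth Server
        [bool]$TwoFactorEnabled,    # 2FA enabled at User or User Group level
        [datetime]$LastOtpSuccess = [datetime]::MinValue,   # last successful OTP, if any
        [datetime]$Now = (Get-Date)
    )

    $result = [ordered]@{ PromptMfa = $false; AppConnects = $false; Reason = '' }

    # Offline Mode: MFA is bypassed and the ISA App does not attempt to connect.
    # Windows still lets the user into the local/domain profile.
    if (-not $Online -or -not $ConsoleReachable) {
        $result.Reason = 'Offline Mode: Windows sign-in allowed, corporate apps unreachable'
        return [pscustomobject]$result
    }
    if (-not $AppInstalled -or -not $MfaModuleInstalled) {
        $result.Reason = 'ISA App or ISA Windows MFA module not installed; no OTP prompt'
        return [pscustomobject]$result
    }
    if (-not $UserProvisioned -or -not $PasswordAccepted) {
        # Assumption: the whitepaper only states that no OTP prompt appears here;
        # it does not describe what the ISA App does, so AppConnects is left false.
        $result.Reason = 'Username or password not accepted by ISA; no OTP prompt'
        return [pscustomobject]$result
    }
    if (-not $TwoFactorEnabled) {
        $result.AppConnects = $true
        $result.Reason = '2FA not enabled for user; Always-On connects without an OTP'
        return [pscustomobject]$result
    }
    # Within the 8 hour window the App reconnects in the background without a new OTP.
    if (($Now - $LastOtpSuccess) -lt $OtpWindow) {
        $result.AppConnects = $true
        $expires = $LastOtpSuccess + $OtpWindow
        $result.Reason = "OTP Verification Success state still active (expires $expires)"
        return [pscustomobject]$result
    }
    $result.PromptMfa   = $true
    $result.AppConnects = $true   # only after the OTP has been verified
    $result.Reason = 'OTP prompt shown; ISA App connects after successful verification'
    return [pscustomobject]$result
}

# Constructed sample: all checks pass, but the last OTP was 9 hours ago, so a new prompt is due.
Get-IsaSignInDecision -Online $true -ConsoleReachable $true -AppInstalled $true `
    -MfaModuleInstalled $true -UserProvisioned $true -PasswordAccepted $true `
    -TwoFactorEnabled $true -LastOtpSuccess (Get-Date).AddHours(-9)
```

Changing `-LastOtpSuccess` to one hour ago shows the other half of the 8-hour rule: the App reconnects without a prompt, which is why a disconnect after the window has expired requires a sign-out and fresh login rather than a silent reconnect.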
Limitations
For Local Users provisioned with the Activation Method 'Automatically on first login' or 'On Date Time', or when the setting 'Force user to change password on first login' is enabled, the login attempt to the ISA Windows MFA module may fail. Such users must set their ISA Passwords prior to attempting the login on their Windows systems when the ISA Windows MFA module is installed.
Setup
In order to try out the ISA Windows MFA feature, please reach out to the InstaSafe Support Team for the installation links.
Once downloaded, run the MSI installation file to complete the installation. This would require elevated Admin privileges.
The Command Prompt equivalent for installation is mentioned below. This could be used for mass deployment via GPO.
msiexec /qn /i InstaSafeCredentialProviderSetup64.msi
msiexec /qn /i InstaSafeCredentialProviderSetup32.msi
End-User Experience
With the ISA Windows Integrated MFA feature installed on a system, the User will be challenged with a 2FA prompt post entering his/her credentials. Once the Authentication is completed successfully, the User would be signed-in to the system while the ISA App would connect seamlessly in the background.
FAQ
1. How to install the ISA Windows MFA feature?
Prior to installing the feature, ensure the prerequisites are met:
- End-user system running (32bit/64bit) Microsoft Windows 7, 8, 8.1 or 10
- The ISA App must be installed and configured for Always-On (Authentication Type = Certificate)
- The username of the profile configured on the Windows system must exist as a provisioned user on the respective ISA Console
- Two Factor Authentication must be enabled either at the User or User Group level. Preferable to have this enabled at the User level, so that 2FA could be disabled for specific users, if ever required
- The feature “Extended Validation for Certs” must be enabled (please contact InstaSafe Support to verify this)
Download the appropriate binary using the installation links shared by the InstaSafe Support Team:
Once downloaded, run the MSI file to complete the installation. This would require elevated Admin privileges.
The Command Prompt equivalent for installation is mentioned below. This could be used for mass deployment.
msiexec /qn /i InstaSafeCredentialProviderSetup64.msi
msiexec /qn /i InstaSafeCredentialProviderSetup32.msi
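The two `msiexec` lines above (and the identical ones in the Setup section) are the whole of the mass-deployment guidance, so the script below is an added example of how an administrator might wrap them for a GPO startup script. It is not InstaSafe's own tooling. The MSI file names, the requirement for elevated privileges, the "InstaSafe Credential Provider" entry in Programs and Features and the prerequisite that the ISA App be installed first all come from this document; the share path, the log directory and the assumption that the ISA App registers an uninstall entry whose name starts with "InstaSafe" are this example's own.

```powershell
# Added example (not InstaSafe tooling): silent, architecture-aware deployment of the
# ISA Windows MFA credential provider MSI, written for use as a GPO startup script.
#Requires -RunAsAdministrator
param(
    [string]$MsiShare = '\\fileserver\software\InstaSafe',      # assumed UNC share holding both MSIs
    [string]$LogDir   = "$env:ProgramData\InstaSafe\Install"    # assumed log location
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Prerequisite from the whitepaper: the ISA App must already be installed.
# Assumption: the App registers an uninstall entry whose DisplayName starts with "InstaSafe".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$instaSafeEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -like 'InstaSafe*' }

# "InstaSafe Credential Provider" is the Programs and Features name given in FAQ 2.
if ($instaSafeEntries.DisplayName -contains 'InstaSafe Credential Provider') {
    Write-Output 'ISA Windows MFA credential provider already installed; nothing to do.'
    exit 0
}
if (-not $instaSafeEntries) {
    Write-Warning 'ISA App not detected; install and configure it for Always-On first.'
    exit 1
}

# The feature ships as separate 32-bit and 64-bit MSIs; pick the one matching the OS.
$msiName = if ([Environment]::Is64BitOperatingSystem) {
    'InstaSafeCredentialProviderSetup64.msi'
} else {
    'InstaSafeCredentialProviderSetup32.msi'
}
$msiPath = Join-Path $MsiShare $msiName
$logPath = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f $msiName, (Get-Date))

# /qn = no UI (as in the whitepaper), /norestart = never reboot a logged-on user,
# /L*v = verbose installer log for troubleshooting a failed rollout.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
    '/qn', '/norestart', '/i', "`"$msiPath`"", '/L*v', "`"$logPath`""
)

# Standard Windows Installer exit codes: 0 success, 3010 reboot required, 1641 reboot initiated.
switch ($proc.ExitCode) {
    0    { Write-Output "Installed $msiName successfully." }
    3010 { Write-Output "Installed $msiName; a reboot is required before the credential provider loads." }
    1641 { Write-Output "Installed $msiName; the installer initiated a reboot." }
    default { Write-Error "msiexec returned $($proc.ExitCode) for $msiName; see $logPath" }
}
exit $proc.ExitCode
```

Keeping the verbose log per machine matters more here than for an ordinary package: a credential provider that fails to register leaves users at a sign-in screen without the OTP step, which looks identical to the "MFA module not installed" case in the conditions lists, so the installer log is the quickest way to tell the two apart.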
2. How to uninstall the ISA Windows MFA feature?
Go to “Programs and Features”, select “InstaSafe Credential Provider” and click ‘Uninstall’.
3. How to silently uninstall the ISA Windows MFA feature?
Execute the command below in an elevated Command Prompt window (in the directory where the MSI file is present):
msiexec /x InstaSafeCredentialProviderSetup64.msi /q
4. How does the ISA Windows MFA feature work in Offline Mode?
In Offline Mode, MFA will be bypassed when the user attempts to sign-in to the Windows profile. Once successfully authenticated by Windows, they would be able to login to their local/domain profile. Corporate applications would, however, be inaccessible since the ISA App would not be connected.
Note: In Offline Mode, User logins to the Windows profile do not get captured under Event Logs. This would be introduced in future editions.
5. In which scenarios would Offline Mode come into play?
- The user attempts to sign-in while the system is offline or in flight-mode (no internet connectivity)
- There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
- The user makes use of an internet connection that doesn’t connect automatically, for example: dongle, or a new Wi-Fi network
6. In which scenarios would MFA not be prompted?
- The username entered to login to the Windows profile doesn't match with any User provisioned in the respective ISA Console
- The password entered to login to the Windows profile doesn't match the Password used to login to the respective ISA Console (for AD/LDAP Users, the corporate IAM will have rejected the authentication request; for Local Users, the ISA Authentication Server will have rejected the authentication request)
- ISA App is not installed on the system
- ISA Windows MFA feature is not installed
- 2FA is not enabled for the User
- The 8 hour ‘OTP Verification Success' state is still active
- There is poor or no internet connectivity at the time of sign-in
- There is no reachability to the ISA Console at the time of sign-in due to firewall/proxy issues
7. How to relax the MFA requirement and prevent ISA from connecting for Users within the office premises (corporate network)?
The InstaSafe servers with domains “instasafe.net” and “instasafe.com” must be blocked by the internal firewall to bypass MFA while signing into Windows. Please contact InstaSafe Support for the specific IP addresses to be blocked.
8. How will the user connect to ISA once the 8 hour 'OTP Verification Success' state has expired?
Once the 8 hour 'OTP Verification Success' state has expired, the ISA App will not automatically disconnect. However, when the ISA App does disconnect (due to internet fluctuations, switching between networks, system enters Sleep Mode, etc.), the User would be expected to sign-out of their Windows session and re-login if they wish to reconnect the ISA App. Once re-authenticated with the Credentials and OTP, the ISA App would reconnect and users can proceed with their work.
Note: In case it is required that the ISA App must disconnect automatically after 8 hours, the Console wide User Setting "Force disconnect after _ hrs" should be configured.
9. Is the 8hr window ('OTP Verification Success' state) configurable?
The 8hr window is currently not an admin-configurable option. However, the InstaSafe Support Team can be contacted to increase/decrease the window. It might not always be feasible to change this window, and it would be decided on a case-by-case basis.
The ISA App has to be installed before the ISA Windows MFA feature is set up, in addition to ensuring the prerequisites mentioned in Question 1 of this FAQ are met.
Each user on the device will be treated as a different user and the MFA/Notifications will be applicable for that respective user only.
For example, the ISA App on a particular Windows device is configured for the user alice@contoso.com provisioned on the ISA Console ‘Acme’, and there are 2 user profiles configured on the device: Alice and Bob.
- When Alice enters her credentials (and exists as a provisioned user in the Acme Console) at the Windows sign-in page, the Push Notification*/T-OTP would be sent to Alice, post which she would be signed-in to her Windows profile
- If Bob enters his credentials (and exists as a provisioned user in the Acme Console) at the Windows sign-in page, the Push Notification*/T-OTP would be sent to Bob, post which he would be signed-in to his Windows profile
In both cases, the Event Logs will record distinct events, indicating which user completed the Windows MFA Login. However, the ISA User App would connect for Alice, since it is a device-specific configuration, and the logged in user would receive all of Alice’s entitlements to application access (network level access) over InstaSafe.
12. Are Usernames case sensitive?
Yes, the Username entered at the Windows sign-in page (using the ISA Windows MFA feature) must be entered with the same case-sensitivity as that created in or synced to the InstaSafe Console.