Multi-factor authentication to Microsoft Windows OS (PKI, Passwordless)
Passwordless login and authentication using push notifications, Single Sign-On and PKI certificates
User authentication to the Microsoft Windows operating system using the ProID Mobile method without the need to use the user’s domain password.
Step 1 – Computer
The user selects the option to log on with a mobile phone on the operating system logon page.
Step 2 – Application
A push notification will be sent to the mobile phone, which the user confirms using the selected method.
After confirming the notification, the user is logged into the MS Windows operating system.
Secure and encrypted
Passwordless multi-factor authentication (MFA) to the Microsoft Windows operating system relies on the user’s domain certificate, issued directly by the company’s certification authority (PKI), which provides the highest available level of logon security. When authenticating to the operating system, the user never enters their domain password.
For added security, the user’s presence at the logon computer is always required. This is ensured by encrypted Bluetooth Low Energy (BLE) communication between the phone and the computer, secured with elliptic curve cryptography (ECC).
Authentication also works when the computer has no Internet connection: in that case, communication with the cloud service is automatically routed over the phone’s mobile data connection.
The operating system can also be logged into with other multi-factor methods: smart card, USB token or TPM chip.
How does passwordless login to Windows OS work?
- ProID Middleware (MSI package) installed on the user’s endpoint
- Hardware support for BLE on the user’s computer
Supported authentication methods:
- Push notifications
Supported operating systems:
- Microsoft Windows 11 Home/Pro
- Microsoft Windows 10 Home/Pro
Onboarding the ProID Mobile method for passwordless authentication to MS Windows
- The certification authority (IDNOMIC and MS Server are supported) is extended with a template for issuing the user’s domain certificate for the ProID Mobile method.
- Users from Azure Active Directory (AAD) are added in the portal.proid.cz portal.
- The current ProID Middleware (MSI package) is installed on the user’s computer. Because end users do not have admin rights on the computer, deployment through domain policies (e.g. Group Policy) is recommended. The current version of the ProID Mobile authentication method middleware is available in the portal.proid.cz admin portal.
- The ProID Mobile application is installed on the user’s phone. Users can download it from the public application stores; alternatively, it can be deployed through Mobile Device Management if the customer uses such a system.