Windows HyID Credential Provider

Overview

Accops HyID

Accops HyID is an Identity and Access Management solution designed to safeguard your critical business applications and data from unauthorized use by internal and external users by managing user identities and monitoring user access. The out-of-the-box MFA can be easily integrated with all your modern, legacy, cloud, and on-prem solutions. HyID provides users solid control over endpoints, enabling contextual access, device entry control, and a flexible policy framework. HyID offers multiple interfaces and connectors based on LDAP, RADIUS, and SAML to add MFA to any third-party solutions. HyID provides multiple MFA tokens and factors like SMS, Email, Mobile Apps, Hardware OTP tokens, push notifications to phones or PCs, biometrics, FIDO, and device hardware ID & PKI. The Single Sign-On (SSO) feature provides better security and convenience.

About this document

Installing and configuring the HyID Credential Provider is a prerequisite for implementing Two-Factor Authentication (2FA). This document provides steps to install Windows HyID Credential Provider on a Windows server or Windows 10 machine.

Applicable Version

This document was created using:

  • HyID Version 5.4 SP6
  • Windows Credential Provider version 1.1.3.14
  • Windows Server 2012 R2/2016/2019 and Windows 10

Note

The screenshots may differ in different setup versions.

HyID Policy creation for Windows Credential Provider

  1. Log in to the HySecure Management Console.

  2. Go to Policies > HyID Policies and click Add.

  3. Provide the following details:

    • HyID Policy Name: Name to identify the policy.
    • HyID Policy Description: Description of the policy.
    • HyID Policy Type: Choose HyID policy type as HyID Desktop Agent.
    • Select Priority of the Policy: Select priority as 1. Change if you have multiple HyID Desktop Agent type HyID policies.
    • Select Authentication Domain: Select the HySecure authentication domain where you have added your authentication servers.
    • Select Authorization server: Select the Authorization server with which the user will get authorized.
    • Select Policy Assignment type: Select the appropriate option as required: All Users, User Groups, or Organizational Units.
    • Select User: Select the users or user groups to which you want to apply 2FA via the Windows Credential Provider.
  4. In the HyID Desktop Agent section, two-factor authentication can be enabled for desktop login or remote desktop connection (MSTSC). If required, enable both.

    We have selected both for demo purposes. In the Windows credential provider, select the types of 2FA you want. We have selected Mobile tokens and Push notifications for demo purposes.

  5. The Email and SMS OTP Configuration section contains all the Email and SMS token-related settings. For details regarding each option, refer to the management console section of HyID.

  6. The Mobile/PC token Configuration section contains all the Mobile and PC token-related settings. For details regarding each option, refer to the management console section of HyID.

  7. The HyID Desktop Configuration section contains all the configurations related to the HyID Desktop agent. For details regarding each option, refer to the management console section of HyID.

  8. Allow OTP for workstation unlocks/sleep/hibernate: Enable this option to prompt for an OTP whenever the system is unlocked, sleeps, or hibernates.

  9. Master Password to bypass OTP: The admin can create a master password for cases where the user has lost their mobile device or, for any other reason, cannot provide an OTP and needs to bypass MFA one time.

  10. Enable OTP for Domain Users: If the server or machine is domain-joined, enable this option to prompt for MFA on domain user login.

  11. Enable OTP for Workgroup User: If the server or machine is a workgroup machine, enable this option to prompt for MFA on local user login. Note that the admin has to create the same local user in the Native User directory of HySecure and select the Native Authentication server in the Authentication domain.

  12. Ask Domain Credential for Workgroup User: If the admin does not want to create a local user in the HySecure native directory, enable this option. The local user is then prompted for domain credentials, and if a HyID policy exists for that domain user, the user has to provide an MFA token to log in.

  13. Offline OTP Configuration: This section contains all the settings for use cases where the Windows agent loses its connectivity with the HyID Server and the user wants to use an offline token for a few attempts. For details regarding each option, refer to the management console section of HyID.

  14. Click Submit and create a HyID Policy for Windows Credential Provider.

Installation Of HyID Desktop Windows Credential Provider

The administrator can self-register and activate their Mobile token on their mobile phones by accessing the public URL of HySecure Gateway. Refer to the Mobile token registration SOP to reactivate mobile tokens.

Follow the steps below to install the Windows HyID Credential Provider:

  1. Copy the HyID setup file to the desktop folder of the Windows machine and run it with administrator privileges.

  2. Click Next to proceed further.

  3. Accept the license agreement to proceed.

  4. At the prompt to choose the components, select Accops HyID Service and HyID Secure Logon and click Next to proceed.

  5. Provide the IP address of the HySecure Primary and Secondary server for fetching the 2FA policy from the HySecure gateway and the authentication Domain ID, and click Install to proceed.

  6. Click Get Setting to fetch HySecure server details and proceed to the next step.

  7. After a successful connection, the agent provides the connection details. Click OK to continue.

  8. Click Finish to complete agent installation.

  9. Once the client is installed, log out and re-login to the server. You will be prompted for the login credentials followed by the 2FA option that the Admin has selected while creating the HyID policy. Select one option, enter your OTP, and log in.

Note

Verify that the HyID policy has been created and the user has been added to the HyID policy in the HySecure management console.
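
A post-install check for the procedure above, as an added example that is not part of the Accops documentation: it lists every credential provider registered on the machine with its DLL path, Authenticode status and Disabled flag, so you can confirm the new provider is present and signed. The name pattern `*HyID*` is an assumption (the page does not state the registered name), as is the System32 location for bare DLL names.

```powershell
# Added example: inventory registered Windows credential providers after the install.
# ASSUMPTION: the agent registers under a name matching '*HyID*'; the page does not state it.
$NamePattern = '*HyID*'
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

$providers = foreach ($key in Get-ChildItem -LiteralPath $cpRoot) {
    $clsid  = $key.PSChildName
    $name   = [string]$key.GetValue('')        # default value holds the friendly name
    $dll    = $null
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
        # ASSUMPTION: a bare file name is taken to live in System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
    }
    # Only check the signature when the DLL actually exists on disk.
    $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
        Get-AuthenticodeSignature -LiteralPath $dll
    }
    [pscustomobject]@{
        Name     = $name
        Clsid    = $clsid
        Disabled = ($key.GetValue('Disabled') -eq 1)
        Dll      = $dll
        SigState = if ($sig) { $sig.Status } else { 'NoFile' }
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Full inventory: any unexpected or unsigned provider deserves a closer look.
$providers | Sort-Object Name | Format-Table Name, Disabled, SigState, Dll -AutoSize

# The provider installed by this procedure (matched by the assumed name pattern).
$hyid = @($providers | Where-Object { $_.Name -like $NamePattern })
if ($hyid.Count -eq 0) {
    Write-Warning "No credential provider matching '$NamePattern' is registered."
} else {
    $hyid | Format-List
}
```

Run it from an elevated PowerShell session on the machine where the agent was installed; saving the output as a baseline lets later runs show providers that were added or changed.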