Additional administrator considerations for authentication with OTP

  • You need to provide information about which credentials are required for authentication together with the Digipass authenticator, i.e. one-time password, server PIN, and/or static password.
  • You can configure Digipass Authentication for Windows Logon (via Digipass Authentication for Windows Logon Configuration Center or via Group Policy) to display a notification (on the Welcome screen or in the Status Hover Pane) upon every authentication attempt with the static password if the grace period is about to expire.
  • You can configure Digipass Authentication for Windows Logon (via Digipass Authentication for Windows Logon Configuration Center or via Group Policy) to enforce OTP authentication for users who have a Digipass authenticator assigned. This will disable the default credential provider on the Select User screen, and users can only select DIGIPASS Authentication. Users who have a Digipass authenticator assigned can only authenticate with OTPs, while users who do not have a Digipass authenticator assigned may use their static password.

    The behavior of the Require Digipass authentication option can be different in RDP scenarios, especially with multiple domains. Consider a scenario where a user is already logged on (computer A) and attempts to connect to another workstation or server (computer B) via remote desktop (RDP), where both computers have Digipass Authentication for Windows Logon installed (but with different configuration settings). If computer B requires OTP authentication but computer A does not, the user may not be required to use an OTP when connecting from computer A to computer B via RDP (because of the settings of computer A). This behavior is caused by a Windows security limitation that forcibly uses the credential provider settings of the source computer and cannot be circumvented in newer Windows versions.

  • You can configure Digipass Authentication for Windows Logon (via Digipass Authentication for Windows Logon Configuration Center or via Group Policy) to display contact information that tells users whom to contact to request a backup Virtual Mobile Authenticator if they have forgotten or lost their Digipass authenticators.
  • You can configure Digipass Authentication for Windows Logon to enforce static password verification when performing offline authentication by disabling Stored Password Proxy and setting Back-End Authentication to Always in the OneSpan Authentication Server configuration.
  • You can configure Digipass Authentication for Windows Logon (via Group Policy only) to always use separate credential fields for the password and the OTP on the Windows Logon screen (see Configuring the Windows Logon screen).