Configuring the Windows Logon screen

By default, Digipass Authentication for Windows Logon shows a single Password field on the Windows Logon screen, and users must type the static password immediately followed by the OTP in that one field, i.e. passwordotp.

You can configure Digipass Authentication for Windows Logon to use separate credential fields for the password and the OTP on the Windows Logon screen.

To enable and configure this behavior, set the following options in the Group Policy (Computer Configuration > Policies > Administrative Templates > OneSpan > Digipass Authentication for Windows Logon > Display and User Experience):

  • Use separate credential fields for logon. Set this option to Enabled to enable separate credential fields.
  • When enabled, use the Options fields to configure the look and behavior of the separate credential fields. The credential field layout is described as a list of JSON objects, where each JSON object defines one credential field in the UI. You can define up to three custom fields.

Each JSON object must contain the following name/value pairs (if a value is set to null, the default value applies):

  • "label": label

    Defines the label to show in the UI.

    Default value: "Field n", where n is the index of the field in the list, starting at 1.

  • "order": order

    Defines the concatenation order of the field, i.e. at which position in the final credential string the field's value is inserted. Must be unique across all fields. Note that the fields are shown in the UI in the order they are specified in the JSON object list.

    Default value: The order of the field in the list.

  • "required": [true|false]

    Determines whether this field is mandatory (true) or can be left blank (false).

    Default value: false

  • "mask": [true|false]

    Determines whether the input typed in the field is obscured with asterisks (true) or is shown visibly as plain text (false). Keep masking enabled for any field that receives a static password or PIN; in the default layout only the OTP is shown in plain text.

    Default value: true

  • "check": expression

    Defines an optional validation expression that restricts the length of the input. It consists of a comparison operator (either '<', '=', or '>') followed by a non-negative number, and is evaluated against the number of characters entered (e.g. ">5" requires at least 6 characters).

    Default value: "" (no length validation)

Note that you must specify the list of JSON objects on a single line; newline characters are not allowed.

Default value

This example is the default value. It renders two fields. The first field is labeled Password, is optional, and its input is masked with asterisks and not length-checked. The second field is labeled OTP, is optional, and its input is shown as plain text and must be at least 6 characters long.

The final credential string would be passwordotp.

[{"label":"Password","order":1,"required":false, "mask":true,"check":""}, {"label":"OTP","order":2,"required":false,"mask":false,"check":">5"} ]

Three separate fields

This example uses the maximum of three custom fields, for the static password, the OTP, and a server PIN. The first field is labeled Password, is optional, and its input is masked with asterisks and not length-checked. The second field is labeled OTP, is optional, and its input is shown as plain text and must be at least 6 characters long. The third field is labeled Server PIN, is optional, and its input is masked with asterisks and must be exactly 4 characters long if entered. It is rendered in the third position in the UI, but because its order is set to 2, its value is inserted at the second position of the credential string.

The final credential string would be passwordserver_pinotp.

[{"label":"Password","order":1,"required":false, "mask":true,"check":""}, {"label":"OTP","order":3,"required":false,"mask":false,"check":">5"}, {"label":"Server PIN","order":2,"required":false,"mask":true,"check":"=4"} ]

Additional considerations

  • Custom fields are only considered and rendered for the OTP credential provider. They do not apply to the push notification credential provider.
  • If Digipass Authentication for Windows Logon cannot parse the custom field configuration, e.g. because the syntax is invalid, it ignores the configuration and uses the default behavior (only one Password field). Because the fallback is silent, verify the logon screen on a reference machine after changing the value.
  • If the credentials entered by the user do not meet the validation conditions, a corresponding error message is shown. This does not increase the user lock count.
  • These options only change how the input form is displayed on the client side. The internal logon handling is not affected and works the same, regardless of the number of input fields shown.
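The following Python model, added here as an illustration and not OneSpan's own code, implements the field-layout rules described above (the five name/value pairs, null-to-default substitution, the three-field limit, unique "order" values, the "check" length expressions, and concatenation by "order" rather than by display position) and reproduces the two examples. The fallback for an unparsable configuration is modelled as a single Password field; the constant names, the error messages and the exact shape of the fallback are assumptions of this example, not documented product behavior.

```python
"""Model of the separate-credential-field layout of Digipass Authentication
for Windows Logon. Added example, not OneSpan code: it follows the documented
name/value pairs and examples; the fallback layout and messages are assumed."""
import json
import re

MAX_FIELDS = 3
_CHECK_RE = re.compile(r"^([<=>])(\d+)$")          # operator + non-negative number

# The two layouts from the documentation, as single-line JSON lists.
DEFAULT_LAYOUT = ('[{"label":"Password","order":1,"required":false,"mask":true,"check":""},'
                  '{"label":"OTP","order":2,"required":false,"mask":false,"check":">5"}]')
THREE_FIELD_LAYOUT = ('[{"label":"Password","order":1,"required":false,"mask":true,"check":""},'
                      '{"label":"OTP","order":3,"required":false,"mask":false,"check":">5"},'
                      '{"label":"Server PIN","order":2,"required":false,"mask":true,"check":"=4"}]')
# Assumption: an unparsable configuration falls back to one masked Password field
# into which the user types passwordotp, as in the default behavior.
FALLBACK_LAYOUT = [{"label": "Password", "order": 1, "required": False, "mask": True, "check": ""}]


class LayoutError(ValueError):
    """Raised for any syntactic or semantic problem in the layout value."""


def _or_default(obj, name, default):
    """A value of null means: use the documented default."""
    return default if obj[name] is None else obj[name]


def parse_layout(text):
    """Parse the Options value into a list of field dicts with defaults applied."""
    if "\n" in text or "\r" in text:
        raise LayoutError("newline characters are not allowed")
    try:
        raw = json.loads(text)
    except json.JSONDecodeError as exc:
        raise LayoutError(f"invalid JSON: {exc}") from exc
    if not isinstance(raw, list) or not raw:
        raise LayoutError("layout must be a non-empty list of JSON objects")
    if len(raw) > MAX_FIELDS:
        raise LayoutError(f"at most {MAX_FIELDS} fields are allowed")
    fields = []
    for idx, obj in enumerate(raw, start=1):      # idx: position in the list, 1-based
        if not isinstance(obj, dict):
            raise LayoutError(f"field {idx} is not a JSON object")
        missing = {"label", "order", "required", "mask", "check"} - obj.keys()
        if missing:
            raise LayoutError(f"field {idx} lacks {sorted(missing)}")
        field = {
            "label": _or_default(obj, "label", f"Field {idx}"),
            "order": _or_default(obj, "order", idx),
            "required": _or_default(obj, "required", False),
            "mask": _or_default(obj, "mask", True),
            "check": _or_default(obj, "check", ""),
        }
        if isinstance(field["order"], bool) or not isinstance(field["order"], int):
            raise LayoutError(f"field {idx}: order must be an integer")
        if not isinstance(field["check"], str) or (field["check"] and not _CHECK_RE.match(field["check"])):
            raise LayoutError(f"field {idx}: bad check expression {field['check']!r}")
        fields.append(field)
    orders = [f["order"] for f in fields]
    if len(set(orders)) != len(orders):
        raise LayoutError("order values must be unique across all fields")
    return fields


def load_layout(text):
    """Parse the layout, silently falling back to the single Password field on error."""
    try:
        return parse_layout(text)
    except LayoutError:
        return [dict(f) for f in FALLBACK_LAYOUT]


def check_length(expr, value):
    """Evaluate '<n', '=n' or '>n' against the number of characters entered."""
    if not expr:
        return True
    op, n = _CHECK_RE.match(expr).groups()
    n = int(n)
    return {"<": len(value) < n, "=": len(value) == n, ">": len(value) > n}[op]


def validate(fields, values):
    """Client-side checks; a blank optional field skips its length check."""
    errors = []
    for field, value in zip(fields, values):
        if value == "":
            if field["required"]:
                errors.append(f"{field['label']} is required")
            continue
        if not check_length(field["check"], value):
            errors.append(f"{field['label']} fails length check {field['check']}")
    return errors


def build_credential(fields, values):
    """Return (credential_string, []) or (None, errors). Values are concatenated
    by each field's 'order', which may differ from the display order."""
    if len(values) != len(fields):
        raise ValueError("one value per field expected")
    errors = validate(fields, values)
    if errors:
        return None, errors
    ordered = sorted(zip(fields, values), key=lambda fv: fv[0]["order"])
    return "".join(v for _, v in ordered), []


if __name__ == "__main__":
    # Constructed sample input: static password "hunter2", OTP "123456", server PIN "4321".
    print(build_credential(parse_layout(DEFAULT_LAYOUT), ["hunter2", "123456"]))
    print(build_credential(parse_layout(THREE_FIELD_LAYOUT), ["hunter2", "123456", "4321"]))
```

Note that build_credential only models the concatenation that happens on the client side; as the page states, the logon handling behind it sees the same passwordotp-style string whether one or three fields were rendered.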