Authenticating using a security key for manual authentication (Windows login)
You are only prompted to authenticate manually if you are signing on to your Windows machine without a network connection or Wi-Fi.
Before you begin
- To use your security key to authenticate when you are offline, you must authenticate successfully at least once when online. For information, see Authenticating using a security key (Windows login).
- The minimum version of Windows login you need depends on the following:
  - If your organization requires you to enter a password to authenticate, you’ll need PingID for Windows login 2.3 or later.
  - If your organization has eliminated passwords, you’ll need PingID for Windows Passwordless login 1.2 or later.

  If you’re not sure, check with your organization’s administrator.
- If your organization requires you to enter a password when you sign on, it is not possible to use a FIDO2 security key to authenticate when accessing your Windows login account through RDP. If your organization has eliminated passwords, you can do so.
- If you are using a U2F security key, offline authentication is only supported when using PingID for Windows login 2.3 - 2.7.x.
About this task
Manual authentication with a security key is only possible if:
- Your company policy and configuration allow the use of a security key to authenticate when offline.
- You have already paired a security key and authenticated successfully at least once when online.
From PingID for Windows login 2.8 and later, you can use any security key that is paired to your account as long as you have successfully authenticated with it at least once online using the specific Windows machine that you want to sign on from. For version 2.7 and lower, you need to pair a security key specifically for manual authentication.
Steps
- Connect your security key physically through a USB cable or, if applicable, ensure that NFC or Bluetooth is set to ON.
- Sign on to your Windows machine.
- If you are offline and do not have an internet connection, in the Manual Authentication window, follow the prompts to authenticate manually.

  If you enrolled a security key for manual authentication in Windows login 2.7 or lower, and then upgraded to Windows login 2.8 or higher, you may see the same security key listed but with a different nickname. You should delete the deprecated duplicate device (deprecated devices show the Delete option). Before you delete a device, make sure you have at least one alternative device paired with your account.
- If you have more than one authentication method paired with your account, in the Authenticating on section, select Security Key.
- Click Next.
- Use your security key to authenticate.
Result
The green Authenticated message appears with a check mark, indicating authentication is successful. You are redirected and signed on to your account or app.