PingID Administration Guide

Integrating PingID with Windows login

PingID integrates with local Windows login and Remote Desktop Protocol (RDP) so that only authorized users are granted access, allowing organizations to better secure both their Windows server environments and sign-on to end-user Windows machines.

PingID adds policy-based multi-factor authentication (MFA) to the Windows default username and password first factor login flow. Users can carry out MFA on any of the authentication devices paired with their account.

PingID integration for Windows login installs a credential provider on each protected Windows machine. The credential provider opens a mini web browser that runs the PingID out-of-the-box authentication flow on the user’s local or remote Windows machine. Authentication through the PingID credential provider can be configured either directly against the PingID service in the cloud or through the PingFederate authentication authority, which lets you align authentication policy across the organization. Windows login is defined in PingID as a service, in the same way that SSH and VPN are considered services.

Windows platforms and supported versions

PingID integrates with the following Windows platforms, 64-bit versions:

  • Microsoft Windows 10 and 11

  • Microsoft Windows Server 2016, 2019, and 2022 (desktop)

These platforms are supported with the following architectures:

  • RDP:

    • With or without RDP Network Level Authentication (NLA) configuration

    • RDP architectures, including Web proxy

      • When Restricted Admin mode is enabled, Microsoft’s design doesn’t permit the use of MFA.

      • Security keys with RDP are only supported on Windows Server 2022.
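The two RDP notes above have a direct operational consequence: NLA can be on or off without affecting MFA, but Restricted Admin mode prevents MFA from being applied at all. The following PowerShell script is an added example, not part of the PingID guide or its installer; it reads Microsoft's documented registry locations for these settings on the local machine so an administrator can confirm that a protected host is actually in a state where PingID MFA can apply to RDP sessions. The output property names are this script's own.

```powershell
# Added example (not from the PingID guide): report the local RDP settings that
# decide whether PingID MFA can be enforced for remote sessions.
# Registry paths and value names are Microsoft's documented ones.
function Get-RdpMfaPosture {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # DisableRestrictedAdmin: 0 = Restricted Admin mode enabled.
    # Absent or non-zero = disabled (Microsoft's default on current Windows).
    $dra = (Get-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $restrictedAdminEnabled = ($null -ne $dra) -and ($dra -eq 0)

    # UserAuthentication: 1 = Network Level Authentication required on RDP-Tcp.
    # Reported for completeness; the guide supports MFA with or without NLA.
    $ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    # fDenyTSConnections: 1 = Remote Desktop disabled on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -ne 1)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RdpEnabled             = $rdpEnabled
        NlaRequired            = $nlaRequired
        RestrictedAdminEnabled = $restrictedAdminEnabled
        # Per the guide, MFA cannot be applied while Restricted Admin mode is on.
        MfaCanApplyToRdp       = $rdpEnabled -and -not $restrictedAdminEnabled
    }
}

Get-RdpMfaPosture | Format-List
```

Run it in an elevated session on each protected host, or wrap it in `Invoke-Command` across a server list; a host reporting `RestrictedAdminEnabled = True` is one where the PingID second factor will not be presented to RDP users, regardless of the policy configured in PingID.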

FIDO2 security keys

Windows login provides the following support for FIDO2 security keys:

  • Authentication: For all versions.

  • Registration: From PingID for Windows login 2.11 and later. Windows login doesn’t support FIDO2 security keys with enterprise attestation.

  • Offline authentication: For all versions. Offline authentication for FIDO U2F isn’t supported from PingID for Windows login 2.7 and later.

Windows Hello

Microsoft doesn’t currently support second-factor authentication with the Windows Hello biometric login flow.

For PingID for Windows login 2.2 integration and later, if Windows Hello biometric authentication is enabled, users can either:

  • Sign on using Windows Hello biometric authentication only.

  • Authenticate with their username and password. When authenticating with username and password, PingID can be used for second-factor authentication.

Web access information: Domains, URLs, and ports

For details about Windows login web access requirements, see PingID required domains, URLs, and ports.

PingID policy for Windows login flow

Windows login might be subject to PingID policy settings under a web authentication policy. Learn more in Enabling a Windows login and RDP authentication policy.

PingID offline MFA

PingID integration for Windows login supports PingID Offline MFA. Offline MFA enables users to sign on to their Windows machine, even when offline, such as on an airplane without Wi-Fi or network connectivity. Supported authentication methods include:

  • PingID mobile app, using a one-time passcode

  • FIDO2 security key

Offline MFA is called manual authentication in the PingID End User Guide.

Prerequisites for offline MFA:

  • To enable offline authentication with the PingID mobile app, the PingID mobile app must be paired to the user’s account, and the user must have signed on to their account in online mode at least once.

  • FIDO2 security key is supported by PingID integration for Windows login 2.3 or later on a protected Windows machine.

Repudiation of a user’s login: No server-side logs are written for offline sign-ons, whether the authentication succeeds or fails. Administrators should export these logs from Event Viewer on the local machine. For details about the default or customizable log path, see Installing the PingID integration for Windows login using CLI.
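Because offline sign-ons leave no server-side record, the local event log is the only evidence that an offline authentication happened. The following PowerShell script is an added example, not part of the PingID guide or its installer: it exports the relevant events from a protected machine both as an `.evtx` file (full fidelity, for retention and forensics) and as a CSV that can be shipped to a SIEM and reconciled against PingID’s own reports. The log name and provider name are placeholders; the real values come from the log path documented in the CLI installation guide referenced above.

```powershell
# Added example (not from the PingID guide): export the local event-log record of
# offline PingID sign-ons, the only record that exists for them.
# $LogName and $ProviderName are PLACEHOLDERS; substitute the values documented
# for your installation.
function Export-PingIdOfflineEvents {
    [CmdletBinding()]
    param(
        [string]$LogName      = 'Application',                 # PLACEHOLDER log name
        [string]$ProviderName = 'PingID-Provider-PLACEHOLDER', # PLACEHOLDER event source
        [string]$OutDir       = 'C:\Audit\PingID',
        [int]$Days            = 7
    )

    $since = (Get-Date).AddDays(-$Days)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # 1. Full-fidelity .evtx copy for retention. wevtutil's /q: takes an XPath
    #    filter; timediff() is in milliseconds relative to now.
    $ms    = [int64]((Get-Date) - $since).TotalMilliseconds
    $xpath = "*[System[Provider[@Name='$ProviderName'] and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    $evtx  = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.evtx"
    wevtutil epl $LogName $evtx "/q:$xpath"

    # 2. Flattened CSV of the same events for SIEM ingestion, tagged with the
    #    host name so offline authentications can be reconciled centrally.
    $csv = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.csv"
    Get-WinEvent -FilterHashtable @{
            LogName      = $LogName
            ProviderName = $ProviderName
            StartTime    = $since
        } -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
        Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    [pscustomobject]@{ Evtx = $evtx; Csv = $csv }
}

Export-PingIdOfflineEvents
```

Schedule this on the endpoints (or run it through a management agent) at an interval shorter than the local log’s retention, since an offline sign-on that is overwritten before export is unrecoverable.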