Integrating PingID with Windows login
PingID integrates with local Windows login and Remote Desktop Protocol (RDP) to provide access permissions only to authorized users and to allow organizations to better secure their Windows server environments and end user Windows machine secured login.
PingID adds policy-based multi-factor authentication (MFA) to the Windows default username and password first factor login flow. Users can carry out MFA on any of the authentication devices paired with their account.
PingID integration for Windows login installs a credential provider on each of the protected Windows machines. The credential provider opens a mini web browser that enables the PingID out-of-the-box authentication flow on the user’s local or remote Windows machine. Configure authentication through the PingID credential provider either directly with the PingID service in the cloud or though the PingFederate authentication authority to provide cross-organization authentication policy alignment. PingID integration for Windows login is defined in PingID as a service in the same way that SSH and VPN are considered a service.
Windows platforms and supported versions
PingID integrates with the following Windows platforms, 64-bit versions:
-
Microsoft Windows 10 and 11
-
Microsoft Windows Server 2016, 2019, and 2022 (desktop)
These platforms are supported with the following architectures:
-
RDP:
-
With RDP Network Level Authentication (NLA) configuration or without it
-
RDP architectures, including Web proxy
Per Microsoft design, use of MFA is not permitted in Restricted Admin mode.
-
Use of security keys with RDP are only supported on Windows Server 2022
-
FIDO2 security keys
Windows login supports the use of FIDO2 security keys for authentication only. However, for Windows login 2.7 and later, FIDO U2F security keys are not supported with Windows login for offline use cases.
Windows Hello
Microsoft does not currently support the addition of second factor authentication when using the Windows Hello biometric login flow.
For PingID for Windows login 2.2 integration and later, if Windows Hello biometric authentication is enabled, users can either:
-
Sign on using Windows Hello biometric authentication only.
-
Authenticate with their user name and password. When authenticating with user name and password, PingID can be used for second-factor authentication.
Web access information: Domains, URLs, and ports
For details about Windows login web access requirements, see PingID required domains, URLs, and ports.
PingID policy for Windows login flow
Windows login might be subject to PingID policy settings under web authentication policy. For more information, see Enabling a Windows login and RDP authentication policy.
PingID offline MFA
PingID integration for Windows login supports PingID Offline MFA. Offline MFA enables users to sign on to their Windows machine, even if it is offline, such as when on an airplane without Wi-Fi or network connectivity. The following authentication methods are supported:
-
PingID mobile app, using a one-time passcode
-
FIDO2 security key
Offline MFA is called manual authentication in the PingID End User Guide. |
Prerequisites for offline MFA:
-
To enable offline authentication with the PingID mobile app, the PingID mobile app must be paired to the user’s account, and the user must have signed on to their account in online mode at least once.
-
FIDO2 security key is supported by PingID integration for Windows login 2.3 or later on a protected Windows machine.
Repudiation of a user for a login: During offline logins, there are no server side logs, neither for successful nor for unsuccessful authentications. Administrators should make sure to export these logs from the local machine event viewer. For details about the default or customizable log path, see Installing the PingID integration for Windows login using CLI. |