top of page
Blog article

Blog article

Passwordless MFA for Windows - Small-scale Implementation Example


We want to introduce a case study in which a manufacturing company introduced YubiOn FIDO Logon on a small scale. At this company, employees and outside workers sometimes work in the same environment, and they were considering a method to enable MFA (multi-factor authentication) for logon to PCs used in this environment. In response to this problem, we proposed the introduction of "YubiOn FIDO Logon" and were able to solve the problem. This time, I will introduce the specific content.


Introduced Organization

Manufacturing Company


  • Introduction of YubiOn FIDO Logon Approximately 10 Windows machines. Use local accounts.


  • Introduction of external authenticator Employees use their smartphones. For outside workers, arrange Security Key NFC by Yubico.

Issues

At this company, employees and outside workers log on to PCs installed at specific locations using local account IDs and passwords. When reviewing their security, they considered changing their PCs' logon to MFA (multi-factor authentication) using an external authenticator. This company allows the use of BYOD (bring your own device), and the idea was to use personal smartphones for employees and security keys for outside workers as external authentication devices. While considering MFA using these authenticators, we were asked to consult regarding whether or not it would be possible.


In summary, the following issues need to be resolved:

  • Enable MFA (multi-factor authentication) for logging on to specific PCs.

  • Use smartphones or security keys as authenticators.


Solution
  • MFA (multi-factor authentication) with YubiOn FIDO Logon By installing the YubiOn FIDO Logon software and linking employee accounts with smartphones, linking outside worker accounts with security keys, they strengthened the logon section of the target PC to MFA (multi-factor authentication) using a smartphone or security key. Since this product is a cloud service, customers do not need to prepare a separate server. And they can use it immediately after registering. The selection of the authenticator will be explained later.

When logging on to a PC, employees can now log on without a password by verifying their biometrics on a smartphone, and for outside workers by entering a PIN of a security key. You can ensure much higher security by possessing an authenticator and performing MFA (multi-factor authentication) using PIN (knowledge) or biometric identification, rather than logging on with a password only. In addition, it simplifies operations when logging on, so user usability is not compromised.


The differences in authentication operations are as follows:

For smartphones

iOS / iPadOS

Logon is completed by scanning the QR code with the camera and successfully performing biometric authentication (face/fingerprint) on the smartphone.


Android

Android supports "Hybrid authentication by notification". When you log on to a PC, a notification to start authentication will be sent to your smartphone. Logon is completed by tapping the notification and successfully performing biometric authentication (face/fingerprint) on your smartphone.

※ Biometric information is used only for authentication on the device and is not sent to the server side.


For security keys

There are two types of FIDO2-compatible security keys: "a model that requires PIN entry" and "a model that verifies biometric".


PIN model (model adopted this time):

Insert the security key when logging on to the PC, and if the PIN authentication is successful, the logon will be completed. ※ The reason for selection will be explained later.


Biometric model:

When logging on to a PC, insert the security key and if biometric (face/fingerprint) authentication is successful, logon will be completed.


  • About the authenticator selection YubiOn FIDO Logon can be used with smartphones and FIDO2-compatible security keys. Regarding the use of smartphones, I think the best option would be if you are allowed to use a company smartphone or BYOD. However, depending on the company/organization's policy, the use of smartphones may be prohibited. In such cases, we recommend a security key. This time, the customer wanted to keep costs as low as possible, so they used a relatively inexpensive PIN model security key. I will introduce how to choose a security key in another article.

Finally

YubiOn FIDO Logon is the perfect solution for multi-factor authentication for PC logon using smartphones or security keys. By adopting FIDO authentication, higher security can be ensured compared to password authentication. We support everyone from small-scale to large-scale installations, so please contact us with your needs.


  • YubiOn FIDO Logon YubiOn FIDO Logon is a cloud service that provides multi-factor authentication using the FIDO2 protocol for PC logon. There are also convenient functions such as integrated management and remote control functions on the Web management console. Please check the product introduction page for detailed product information. Also, please refer to this setup guide for details on the installation procedure.


  • Security key sales You can buy it from Amazon.

※ For bulk purchases or requests for quotations, please contact us through the contact page.

Comments


bottom of page