Introduction
Once you have configured Windows Connect you are ready to test the end-user experience and enroll your users in the Password Express service.
There are several different strategies you can take to enrol users, some of which will require you to Configure Authentication Policies.
The greatest success is achieved when the user does not have to take any action! In this respect, the system's default configuration, which requires an Email-based or SMS-based OTP for password resets, may be enough. In this case, as long as your users have telephone numbers and email addresses (that are accessible without the Active Directory password), your job here is done.
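One way to check that condition before relying on the default policy, as an added example that is not part of the Password Express documentation: it flags accounts with neither a usable mobile number nor an email address outside the domains whose mailboxes need the Active Directory password. The attribute names (mail, mobile), the internal domain list and the sample accounts are assumptions made for illustration.

```powershell
# Added example: audit which accounts can already complete an email/SMS OTP reset.
# Assumptions (not from the Password Express docs): the attributes checked
# (mail, mobile) and the list of internal mail domains are illustrative.

function Get-OtpResetReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        # Domains whose mailboxes need the AD password, so an OTP sent there
        # cannot be read by someone who has forgotten that password.
        [string[]]$InternalMailDomain = @('corp.example')
    )
    process {
        # Null attributes become empty strings.
        $mail   = "$($User.mail)".Trim()
        $mobile = "$($User.mobile)".Trim()

        $mailDomain  = if ($mail -match '@(?<d>[^@\s]+)$') { $Matches.d.ToLower() } else { $null }
        $emailUsable = [bool]$mailDomain -and ($InternalMailDomain -notcontains $mailDomain)
        $smsUsable   = $mobile -match '^\+?[\d\s().-]{7,}$'

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            EmailOtp       = $emailUsable
            SmsOtp         = $smsUsable
            Ready          = $emailUsable -or $smsUsable
        }
    }
}

# Constructed sample data so the script runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@corp.example'; mobile = '+44 7700 900123' }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = 'bob@corp.example';   mobile = '' }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = 'carol@mail.example'; mobile = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  mail = $null;                mobile = $null }
)

$report = $sample | Get-OtpResetReadiness
$report | Format-Table -AutoSize

# Accounts that would need manual or login-prompt enrollment first.
$report | Where-Object { -not $_.Ready } | Select-Object -ExpandProperty SamAccountName

# Against a live directory (ActiveDirectory module), replace $sample with:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, mobile
```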
Manual Enrollment
When a user logs into the service their home page will show their current 2FA credential status.
For example, the image below displays a standard user that has not interacted with the system before, but their email addresses and telephone numbers have been pulled in from their Active Directory profile. Here you can see that authenticators that rely on this information are already showing as configured.

Users can then choose to enrol in other authentication schemes directly from this page by clicking the Add button. Or if they need to change or remove those credentials they can click on Manage.
Further documentation will be linked here for enrollment into the individual authentication types.
Enrolling a user with Login Prompts
You can prompt the user to set up additional authentication using Optional authentication. As long as the Authentication Policy supports passwords and the user enters a correct password, they will be prompted to authenticate, or set up any of the credential types you require.
Naturally, this will not work on the Password Reset or Account Unlock policies. In these cases the user would have to have had these set up in advance. Enrolling users during login is a useful way of increasing adoption. With our Windows Credential Provider you can even prompt the user during their Windows Desktop login.
For example, let’s say we are going to email out an enrollment request to our users to ask them to go to the Password Express site and set up their credentials. Logging into the Password Express website is controlled by the Default Authentication Policy.
We will ask them to set up either Google Authenticator or LogonBox Authenticator credentials. To do this, navigate to Security -> Authentication Policies.

Click the Default Authentication Policy to edit.
Under the Optional tab, enter 1 as the number of optional authentications to require, and add the Google Authenticator and LogonBox Authenticator modules to the optional list as shown in the image.

Click Save to apply.
Now, when any user logs into the Password Express portal, they will be prompted to complete optional authentication.

Here the user chooses one of the authentication modules. If the user has not set this up they will be directed through the registration flow for that module.
Some modules will allow the user to skip registration. You can control this setting in the authentication module's configuration page, which is accessed via the Security -> Authentication Policies page.
For example, the LogonBox Authentication has the options displayed in the image. You can disable skip altogether, configure how many times it can be skipped, or disable registration this way entirely. If you disable registration, remember that the user will have to have a way to log in without requiring any optional authentication.

Enrollment at Windows Login
To enrol users at the Windows Login prompt you first need to Install the Windows Credential Provider on users' computers.
Once this has been installed, the user will be logging in through the Windows Login Policy if they are using a Desktop computer, or Windows RDP Policy if they are logging in over the network with the RDP protocol.
Just as described in the previous section, any optional authenticators you add to these policies will be requested whilst the user is logging in through Windows.