Enabling/Disabling FIDO2 token
FIDO2 tokens are enabled by default when assigned to a user for authentication. If a user does not want to use a FIDO2 token, it can be disabled (or re-enabled) by adding the registry value described below:
On a computer where Defender Security Server is installed, use Registry Editor to create the following value:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
Value type: REG_DWORD
Value name: FIDO2ENABLED
Value data: 0 to disable and 1 to enable
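The registry change above, scripted as an added example (not part of the Defender documentation). It assumes the key already exists because Defender Security Server is installed on the host, and that it runs from an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example: read and set the FIDO2ENABLED value on a Defender Security Server host.
# Assumes the key exists (it is created by the Defender Security Server installation).
$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition'

function Get-DefenderFido2State {
    # An absent value means the documented default (enabled); 0 means disabled, 1 means enabled.
    $item = Get-ItemProperty -Path $KeyPath -Name 'FIDO2ENABLED' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (value not set, default)' }
    if ($item.FIDO2ENABLED -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Set-DefenderFido2State {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Key not found: $KeyPath. Is Defender Security Server installed on this host?"
    }
    $data = if ($Action -eq 'Enable') { 1 } else { 0 }
    # -PropertyType DWord matches the documented REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name 'FIDO2ENABLED' -PropertyType DWord -Value $data -Force | Out-Null
    # Read the value back so the change is confirmed rather than assumed.
    Write-Host ("FIDO2ENABLED set to {0}; current state: {1}" -f $data, (Get-DefenderFido2State))
}

# Usage: show the current state, then disable FIDO2 tokens on this server.
Get-DefenderFido2State
Set-DefenderFido2State -Action Disable
```

The setting lives on the Defender Security Server, so it affects every user authenticating through that server, not a single user object.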
See the following sections for instructions on enabling the use of the YubiKey token programmed in one of these modes:
Enabling the use of Microsoft Authenticator
You can allow users to authenticate via Defender by using one-time passwords generated with Microsoft Authenticator.
To enable Microsoft Authenticator for a user
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
- In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
- Below the Tokens list, click the Program button.
- In the Select Token Type step, click to select the Software token option. Click Next.
- In the Select Software Token step, click to select the Microsoft Authenticator option.
- Complete the wizard to enable Microsoft Authenticator for the user.
- For more information about the wizard steps and options, see Defender Token Programming Wizard reference.
Enabling use of OneLogin Authenticator
You can get an activation code either from your system administrator or through a dedicated self-service Web site, if one exists in your organization. The self-service Web site is called the Defender Self-Service Portal; it allows you to download and install software tokens, obtain activation codes for software tokens, and register hardware tokens.
To enable OneLogin Authenticator for a user
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
- In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
- Below the Tokens list, click the Program button.
- In the Select Token Type step, click to select the Software token option. Click Next.
- In the Select Software Token step, click to select the OneLogin Authenticator option.
- Complete the wizard to enable OneLogin Authenticator for the user.
- For more information about the wizard steps and options, see Defender Token Programming Wizard reference.
Enabling use of OneLogin Authenticator for PUSH Notifications
Defender 6.6.0 supports push notification authentication using the OneLogin Protect app, in addition to the existing Defender Soft Token push notifications.
It is configured as follows.
- The method for programming the OneLogin token remains the same, through ADUC or the Management Portal.
- Users receive the activation code only from the dedicated OneLogin self-service portal, which allows them to register the OneLogin token with the OneLogin Protect app.
NOTE:
- It can be used for authentication in the Defender Desktop Login, ISAPI, and EAP clients.
- It can be programmed through ADUC and the Management Portal.
- Push notification to OneLogin Protect takes precedence if both the OneLogin token and the Defender Soft Token are enabled in the registry and assigned to the user.
- No separate registry entries are needed for the push notification timeout value or for disabling push notifications. The single registry configuration for Timeout and Disable applies to both push tokens (OneLogin and Defender Soft Token).
- If the user already has an existing OneLogin token assigned, only the second step, activation through the OneLogin portal, is required.