Authentication Flow
  • 06 May 2024

Cross Identity Windows Login (CWL) is used for Windows authentication with Cross Identity user credentials or passwordless authentication, improving the user experience while maintaining strong security controls.

After installing the WindowsCustomLogin agent, the user no longer needs to authenticate with Windows credentials.

Note:

The registry entry is created under “Computer\HKEY_USERS\.DEFAULT\Software\iCL” after successful user registration during login and during the offline flow.

Password-based authentication

  1. The user locks his/ her Windows system (Win+L).

  2. When the user unlocks the Windows system, the user provides the username.

  3. During the initial login, the user is prompted with two password fields, as shown in the screenshot below.

  4. The user must enter both the Cross Identity password and the Windows password for the first login after installation of the agent.

  5. For domain-joined users, only one password field is prompted, and the user must enter the domain password.

  6. The CWL agent validates the user credentials and grants the user access to the Windows system.

  7. During subsequent logins, the user is prompted to enter only his/her Cross Identity credentials to log in to the Windows system.

    Note:

    The Windows login username and the CI username must be the same for authentication to succeed.

Passwordless Authentication

  1. The user locks his/her Windows system.

  2. During the initial login, the user is prompted with two password fields, as shown in the screenshot below.

  3. The user must enter both the Windows password and the Cross Identity password for the first login after installation of the agent.

  4. The CWL agent validates the user credentials and grants the user access to the Windows system.

  5. During subsequent logins, once the user provides the username and proceeds, he/she receives a push notification via the CIVerifID mobile app.

  6. Once the user authenticates in the CIVerifID app, he/she is logged in to the Windows system.

    Note:

    The user must be registered with Passwordless authentication on the CIVerifID App.

Password reset flow

  1. Reset the password using the Self-Service Password Reset or Change Password option available in Cross Identity.

  2. The user locks his/her Windows screen.

  3. The user can then log in to the Windows system with the new password.

Offline Authentication flow

If the user’s system is not connected to the internet, he/she can still log in to the Windows system using a TOTP. The flow is the same for domain-joined and non-domain-joined users.

Note:

The user must have logged in with the password at least once before using the offline flow.

  1. Assume the user is not connected to the internet.

  2. The user locks his/ her Windows system (Win+L).

  3. When the user unlocks the Windows system, the user provides the username.

  4. The user gets the prompt shown below.

  5. The user must enter the 6-digit TOTP registered with the CI tenant for the same user.

  6. Once done, the user is able to log in to the Windows system.

Login with MFA

Users (domain and non-domain) can log in to CWL with a step-up authentication configured in CI’s Admin Portal.

Prerequisites:

  • User must be registered to the MFA options such as Security Questions, Soft Token, SMS OTP and Email OTP.

  • Advanced Access Management Policy must be defined and enabled in the admin portal as per requirement.

Note:

During the offline flow (when no internet connection is present), the user is prompted only for Security Questions and/or Soft Token as MFA.

When an internet connection is present, the user is prompted for whichever of the MFA options he/she has registered.

Login with Soft Token as MFA

  1. User locks his/ her Windows system (Win+L).

  2. Once the user unlocks the Windows system, the user provides the username.

  3. User will be prompted to provide the password.

  4. CWL agent validates the user credentials and prompts for the MFA screen as a step-up authentication mechanism.

    Note:

    User must be registered with Soft Token in CI and the AAM Policy must be enabled.

  5. The user proceeds with the challenge-response option; the screen below is prompted, and the user has to validate the TOTP.

  6. CWL agent validates the TOTP and allows access to the Windows system.

Login with Security Questions as MFA

  1. User locks his/ her Windows system (Win+L).

  2. Once the user unlocks the Windows system, the user provides the username.

  3. User will be prompted to provide the password.

  4. CWL agent validates the user credentials and prompts for the MFA screen as a step-up authentication mechanism.

    Note:

    User must be registered with Security Questions in CI and the AAM Policy must be enabled.

  5. The user proceeds with the challenge-response option; the screen below is prompted, and the user has to answer the security questions.

  6. The CWL agent validates the security question responses and grants the user access to the Windows system.

Login with Email OTP as MFA

  1. The user locks his/ her Windows system (Win+L).

  2. Once the user unlocks the Windows system, the user provides the username.

  3. The user will be prompted to provide the password.

  4. CWL agent validates the user credentials and prompts for the MFA screen as a step-up authentication mechanism.

    Note:

    The user’s email address must be present in CI and the AAM Policy must be enabled.

  5. The user proceeds with the email OTP option; the screen below is prompted, and the user has to validate the OTP received by email.

  6. CWL agent validates the OTP and allows access to the Windows system.

Login with SMS OTP as MFA

  1. The user locks his/ her Windows system (Win+L).

  2. Once the user unlocks the Windows system, the user provides the username.

  3. User will be prompted to provide the password.

  4. CWL agent validates the user credentials and prompts for the MFA screen as a step-up authentication mechanism.

    Note:

    User’s mobile number must be present in CI and the AAM Policy must be enabled.

  5. The user proceeds with the SMS OTP option; the screen below is prompted, and the user has to validate the OTP received on his/her mobile number.

  6. CWL agent validates the OTP and allows access to the Windows system.
