OneLogin OTP for Windows
Using multiple authentication factors is an effective way of preventing someone from accessing your sensitive data even if they manage to get hold of your username or password. OneLogin's Windows OTP App is a free Windows solution that allows users to submit one-time passwords with the push of a button.
- Supported Operating Systems
  - Windows XP SP3
  - Windows Server 2003 SP2
  - Windows Vista SP1 or later
  - Windows Server 2008 (not supported on Server Core Role)
  - Windows 7
  - Windows Server 2008 R2 (not supported on Server Core Role)
  - Windows 7 SP1
  - Windows Server 2008 R2 SP1
- .NET Framework 2.0 or later
- Windows Installer 3.1 or later
- Each user must have access to the Windows installer package when running the application for the first time. It is recommended that the installer be published to a Windows share that is accessible to all OTP users.
- OneLogin only supports one OTP credential per user account. Active Directory roaming profiles must be configured for domain users who need to log on to multiple computers and have access to OneLogin.
OneLogin strongly recommends that the OTP application be deployed on an operating system with drive encryption for the OS volume, such as BitLocker. The OTP application relies on the Windows security subsystem to protect the OTP credential, and technologies such as BitLocker help to ensure that the OS is protected from offline attacks on that credential.
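As an added example (not OneLogin's own tooling), the following PowerShell script checks the prerequisites listed above, plus the BitLocker recommendation and reachability of the published installer, before the MSI is rolled out to a workstation. The share path is a placeholder, and the script should run in an elevated session because the volume-encryption WMI class requires administrator rights.

```powershell
# Added example, not part of OneLogin's package: pre-deployment checks for OneLogin OTP for Windows.
# Written for PowerShell 2.0 compatibility (Windows 7 / Server 2008 R2 ship with it).
$InstallerShare = '\\FILESERVER\OneLoginOTP'   # placeholder: the Windows share where the MSI is published

$results = @()

# 1. .NET Framework 2.0 or later: any of these NDP registry keys with Install=1 satisfies the requirement.
$ndpKeys = 'v2.0.50727', 'v3.0', 'v3.5', 'v4\Client', 'v4\Full'
$dotNetOk = $false
foreach ($k in $ndpKeys) {
    $key = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\$k"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p.Install -eq 1) { $dotNetOk = $true; break }
    }
}
$results += New-Object PSObject -Property @{ Check = '.NET Framework 2.0+'; Pass = $dotNetOk }

# 2. Windows Installer 3.1 or later: the file version of msi.dll tracks the installed Windows Installer version.
$msiVersion = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
$results += New-Object PSObject -Property @{ Check = 'Windows Installer 3.1+'; Pass = ($msiVersion -ge [version]'3.1') }

# 3. OS drive encryption (BitLocker recommended): ProtectionStatus 1 means protection is on for the volume.
$sysDrive = $env:SystemDrive
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $sysDrive }
$bitlockerOn = ($vol -ne $null) -and ($vol.ProtectionStatus -eq 1)
$results += New-Object PSObject -Property @{ Check = "BitLocker on $sysDrive"; Pass = $bitlockerOn }

# 4. The installer package must be reachable from this machine on first launch of the app.
$msiPath = Join-Path $InstallerShare 'OneLoginDesktopOTP.msi'
$results += New-Object PSObject -Property @{ Check = 'MSI reachable on share'; Pass = (Test-Path $msiPath) }

$results | Format-Table Check, Pass -AutoSize
# Non-zero exit code lets a deployment tool treat any failed check as "do not install here".
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```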
Enabling OneLogin OTP
In order to use OneLogin OTP, an admin has to turn it on. Go to Security -> Authentication Factors. Click New Auth Factor, choose OneLogin OTP from the authentication factor list, and give it an appropriate display name.
Setting the OneLogin OTP Policy
To require OneLogin OTP for users, you need to create a security policy that uses it.
- Go to Security -> Policies.
- Click New User Policy to create a new policy, or click an existing user policy row to add the OTP requirement to an existing policy.
- Go to the MFA tab, and select the OTP Auth Required checkbox.
- (Optional) Define more fine-grained OTP authentication requirements. For example, you can bypass it for certain IP addresses, apply it to admins only, apply it at every login or only for unknown browsers, and define session lengths. For more information, see User Policies.
Installing the OTP App
To install the Windows OTP app, download the OneLoginDesktopOTP.msi file, which you can find at the top of this article. Log into your profile and launch the installer. Once installed, OneLogin OTP can be launched from the Start Menu. On first launch the app displays a device credential that you use to register the app with your OneLogin account.
Registering the OTP App
Before the OTP app can be used, it must be associated with the user, and the user must be under a security policy that requires it. An administrator can do this manually, user by user, but that is not practical at scale, especially with VIP Access, where only the employee has access to the device. If OTP is required for all users and a user falls under that security policy, the user will be prompted to register the device on the first successful login attempt.
Configuring users manually (optional)
Once OTP is enabled in the security policy and the policy is assigned to a user, you can register the app for individual users as described here. Go to Users > All Users and select a user to edit. Under OTP, select Register Device. This is also where you deregister the OTP app.
On the user's first attempt to log in under the new security policy, the user will need to register the app. This requires having the app installed and entering the Credential ID and two consecutive Security Codes.
After the first setup, users enter their Email and Password, and the OneLogin OTP security code field then appears. The user can enter the code manually or submit it with the push of the app's Send button.