Introduction

TickStream.KeyID Winlogon (Early Access Preview) is a Microsoft Windows logon credential provider that lets you add second-factor authentication for users of workstations and servers. The credential provider captures typing effort when a user logs on with CTRL+ALT+DEL, or when a server is accessed through Remote Desktop Protocol and other remote access solutions.

System Requirements

The client will run on the following systems, which require the listed components as a minimum.

  • Microsoft Windows 7 / Windows Server 2008 R2 and later
  • Microsoft Visual C++ Redistributable 2010, 2015 (installed during setup)
  • Microsoft .NET Framework 4.0 or higher (installed during setup)

Setup Wizard

  1. Download the TickStream.KeyID Winlogon setup package using the link provided to you.
  2. Run the setup package on the client machine you wish to install it on. Press the ‘Next’ button when the welcome screen appears.
  3. Accept the licensing agreement. Press the ‘Next’ button to continue.
  4. Choose the path to install the TickStream.KeyID Winlogon files. Press the ‘Next’ button to continue.
  5. Enter the KeyID web service address, Authentication key and Server Thumbprint. Press the ‘Next’ button to continue.
  6. Select a start menu folder. Press the ‘Next’ button to continue.
  7. Press the Install button.
  8. Press the Finish button.

Quiet Install

The setup package can be installed in an unattended mode suitable for automated deployment or for installation from a command prompt. Values should be surrounded with quotation marks ("") if they contain special characters or spaces. You can specify any setting listed under Configuring KeyID Settings by prefixing it with a /. Setting names are not case sensitive. If a setting is not specified but already exists in the registry, the existing value is used (upgrades retain existing settings unless they are explicitly changed). If a setting is not specified and does not exist in the registry, a default is provided.

"TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT
"TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT /WSURL="https://keyidservices.tickstream.com/operations.asmx" /AUTHENTICATION="myauthenticationkey" /THUMBPRINT="mythumbprint"
"TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT /filterProviders=1 /grantOnError=0

TickStream.KeyID Utility

TickStream.KeyID Utility allows you to view authentication history and configure various settings. The utility requires .NET Framework 4.0 (included and installed automatically by the TickStream.KeyID setup package). To change settings you must have local administrator privileges.

Settings

Click File menu -> Settings. You will be prompted to restart the application with elevated privileges if needed. See Configuring KeyID Settings for a description of each setting.

TickStream.KeyID Information

Click Help menu -> About. The current versions of the Utility and of the TickStream.KeyID credential provider library are shown.

Clear the log

Click Action menu -> Clear log. You will be prompted to confirm before the event log is cleared. This action clears the custom Windows event log 'TickStream KeyID'.

Sort the log

You can sort the log by each information column.

Configuring KeyID Settings

The TickStream.KeyID ADFS multi-factor provider ships with ‘active enrollment’ and ‘active validation’ enabled by default. The Early Access Preview also ships with error handling that allows users to log in as long as they type their password correctly, whatever issue is encountered. The credential provider is also configured so that users may select the default Windows password credential provider if all else fails. Settings can additionally be configured from the command line during installation (see Quiet Install).

You may use the included TickStream.KeyID Utility or regedit.exe to edit the registry. The TickStream.KeyID Winlogon settings are located at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Intensity Analytics Corporation\TickStream KeyID Winlogon

Below is a listing of configuration items and their descriptions:

Validation Subkey

Item                  Description
customThreshold       Enables a custom effort threshold for granting access. Set value to 0 to disable, 1 to enable.
minConfidence         Minimum confidence level for granting access. Set value as a double precision number, e.g. 50.0
minFidelity           Minimum fidelity level for granting access. Set value as a double precision number, e.g. 70.0
passiveEnrollment     Enables passive enrollment. Set value to 0 to disable, 1 to enable.
reqEnrollmentEfforts  Number of enrollment efforts required to complete a profile. Set value as an integer, e.g. 15
passiveValidation     Enables passive validation; all efforts are granted access. Set value to 0 to disable, 1 to enable.
filterProviders       Filters out the built-in Windows credential provider. Required to secure Remote Desktop connections. Set value to 0 to disable, 1 to enable.
obfuscation           If disabled, password characters will be stored in the profile. Set value to 0 to disable, 1 to enable.

Webservices Subkey

Item                  Description
authentication        Server license authentication key.
grantOnError          Allows access even if there are errors or exceptions when authenticating. Set value to 0 to disable, 1 to enable.
strictSSL             Determines whether web service calls enforce strict SSL certificate checking. Set value to 0 to disable, 1 to enable.
thumbprint            Server thumbprint.
wsURL                 HTTPS URL for KeyID web service operations, e.g. https://keyidservices.tickstream.com/operations.asmx

Remote Desktop

TickStream.KeyID Winlogon works reliably over RDP connections. If Network Level Authentication (NLA) is enabled in your environment (it is by default on Windows 7 / Server 2008 R2 and later), you must set the filterProviders value to 1. NLA session pre-authentication will still occur, but users will then be presented with the standard logon screen so that their typing effort can be captured.
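As an added defender's check (example code, not part of the TickStream.KeyID package), the following PowerShell reads the settings described above and flags the values that weaken enforcement. It assumes the subkeys are named Validation and Webservices as in the section headings, and it consults the standard Terminal Server registry values to decide whether the filterProviders requirement from the Remote Desktop section applies.

```powershell
# Added example, not part of the TickStream.KeyID package: audit the Winlogon
# registry settings for values that weaken enforcement. The subkey names
# 'Validation' and 'Webservices' are assumed from the documentation headings.
$base = 'HKLM:\SOFTWARE\Intensity Analytics Corporation\TickStream KeyID Winlogon'

function Get-KeyIdSetting([string]$Subkey, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the installer default applies.
    $key = Join-Path $base $Subkey
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Subkey, value name, the value that weakens protection, and why it matters.
$checks = @(
    @{ Subkey = 'Webservices'; Name = 'grantOnError';      Weak = 1; Reason = 'errors or exceptions grant access without a KeyID result' }
    @{ Subkey = 'Webservices'; Name = 'strictSSL';         Weak = 0; Reason = 'web service certificate is not strictly checked' }
    @{ Subkey = 'Validation';  Name = 'passiveValidation'; Weak = 1; Reason = 'every effort is granted access, so typing is not enforced' }
    @{ Subkey = 'Validation';  Name = 'obfuscation';       Weak = 0; Reason = 'password characters are stored in the profile' }
)

# filterProviders only matters when Remote Desktop is enabled and NLA is required
# (the Terminal Server values below are standard Windows settings).
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
$nlaOn = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
if ($rdpOn -and $nlaOn) {
    $checks += @{ Subkey = 'Validation'; Name = 'filterProviders'; Weak = 0;
                  Reason = 'RDP with NLA is enabled but the built-in provider is not filtered, so remote logons skip KeyID' }
}

$report = foreach ($c in $checks) {
    $value = Get-KeyIdSetting $c.Subkey $c.Name
    if ($null -eq $value) {
        # An absent value means the installer default is in force; set it explicitly so the policy is verifiable.
        $shown = '(default)'; $finding = 'not set explicitly; installer default applies'
    } elseif ($value -eq $c.Weak) {
        $shown = $value;       $finding = $c.Reason
    } else {
        $shown = $value;       $finding = 'OK'
    }
    [pscustomobject]@{ Setting = "$($c.Subkey)\$($c.Name)"; Value = $shown; Finding = $finding }
}
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the workstation or server after installation, and again after any quiet-install upgrade, since existing registry values are retained across upgrades.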

Usage

The TickStream.KeyID Winlogon credential provider will now be available by default when logging into Windows. The first time you log in, type your username and password as you normally would. You will then be prompted to type your password several more times to build your KeyID profile. When the profile is complete, your Windows session will start. Your typing behavior will be evaluated on subsequent logins. At this stage of the early access preview, your typing behavior is only evaluated when the TickStream.KeyID web services can be reached, that is, while the machine is connected to the network. At any time you can reset your profile by checking the 'Reset Profile' box. Your profile will also be reset if your Windows password is changed.

Event Logs

The TickStream.KeyID Winlogon credential provider writes to a custom Windows event log. The table below describes the events that may be raised.

EventID  Severity  Description
1000     Error     Unspecified error containing an HRESULT description.
1001     Error     Password pre-KeyID authentication failed because of a system error.
2000     Warn      Username contains invalid characters.
2001     Warn      Error fetching user SID. The username does not exist or the domain controller cannot be reached.
2002     Warn      Password pre-KeyID authentication failed (wrong password) for user.
2003     Warn      KeyID profile authentication FAILURE results for KeyID profile.
3000     Info      Password changed since last logon; deleting KeyID profile for user.
3001     Info      KeyID profile authentication SUCCESSFUL results for KeyID profile.
3002     Info      User requested profile reset.
3003     Info      Passive / active enrollment profile was saved.
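As an added detection example (not part of the TickStream.KeyID package), this PowerShell reads the 'TickStream KeyID' log named above and summarises the last 24 hours against the event table. The failure threshold of 5, and the Webservices subkey name used to look up grantOnError, are assumptions.

```powershell
# Added example, not part of the TickStream.KeyID package: summarise the custom
# 'TickStream KeyID' event log for the last 24 hours using the documented event IDs.
$meaning = @{
    1000 = 'Unspecified error (HRESULT)'
    1001 = 'Pre-KeyID password check failed: system error'
    2000 = 'Username contains invalid characters'
    2001 = 'Error fetching user SID'
    2002 = 'Pre-KeyID password check failed (wrong password)'
    2003 = 'KeyID profile authentication FAILURE'
    3000 = 'Password changed, profile deleted'
    3001 = 'KeyID profile authentication SUCCESSFUL'
    3002 = 'User requested profile reset'
    3003 = 'Enrollment profile saved'
}

function Get-KeyIdEvents([int]$Hours = 24) {
    # Get-WinEvent reports an absent log or an empty result as a non-terminating
    # error; both are treated here as 'no events' so the report still runs.
    $filter = @{ LogName = 'TickStream KeyID'; StartTime = (Get-Date).AddHours(-$Hours) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

$events = Get-KeyIdEvents

# Counts per EventID, joined with the documented meaning.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{ EventID = $_.Name; Count = $_.Count; Meaning = $meaning[[int]$_.Name] }
} | Format-Table -AutoSize

# Conditions worth a closer look: repeated KeyID validation failures (2003), and
# error events (1000/1001) while grantOnError=1, since those logons were granted
# without a KeyID result. The subkey name 'Webservices' is assumed.
$failures = @($events | Where-Object { $_.Id -eq 2003 })
$errors   = @($events | Where-Object { $_.Id -in 1000, 1001 })
$wsKey    = 'HKLM:\SOFTWARE\Intensity Analytics Corporation\TickStream KeyID Winlogon\Webservices'
$grantOnError = (Get-ItemProperty $wsKey -Name grantOnError -ErrorAction SilentlyContinue).grantOnError
if ($failures.Count -ge 5) {
    Write-Warning "$($failures.Count) KeyID validation failures in the last 24 hours; review the affected profiles."
}
if ($errors.Count -gt 0 -and $grantOnError -eq 1) {
    Write-Warning "$($errors.Count) error events while grantOnError=1; these logons were granted without a KeyID result."
}
# Per-event detail for the flagged IDs, oldest first.
$failures + $errors | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message | Format-List
```

Because the log is cleared by Action -> Clear log in the Utility, forward it to a central collector if the summary is to cover more than the local machine's retained history.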

Safe Mode

Booting into Windows Safe Mode disables the TickStream.KeyID credential provider and re-enables the Windows password provider for that session.