TickStream.KeyID Winlogon (Early Access Preview) is a Microsoft Windows logon credential provider that adds a second authentication factor for users of workstations and servers. The credential provider captures the user's typing effort when they log on with CTRL+ALT+DEL, or when they access a server through Remote Desktop Protocol or another remote access solution.
The Activity client will run on the following systems with their minimum hardware specifications.
- Microsoft Windows 7 / Windows Server 2008 R2 and later
- Microsoft Visual C++ Redistributable 2010, 2015 (installed during setup)
- Microsoft .NET Framework 4.0 or higher (installed during setup)
- Download the TickStream.KeyID Winlogon setup package using the link provided to you.
- Run the setup package on the client machine you wish to install it on. Press the ‘Next’ button when the welcome screen appears.
- Accept the licensing agreement. Press the ‘Next’ button to continue.
- Choose the path to install the TickStream.KeyID Winlogon files. Press the ‘Next’ button to continue.
- Enter the KeyID web service address, Authentication key and Server Thumbprint. Press the ‘Next’ button to continue.
- Select a start menu folder. Press the ‘Next’ button to continue.
- Press the Install button.
- Press the Finish button.
The setup package can be installed in an unattended mode suitable for automated deployment or installation from a command prompt. Values should be surrounded with quotation marks ("") if they contain special characters or spaces. You can specify any setting listed in the next section by prefacing it with a forward slash (/). Setting names are not case sensitive. If a setting is not specified and already exists in the registry, the existing setting is used (upgrades retain existing settings unless they are explicitly changed). If a setting is not specified and does not exist in the registry, a default is applied.
Examples:

    "TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT
    "TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT /WSURL="https://keyidservices.tickstream.com/operations.asmx" /AUTHENTICATION="myauthenticationkey" /THUMBPRINT="mythumbprint"
    "TickStream KeyID Winlogon x64 1.0.xxxx.exe" /VERYSILENT /filterProviders=1 /grantOnError=0
TickStream.KeyID Utility allows you to view authentication history and configure various settings. The utility requires .NET Framework 4.0 (included and installed automatically by the TickStream.KeyID setup package). To make setting changes you must have local system administrator privileges.
Click File menu -> Settings. You will be prompted to restart the application with elevated privileges if needed. See the next section for setting information.
Click Help menu -> About. The current version of the Utility and TickStream.KeyID credential provider library will be provided.
Clear the log
Click Action menu -> Clear log. You will be prompted to confirm clearing the event log. This action clears the custom Windows event log 'TickStream KeyID'.
Sort the log
You can sort the log by each information column.
Configuring KeyID Settings
The TickStream.KeyID ADFS multi-factor provider ships with ‘active enrollment’ and ‘active validation’ enabled by default. The Early Access Preview also ships with error handling that allows users to log in as long as they type their password correctly, whatever issue is encountered. The credential provider is also configured so that users may select the default Windows password credential provider if all else fails. You can configure settings from the command line during installation.
You may use the included TickStream.KeyID Utility or regedit.exe to edit the registry. The TickStream.KeyID Winlogon settings are located at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Intensity Analytics Corporation\TickStream KeyID Winlogon
Below is a listing of configuration items and their descriptions:
| Setting | Description |
| --- | --- |
| customThreshold | Enables a custom effort threshold for granting access. Set value to |
| minConfidence | Minimum confidence level for granting access. Set value as a double precision number, i.e. |
| minFidelity | Minimum fidelity level for granting access. Set value as a double precision number, i.e. '70.0' |
| passiveEnrollment | Enables passive enrollment. Set value to |
| reqEnrollmentEfforts | Number of enrollment efforts to complete a profile. Set value as an integer, i.e. |
| passiveValidation | Enables passive validation. All efforts granted access. Set value to |
| filterProviders | Filters the built-in Windows credential provider. Required if trying to secure Remote Desktop connections. Set value to |
| obfuscation | If disabled, password characters will be stored in the profile. Set value to |
| **Webservices subkey** | The following settings are stored in the Webservices subkey. |
| authentication | Server license authentication key. |
| grantOnError | Allows access even if there are errors or exceptions when authenticating. Set value to |
| strictSSL | Determines whether web service calls enforce strict SSL certificate checking. Set value to |
| wsURL | HTTPS URL for KeyID web service operations, i.e. |
TickStream.KeyID Winlogon works reliably over RDP connections. If you have NLA enabled in your environment (it is by default on Windows 7 / Server 2008 R2 and up), you must set the filterProviders value to 1. NLA session pre-authentication will still occur, but users will then be greeted with the standard login screen so that their typing effort can be captured.
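The settings above decide whether KeyID is actually enforced: grantOnError, passiveValidation and a disabled strictSSL or filterProviders each let a logon through without (or without trustworthy) KeyID verification. The following PowerShell audit, added here and not part of TickStream's own tooling, reads the documented registry location and reports settings that weaken the control. It assumes the Webservices settings live in a subkey named "Webservices" and that enabled settings are stored as 1, "1" or "true".

```powershell
# Added audit script (not TickStream's own tooling). Assumptions: Webservices
# settings sit in a subkey literally named "Webservices" under the documented
# path, and "enabled" is stored as 1, "1" or "true".
$base = 'HKLM:\SOFTWARE\Intensity Analytics Corporation\TickStream KeyID Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-Enabled {
    param($Value)
    if ($null -eq $Value) { return $null }   # not set: the installer default applies
    return ([string]$Value) -match '^(1|true)$'
}

$checks = @(
    # Name, registry path, the state that weakens the control, and why it matters
    @{ Name = 'grantOnError';      Path = "$base\Webservices"; Weak = $true;  Why = 'access is granted when KeyID authentication errors out' },
    @{ Name = 'strictSSL';         Path = "$base\Webservices"; Weak = $false; Why = 'web service certificate checking is not enforced' },
    @{ Name = 'passiveValidation'; Path = $base;               Weak = $true;  Why = 'every typing effort is granted access' },
    @{ Name = 'filterProviders';   Path = $base;               Weak = $false; Why = 'built-in password provider stays selectable; Remote Desktop connections are not secured' },
    @{ Name = 'obfuscation';       Path = $base;               Weak = $false; Why = 'password characters are stored in the profile' }
)

foreach ($c in $checks) {
    $state = Test-Enabled (Get-RegValue -Path $c.Path -Name $c.Name)
    if ($null -eq $state) {
        Write-Output ("UNSET  {0,-18} installer default in effect; confirm it in the Utility" -f $c.Name)
    } elseif ($state -eq $c.Weak) {
        Write-Output ("WEAK   {0,-18} = {1}: {2}" -f $c.Name, $state, $c.Why)
    } else {
        Write-Output ("OK     {0,-18} = {1}" -f $c.Name, $state)
    }
}

# wsURL is documented as an HTTPS URL; anything else sends credentials-related
# traffic to the KeyID service without transport protection.
$url = Get-RegValue -Path "$base\Webservices" -Name 'wsURL'
if ($url -and $url -notmatch '^https://') {
    Write-Output ("WEAK   {0,-18} = {1}: KeyID web service URL must use HTTPS" -f 'wsURL', $url)
}
```

Run it after installation and after each upgrade, since upgrades retain whatever settings are already in the registry.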
The TickStream.KeyID Winlogon credential provider will now be offered by default when logging into Windows. The first time you log in, type your username and password as you normally would. You will then be prompted to type your password several more times to build your KeyID profile. When the profile is complete, your Windows session will start. Your typing behavior will be evaluated on subsequent logins. At this stage in the early access preview, your typing behavior is only evaluated when the TickStream.KeyID web services can be reached, i.e. when the machine is connected to the network. At any time you can reset your profile by checking the 'Reset Profile' box. Your profile will also be reset if your Windows password is changed.
The TickStream.KeyID Winlogon credential provider writes to a custom Windows event log. The table below lists the events that may be raised.

| Event ID | Level | Description |
| --- | --- | --- |
| 1000 | Error | Unspecified error containing an HRESULT description. |
| 1001 | Error | Password pre-KeyID authentication failed; there was a system error. |
| 2000 | Warn | Username contains invalid characters. |
| 2001 | Warn | Error fetching user SID. Username does not exist or cannot connect to domain controller. |
| 2002 | Warn | Password pre-KeyID authentication failed (wrong password) for user. |
| 2003 | Warn | KeyID profile authentication FAILURE results for KeyID profile. |
| 3000 | Info | Password changed since last logon; deleting KeyID profile for user. |
| 3001 | Info | KeyID profile authentication SUCCESSFUL results for KeyID profile. |
| 3002 | Info | User requested profile reset. |
| 3003 | Info | Passive / active enrollment profile was saved. |
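Because the preview grants access on errors and lets users fall back to the Windows password provider, the event log is the place to see whether KeyID actually verified a logon. The following PowerShell, added here and not part of TickStream's own tooling, summarises the last 24 hours of the 'TickStream KeyID' log per user using the event IDs above. It assumes the user name appears in the event message text (the exact message format is not documented here), so the name is extracted with a loose pattern that you may need to adjust.

```powershell
# Added example (not TickStream's own tooling): per-user summary of the
# 'TickStream KeyID' event log for the last 24 hours, keyed on the documented
# event IDs. Assumption: the user name is present in the message text.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'TickStream KeyID'; StartTime = $since } -ErrorAction SilentlyContinue

# Event ID -> outcome label, taken from the event table above
$outcome = @{
    1000 = 'error';           1001 = 'error'
    2000 = 'warn';            2001 = 'warn'
    2002 = 'wrong-password';  2003 = 'keyid-failure'
    3000 = 'profile-deleted'; 3001 = 'keyid-success'
    3002 = 'profile-reset';   3003 = 'profile-saved'
}

function Get-UserFromMessage {
    param([string]$Message)
    # Assumed message wording ("... for user <name> ..."); adjust to your log.
    if ($Message -match '(?i)user\W+([^\s,.]+)') { return $Matches[1] }
    return 'unknown'
}

$rows = $events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = Get-UserFromMessage $_.Message
        Outcome = if ($outcome.ContainsKey($_.Id)) { $outcome[$_.Id] } else { "id-$($_.Id)" }
    }
}

# A user with repeated KeyID failures and no successes, or failures right after a
# profile reset, deserves a closer look. Errors matter when grantOnError is on:
# each one may be a logon that was granted without KeyID verification.
$rows | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User           = $_.Name
        KeyIDFailures  = @($_.Group | Where-Object Outcome -eq 'keyid-failure').Count
        KeyIDSuccesses = @($_.Group | Where-Object Outcome -eq 'keyid-success').Count
        Errors         = @($_.Group | Where-Object Outcome -eq 'error').Count
        ProfileResets  = @($_.Group | Where-Object Outcome -eq 'profile-reset').Count
    }
} | Sort-Object KeyIDFailures -Descending | Format-Table -AutoSize
```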
Booting into Windows Safe Mode disables the TickStream.KeyID credential provider and re-enables the Windows password provider for that session.