The Credential Provider plugin enables a computer running Windows for Desktop or Windows Server (2012, 2016, 2019) to require a one-time password (OTP) from the user in addition to their AD username and password.
It may happen that a user has no access to a valid token: it stopped working, is broken, lost, or was left at home; or the user has left the company and an administrator needs access to the user's account. For these and other emergency cases, bypass codes can be defined for a computer running the Credential Provider plugin.
A bypass code is accepted as if it were a valid OTP and must be typed into the OTP text field of the Windows login screen.
Because of their nature, bypass codes must not be used as an everyday substitute for an OTP. The codes are static, so a code that has been observed or captured once can be replayed, and codes set up for general use tend to be shared between users, which reduces security and makes it impossible to attribute a login to one person.
Bypass codes are stored, encrypted, in the local machine's Windows registry. You may instead choose to manage and define the bypass codes centrally from the server.
Centralized bypass codes
Enable centralized management of the codes by opening the Users and Computers window on any of the servers you use to authenticate users with the CP plugin (any of the servers you set during component installation and configuration).
Right-click the tokens node and select Properties.
Once the Properties window appears, click the Desktop login tab and enable the Centrally Managed Bypass Codes checkbox.
This makes the server the owner and definer of the bypass codes. Click the Configure Bypass Codes button next to the checkbox you just enabled.
Define the desired bypass codes for a specific user, a group, or all users in the auxiliary window. Refer to the CP User manual for more information on how to define bypass codes.
Once you are done, click the OK button.
From this point the server manages these codes and overrides the configuration made on each CP-enabled computer.
For a machine to obtain the centrally managed bypass codes, a user must log in to it with a valid OTP from a hardware or software token validated by the Mi-Token server. If bypass codes were already defined locally on the computer when centralized administration was enabled, that login removes the local codes and replaces them with those obtained from the server, so you do not have to remove the old codes computer by computer.
Centrally managed codes WILL NOT WORK on a machine until this first OTP login has taken place on it; a code newly created on the server therefore cannot be used on a machine that has not yet synchronized. Plan for this: create or rotate codes while users can still log in with their tokens, not after a token has already been lost.
Bypass codes recommendations
- Make each bypass code at least 16 characters long so it cannot be guessed.
- Follow your organization's policies for secure passwords. Bypass codes can be alphanumeric.
- Renew bypass codes according to your organization's password change policy.
- If you set and release bypass codes to your users, audit how they use their assigned tokens and make sure the token, not the bypass code, is what they normally use to log in to the computer.
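The recommendations above say what a bypass code should look like but not how to produce one. The following is an added example, not code from Mi-Token or the Credential Provider plugin: it generates per-user bypass codes from a cryptographically secure random source and checks a proposed code against the 16-character, alphanumeric policy before it is entered in the Configure Bypass Codes window. The alphabet (alphanumeric with the easily confused characters 0, O, 1, l and I removed), the default length of 20, the minimum of 8 distinct characters and the user names are assumptions made for the example.

```python
import math
import re
import secrets
import string

# Assumed alphabet: letters and digits with 0/O and 1/l/I removed so a code read
# over the phone to a stranded user is not mistyped. That leaves 57 symbols.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

MIN_LENGTH = 16                 # the page's recommendation: 16 characters or longer
MIN_DISTINCT = 8                # assumed: reject codes built from a handful of repeated characters
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")


def generate_bypass_code(length: int = 20) -> str:
    """Return a bypass code drawn from the OS CSPRNG via the secrets module.

    secrets.choice draws each symbol uniformly, so there is no modulo bias.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"bypass codes must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random code: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def check_bypass_code_policy(code: str) -> list[str]:
    """Return the policy violations for a proposed code; an empty list means it passes."""
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append(f"too short: {len(code)} < {MIN_LENGTH}")
    if not ALNUM_RE.fullmatch(code):
        problems.append("not alphanumeric")
    if len(set(code)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    return problems


def assign_codes(users: list[str], length: int = 20) -> dict[str, str]:
    """Give every user their own code, so no code is shared between people.

    A shared code cannot be attributed to one person, which is the sharing
    problem the page warns about; one code per user avoids it.
    """
    codes = {}
    for user in users:
        code = generate_bypass_code(length)
        assert not check_bypass_code_policy(code)   # generated codes always satisfy the policy
        codes[user] = code
    return codes


if __name__ == "__main__":
    # Constructed sample roster for the example.
    roster = ["alice", "bob", "carol"]
    for user, code in assign_codes(roster).items():
        print(f"{user:<8} {code}")
    print(f"{entropy_bits(20):.1f} bits of entropy per 20-character code")
    # A weak candidate an administrator might otherwise type in by hand:
    print(check_bypass_code_policy("Welcome-to-Acme-2024"))
```

Enter the generated codes in the Configure Bypass Codes window, deliver each one to its user out of band, and record who received which code so a later bypass login can be traced to a person. Rotate them on the same schedule as passwords, remembering that a rotated code only reaches a machine after the next token-based login on it.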