Operational Tips

YubiOn FIDO Logon offers several implementation methods and settings, and which one to choose depends on the customer’s objectives.
This chapter describes the specific settings and operational methods that can be selected for various purposes, as hints for customers planning how to operate YubiOn FIDO Logon.


Batch software installation

To use YubiOn FIDO Logon, the client software must be installed on each PC.
The basic procedure is for end users to download the installer and install the software themselves.
However, customers who want to minimize end-user operations may prefer to have the administrator perform the installation instead.
This applies mainly to customers deploying the system within a large organization.

How to use software distribution functions such as AD

If you use AD’s software distribution function or a software management tool, you can use its distribution function to install the software on each PC in a batch from the administrator’s side.
Please refer to the following procedure.

See below for the activation procedure with registration code to be performed after installation.

If you have a separate PC kitting service

If you want to install the software in a batch as part of PC kitting and then copy the settings to multiple PCs, complete both the FIDO Logon installer and the activation with the registration code on the master PC before copying it to the other PCs.

Points to note when performing batch installation

When performing these procedures, please note the following:

Even if the software is installed automatically, accounts and authenticators must be assigned separately.

  • If “Restrict sign-in options” is set to Enabled
    If “Restrict sign-in options” is enabled in the YubiOn FIDO Logon group policy, an end user will not be able to logon to a PC on which the FIDO Logon client software has just been installed, because the authenticator assignment has not yet been completed.
    For an authenticator to be assigned, the end user must be able to logon to the PC at least once after the software installation.
    There are several possible ways to work around this problem.

    How to use the “Allow Password Logon” setting

    In this scenario, enable the “Allow password logon” setting in the YubiOn FIDO Logon group policy.
    This setting allows accounts that have not yet been assigned an authenticator to logon with only their password.
    Once the end user has logged on to the PC with a password, he/she can assign an authenticator using the YubiOn FIDO Logon configuration tool.
    However, the end user can continue to logon with a password alone until the authenticator is assigned, so the administrator must prompt the end user to complete the assignment in order to obtain the expected level of security.

    Procedure

    1. On the Group Policy screen, select the policy to be used for the operation and set the “Allow password logon” setting to Enabled.
    2. Pass the authenticator to the end user.
    3. The end user logs on to the PC with a password and assigns the authenticator using the configuration tool.

      You can check if the end user has completed the authenticator assignment on the Account Screen of the Management Web.

    How to keep the “Restrict sign-in options” setting disabled until authenticator assignments are made

    When a PC that has not yet been registered is registered, the default group policy is applied to it initially.
    In this scenario, the PC runs under the default policy, with “Restrict sign-in options” disabled, immediately after registration; once the period allowed for assignment has passed, the policy intended for operation is applied instead.

    Procedure

    1. Set the “Restrict sign-in options” setting of the default group policy to Disabled.
    2. Create a new policy for normal operation and set “Restrict sign-in options” to Enabled.
       Configure the other settings required for operation in this policy at the same time.
    3. Pass the authenticator to the end user.
    4. The administrator prompts the end user to assign the authenticator within a specified period of time.
    5. During that period, the end user logs on to the PC with a password and assigns the authenticator in the configuration tool.
    6. After the specified period, the administrator changes the group policy for the target PC to the policy for normal operation.

      Please note that once the policy is switched, an end user who has not completed the authenticator assignment will no longer be able to logon to the PC.
      You can check if the end user has completed the authenticator assignment on the Account Screen of the Management Web.

    How the administrator assigns authenticators

    This is a scenario in which the administrator pre-assigns authenticators on behalf of end users.
    This scenario should only be considered for a small number of target PCs, as it places a heavy burden on the administrator when there are many target PCs.
    For example, the existing PCs at the time of deployment could be handled with one of the other scenarios, while the few newly purchased PCs are handled with this one.

    The administrator can assign authenticators on the Account screen of the Management Web.
    To do so, however, the target account information must already have been uploaded to the YubiOn FIDO Logon server.
    Account information is uploaded automatically when a PC with the client software installed is connected to the network, at the following times:

    • When the configuration tool is launched.
    • When the PC is screen-locked or restarted (that is, whenever the FIDO Logon application is activated).

    Procedure

    1. Assign authenticators to the target accounts on the Accounts screen of the Management Web.
    2. Distribute the assigned authenticators to each end user.

Allow administrators to logon to all PCs

Administrators may want to be able to logon to every PC used by end users in order to perform maintenance.
This section describes the solution for each type of customer environment.

For domain environment

In a domain environment, a domain administrator account can be used.

Because the authenticator assignment information for a domain account is shared across the customer’s environment rather than held per PC, an authenticator assigned to a domain account is reflected, via the server, on every PC that has the software installed.
Using this mechanism, a single authenticator assignment is all that is required to logon to all PCs with the domain administrator account.

Logon to all PCs with a single assignment

Procedure

  1. Assign an authenticator to the domain’s administrator account from the PC’s configuration tool or from the Account screen of the Management Web.

You can check the authenticator assignment status of the domain account on the Account screen.

For non-domain environments

With local accounts, each PC has its own separate accounts, so an authenticator assigned on one PC is not reflected on the other PCs as it is with domain accounts.
To be able to logon to all PCs, a local administrator account must exist and an authenticator must be assigned to it on every PC.
This requires a new assignment operation each time a PC is added, which places a heavy burden on the administrator.

An alternative is to set the “Allow password logon” setting to Enabled and have the administrator logon with a password only.
When this setting is enabled, an account that has no authenticator assigned can logon with just its password.
The administrator then logs on with a password only, while the end-user accounts, which have authenticators assigned, logon with two-factor authentication.
Note, however, that the administrator logon is then no longer two-factor, so its security strength is reduced.

Procedure

  1. Open the Group Policy page of the Management Web.
  2. Select the policy that includes the target PC and set the “Allow password logon” setting to Enabled.

Do not allow end users to add and remove security keys

Depending on your organization, you may want to control which authenticators end users use and not allow them to freely use authenticators they have prepared themselves.
With the following configuration, the administrator assigns all authenticators and end users cannot add or remove authenticators.

Procedure

  1. In the Group Policy Settings of YubiOn FIDO Logon, change “Authentication Information Management Mode in Configuration Tool” and set it to “Prohibit Registration and Deletion”.

With this setting, adding or deleting authenticators from the PC’s configuration tool is prohibited.

Note that the administrator will also be unable to add authenticators from the configuration tool. If the administrator wants to add or remove an authenticator, he or she must do so from the Account Management screen of the Management Web.
Please also note that the administrator must have the authenticator physically in hand when adding it.


What to do if an end user loses his/her authenticator

If an end user loses his/her authenticator, its registration must be deactivated immediately to prevent unauthorized use by a third party who picks it up.
After deactivation, a new authenticator should be distributed to the end user and set up again.
Because the end user cannot logon to the PC until the new authenticator is set up, password-only logon is temporarily allowed in the meantime.

Procedure

  1. Open the Account screen of the Management Web and remove the authenticator assigned to the target account.
  2. Set “Emergency Logon” for the target account to temporarily allow password-only logon.
  3. Prepare a spare authenticator and send it to the end user.
  4. The end user logs on to the PC with a password and uses the configuration tool to assign the newly arrived authenticator.
  5. Cancel the “Emergency Logon” setting.

Use of one shared PC by multiple people

When each PC is used by a single end user, one authenticator is assigned per PC; on a shared PC, however, multiple users must be able to logon.

For domain environment

  • In a domain environment, domain accounts can be used.

    If the end user who logs on has already completed the authenticator assignment

    If an end user who logs on to a shared PC has already completed account and authenticator assignment on his/her own PC, he/she can logon to the shared terminal with the domain account without any additional configuration.
    This is because the authenticator assignment information for a domain account is shared across the customer’s environment rather than held per PC; once an authenticator is assigned to a domain account, the assignment is propagated through the server to all PCs with the software installed.

    If the end user who logs on has not yet completed the authenticator assignment

    If an end user logging on to a shared PC has not yet assigned an authenticator to his/her account, follow the steps below to assign one.

    Procedure

    1. Assign an authenticator to the domain account from the PC’s configuration tool or from the Account screen of the Management Web.

    You can check the authenticator assignment status of the domain account on the Account screen.

For non-domain environments

  • If the shared PC is not a member of a domain, the authenticator must be assigned to a local account on the shared PC.
    Local accounts on a shared PC may be created separately for each end user who logs on, or a single account may be shared by all users.

    If local accounts are different for each end user

    In this scenario, each end user logs on to his/her own local account with a password and assigns his/her own authenticator.

    Procedure

    1. On the Group Policy screen, select the policy to be used for the operation and set the “Allow password logon” setting to Enabled.
    2. Pass the authenticator to the end user.
    3. The end user logs on to the PC with a password and assigns the authenticator in the configuration tool.

    If the local account is common (one) for all end users

    When a single local account is shared, it is difficult for end users to assign their own authenticators even with the “Allow password logon” setting enabled.
    Once the first user has assigned an authenticator to the shared account, that account is no longer unassigned, so the “Allow password logon” setting no longer permits password-only logon and the second user cannot logon to assign his/her own authenticator.
    In other words, all authenticator assignments for the shared account must be completed while the first user is logged on with a password.
    Alternatively, the administrator can register all authenticator assignments from the Account screen of the Management Web.


Loan out authenticators only when logging on to a shared PC

Depending on the customer’s environment, a shared PC may be prepared for specific tasks and require stronger security.
In such a case, instead of each person having his/her own authenticator, an authenticator can be lent out only while the shared PC is in use and returned when the work is finished.
An example of such an operation is as follows.

  1. The administrator lends an authenticator to the user.
  2. The user logs on to the shared terminal with the borrowed authenticator.
  3. The user returns the authenticator after the work is completed.

A PIN or biometric (fingerprint) is required to use the authenticator.
Biometric authenticators are not suitable for shared use because the number of biometric records that can be enrolled on one authenticator is limited.

Even with a PIN-type authenticator, the PIN for that authenticator must be given to the user.
To maintain security, consider having the administrator change the PIN each time the authenticator is lent to a user.
If the PIN is not changed for each loan, the authenticator must be strictly managed physically to prevent unauthorized use.