Logon to authenticator-less account

This section describes operations to set permissions and restrictions for logon by Windows accounts that are not registered with an authenticator.

Operation Procedure

Select Authentication Service > Group Policy from the menu.

  1. Click the policy you want to configure from the group policy list.
    Group policy
  2. Change the value of the setting for Two-Factor Authentication Settings > Logon Item > Logon to authenticator-less account. Group policy
  3. Click the “Update” button.
  4. Click “OK” on the confirmation message.

Set value

  • Deny logon

    Accounts with unregistered authenticators will not be allowed to log on with FIDO Logon.
    When “Limited sign-in options” is enabled, all accounts on the PC cannot log on using only passwords.

    However, if the PC’s FIDO authentication is “not used”, the user can log on with a password until the authenticator is registered once and authenticated (FIDO authentication is “in use”) to avoid unintentional logon failure.

    e.g.) When “Limited sign-in options” is enabled

    Account Status of authenticator settings How to logon
    User1 Authenticator registered Log on using FIDO authentication
    User2 Authenticator not registered Logon disabled

  • Logon with password only the first time and enforce authenticator registration

    Accounts that have not registered an authenticator will need to register an authenticator after entering the password on the logon screen.
    If the authenticator is successfully registered, the user can log on using FIDO Logon.

    e.g.) When “Limited sign-in options” is enabled

    Account Status of authenticator settings How to logon
    User1 Authenticator registered Log on using FIDO authentication
    User2 Authenticator not registered Requires registration of authenticator

  • Allow logon with password

    Even when “Limited sign-in options” is enabled, accounts that are not registered with an authenticator can log on with a password only.

    e.g.) When “Limited sign-in options” is enabled

    Account Status of authenticator settings How to logon
    User1 Authenticator registered Log on using FIDO authentication
    User2 Authenticator not registered Logon with password