InstaSafe Credential Provider (ICP)
How does ICP work when the computer is offline?
- When the computer is offline, Multi-Factor Authentication (MFA) will be bypassed, when the user attempts to sign-in to the Windows profile. Once successfully authenticated by Windows, they would be able to login to their local/domain profile. However, corporate resources would be inaccessible since the ISA User Agent will not be connected.
- When the computer is offline, user logins to the Windows profile do not get captured under Event Logs. This will be introduced in future versions.
In which scenarios would the computer be considered as offline?
- When the user attempts to sign-in when the system is offline or in flight-mode with no internet connectivity.
- The ISA Controller at the time of sign-in is inaccessible due to firewall or proxy issues.
- The user’s Internet connection doesn’t connect automatically, for example when using a dongle or when the Wi-Fi is not set to connect automatically.
When would MFA not be prompted?
- When the user has not selected ICP under Sign-in Options.
- When ICP is not installed on the computer.
- When the InstaSafe User Agent is not installed on the computer.
- When Two-Factor Authentication (TFA) is not enabled for the user.
- When there is no Internet connectivity at the time of sign-in.
How to disable MFA and prevent the ISA User Agent from connecting when the user is physically present at the corporate premises using the corporate network?
The InstaSafe servers with domains “instasafe.net” and “instasafe.com” must be blocked by the internal firewall to bypass MFA while signing into Windows. Contact InstaSafe Support for the specific IP addresses to be blocked.
How will the user connect to ISA once the 8 hour 'OTP Verification Success' state has expired ?
Once the 8 hour 'OTP Verification Success' state has expired, the ISA User Agent will not automatically disconnect. However, when the ISA App does disconnect due to Internet unavailability; when switching between networks; when the computer enters Sleep Mode, the user should sign-out of their Windows session and re-login, if they wish to reconnect the ISA App . Once re-authenticated with the credentials and OTP, the User Agent would reconnect.
In case it is required that the ISA User Agent must disconnect automatically after 8 hours, the option under User Setting, Force User Disconnect After _ Hours should be configured.
Is the 8 hours window of 'OTP Verification Success' state configurable?
The 8 hours window is currently not an administrator configurable option. However, InstaSafe Support could be contacted to increase or decrease the window. It must be noted that it might not always be feasible to change this window, and would be decided on a case-to-case basis.
Will the ICP feature work as soon as the application is installed? If not, what else needs to be configured?
The ISA User Agent must be installed before ICP is installed. In addition, the prerequisites in the article Integrating InstaSafe Credential Provider (ICP) into Windows Authentication must be met.
What happens when ICP is installed without installing the ISA User Agent?
When signing in with ICP selected, if the ISA User Agent connection is not established, the MFA prompt will not be displayed, and authentication will fail because ICP cannot connect to the ISA Controller.
What would be the behaviour on computers with multiple user profiles configured on the same Windows system?
Each user on the device will be treated as a different user. The ICP integrated MFA will be applicable only for the specific user. The MFA OTP and push notification will be sent to the specific user’s authenticator app.
However, the ISA User Agent, which is a device-specific installation authorized for all users on the computer, will connect using only the user-specific installation's credentials.
If Always-On Mode is enabled for the user-specific installation, the connection will be shared across all Windows user profiles. The corporate resources assigned will be shared by all logged-in users.
For example, a Windows computer has two user profiles - jebb@alphaetch.local and tex@alphatech.local. The ISA User Agent on the computer is configured for the user jebb@alphaetch.local.
When Jebb enters his credentials at the Windows sign-in page, the push notification and TOTP will be sent to Jebb’s authenticating device and Jebb will be successfully signed-in to his Windows profile.
When Tex enters his credentials at the Windows sign-in page, the push notification and TOTP will be sent to Tex’s authenticating device and Tex will be signed-in to his Windows profile.
In both cases, the Event Logs will record distinct events, indicating which user completed the ICP MFA.
However, the ISA User Agent will connect using Jebb-specific parameters and will require Jebb’s credentials.
If Always-On Mode is enabled for Jebb, when Tex is logged in, he will be able to access the corporate resources assigned to Jebb.
Are usernames case sensitive?
Yes, the username entered at the Windows sign-in page with ICP selected must be entered with the same case parameters as set on or, in the case of AD/LDAP users, synced on the ISA web console.