
Two-factor authentication in Windows with PINsafe
With this last document we say goodbye to the PINsafe articles and everything we can do with it. We already saw in previous articles how to set up two-factor authentication in Citrix environments or in OWA, and today we will finally see how to integrate it into the Windows login, either for Terminal Services access or on each user's own PC!
Before this deployment, the PINsafe appliance must already be configured in our environment. We can rely on the previous documents where we deployed the appliance or set up our own installation, apart from giving it a basic initial configuration. We will now continue by installing the necessary software on each PC. We can install it manually, as we will see in this document, or unattended and pass the configuration to it, all with GPO. It's very simple!
We have already seen in previous documents what PINsafe offers us; if we need info on all its possibilities, see this link. It basically consists of adding additional authentication for users: they only have to remember a PIN code, and with it they have to enter an OTC (One Time Code) that is unique every time. The PIN will be received by the users through an image that they see on the logon screen, by SMS/email, or, if they have the app on their mobile devices, they can use it as a token! We can integrate PINsafe into most applications or systems that require user validation. There is a broad summary in its Wiki (and by the way, if something is not supported, we only have to tell them and they will integrate it!), thanks to RADIUS or to authentication APIs through agent configuration (as in this scenario).
The first thing will be to register the IP range of the agents for validation. In this scenario, the agents will be the computers with the PINsafe software installed, so from “Server” > “Agents” we will create a new one that validates the entire IP range of the PC network. To do this, we must enter the IP range and the correct mask in 'Hostname/IP', plus a shared secret that we will set up later.
Next, we install the PINsafe Credential Provider, which we can download from the wiki, on the computers we are interested in.
As it is a manual installation, we will have to install it with a 'MyWife' wizard (Yes baby, yes baby…).
“Next”,
“Install” to start installing,
… wait a few seconds…
OK, if we are not copying any configuration file and are doing it manually, we will check “Launch Configuration Utility” & “Finish”.
In this configuration utility we must indicate the IP of the PINsafe appliance in the 'Server' field, as well as the port, the context, the shared secret, whether we want a secure connection… and then we will have to configure the authentication methods, as well as whether we want the TURing image… We will run a “Test Connection” and, if everything is right, we can log off and try to validate ourselves with two-factor authentication!
As we can see, after entering our username & password we click “Request Image” and a pop-up window appears so that we can convert our PIN to an OTC and validate ourselves with our Active Directory password plus a unique, temporary code; even if a keylogger catches it, nothing happens!
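
The PIN-to-OTC conversion and the keylogger claim above, as an added Python example that is not part of the original article and is not PINsafe's own code. It assumes the position-extraction scheme (each PIN digit selects a position in a 10-digit security string, with 0 meaning the tenth); the function names and the sample PIN and strings are constructed for illustration.

```python
import hmac
import secrets

def new_security_string() -> str:
    """Fresh challenge: the digits 0-9 in random order (assumed format)."""
    digits = list("0123456789")
    for i in range(9, 0, -1):          # Fisher-Yates shuffle driven by a CSPRNG
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)

def extract_otc(pin: str, security_string: str) -> str:
    """Each PIN digit names a 1-based position in the string; 0 means the 10th."""
    if not (pin.isascii() and pin.isdigit()) or len(security_string) != 10:
        raise ValueError("PIN must be ASCII digits, security string 10 characters")
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)

def verify(pin: str, security_string: str, submitted_otc: str, consumed: set) -> bool:
    """Server-side check: a security string is accepted for one attempt only."""
    if security_string in consumed:
        return False
    consumed.add(security_string)
    expected = extract_otc(pin, security_string)
    # Constant-time comparison of the recomputed and the submitted code
    return hmac.compare_digest(expected.encode(), submitted_otc.encode())

if __name__ == "__main__":
    PIN = "1370"                        # constructed sample PIN, never typed at logon
    consumed = set()
    first = "5721694380"                # constructed sample security strings
    second = "9081726354"
    otc = extract_otc(PIN, first)       # what the user types, and a keylogger sees
    print(otc, verify(PIN, first, otc, consumed))   # accepted once
    print(verify(PIN, first, otc, consumed))        # same string again: rejected
    print(verify(PIN, second, otc, consumed))       # replay on a new string: rejected
    print(new_security_string())
```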