Configuring Password Only Desktop Access
The Allow password-only desktop access setting is a global setting. It applies to user policies in which a password is not allowed as the primary authentication factor; a policy that already allows password as a primary method is unaffected by it.
By default, this setting is:
- Disabled for a new 7.1 or later Imprivata enterprise.
- Enabled after an upgrade to Imprivata OneSign 7.1 or later.
Support
Password only desktop access is only supported on Windows endpoints; it is not supported on ProveID Embedded workstations.
What it Does
This setting lets you balance security versus convenience. If a user has not enrolled the minimum required authentication methods, you can choose to allow desktop access with a password, until the user has enrolled them.

The primary authentication method on the user policy is a proximity card. A second factor is not required.
In this example, you could allow desktop access with a password, until the user has enrolled their proximity card.

The primary authentication methods on the user policy are a proximity card and a fingerprint. A second factor is not required.
In this example, you could allow desktop access with a password, until the user has enrolled either a proximity card or a fingerprint.
Only one of the methods is required for desktop access.

The primary authentication method on the user policy is a proximity card. The second factor is an Imprivata PIN.
In this example, you could allow desktop access with a password until the user:
- Enrolls a proximity card. The primary authentication method must be enrolled for desktop access.
- Enrolls an Imprivata PIN. The secondary method is also required for desktop access.

The primary authentication methods on the user policy are a proximity card and a fingerprint. The second factor is a fingerprint or an Imprivata PIN.
In this example, you could allow desktop access with a password until the user:
- Enrolls either a proximity card or a fingerprint. Only one of the primary authentication methods is required for desktop access.
- Enrolls either a fingerprint or an Imprivata PIN. Only one of the secondary methods is required for desktop access.
What to Expect
When determining how to configure this setting, consider the following:
- Enabling the setting lets users access the desktop with a password even if the minimum required authentication methods are not enrolled. This gives users more time to complete enrollment, but it also means the authentication policy can be bypassed with a password indefinitely: nothing forces a user who never enrolls to stop using the password.
- Disabling the setting requires users to enroll the minimum required authentication methods before desktop access is allowed. This is more restrictive, but it strengthens your security posture by ensuring that every user has completed enrollment before the password fallback is removed.
On Windows endpoints configured to use the legacy login user experience, users can open the enrollment utility only after they have reached the desktop.
If you disable this setting while some users have not yet enrolled the minimum required authentication methods, those users are locked out of the endpoint and need assistance (for example, enrollment by an administrator or supervised enrollment) before they can log in.
To determine if any of your users would be adversely affected, you can run the User Details report to identify which users are assigned to the policy and what modalities they have enrolled.
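The enrollment rule worked through in the four examples above, together with the pre-check against the User Details report, as an added Python example (this is not Imprivata code). It treats a user as meeting the minimum when at least one configured primary method is enrolled and, if the policy configures a second factor, at least one configured secondary method is enrolled; a policy whose primary methods include password is treated as unaffected by the setting. The policy names, the CSV columns (`username`, `policy`, `enrolled_modalities`) and the sample rows are constructed assumptions; a real User Details export needs its own column mapping.

```python
"""Pre-check before disabling "Allow password-only desktop access".

Added example, not Imprivata code. Models the enrollment rule described on
the page and flags the users who would be locked out once the setting is
disabled. The report layout (column names, ';'-separated modalities) is an
assumption for this example.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class UserPolicy:
    name: str
    primary: frozenset                  # any ONE of these satisfies the primary requirement
    secondary: frozenset = frozenset()  # empty means no second factor is required


def meets_minimum_enrollment(policy, enrolled):
    """True when the user has enrolled enough to log in under the policy itself."""
    enrolled = set(enrolled)
    has_primary = bool(policy.primary & enrolled)
    has_secondary = not policy.secondary or bool(policy.secondary & enrolled)
    return has_primary and has_secondary


def desktop_access_outcome(policy, enrolled, allow_password_only):
    """What happens at desktop logon: 'policy', 'password' or 'locked_out'."""
    if "password" in policy.primary:
        return "policy"      # setting does not apply; password is already a primary method
    if meets_minimum_enrollment(policy, enrolled):
        return "policy"      # authenticates with the enrolled methods
    if allow_password_only:
        return "password"    # policy bypassed with a password until enrollment completes
    return "locked_out"


# Assumed policy definitions mirroring the page's four examples, plus one
# password-primary policy to show where the setting is irrelevant.
POLICIES = {
    "Clinicians": UserPolicy("Clinicians", frozenset({"proximity_card"})),
    "Nurses": UserPolicy("Nurses", frozenset({"proximity_card", "fingerprint"})),
    "Pharmacy": UserPolicy("Pharmacy", frozenset({"proximity_card"}),
                           frozenset({"imprivata_pin"})),
    "Radiology": UserPolicy("Radiology", frozenset({"proximity_card", "fingerprint"}),
                            frozenset({"fingerprint", "imprivata_pin"})),
    "Helpdesk": UserPolicy("Helpdesk", frozenset({"password"})),
}

# Constructed sample of a User Details export; column names are assumed.
SAMPLE_REPORT = """\
username,policy,enrolled_modalities
alice,Clinicians,proximity_card
bob,Clinicians,
carol,Nurses,fingerprint
dave,Pharmacy,proximity_card
erin,Pharmacy,proximity_card;imprivata_pin
frank,Radiology,proximity_card
grace,Radiology,imprivata_pin
heidi,Radiology,fingerprint;imprivata_pin
ivan,Helpdesk,
"""


def parse_report(text):
    """Yield (username, policy name, frozenset of enrolled modalities)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        mods = frozenset(m.strip() for m in row["enrolled_modalities"].split(";") if m.strip())
        rows.append((row["username"], row["policy"], mods))
    return rows


def users_locked_out_if_disabled(report_text, policies=POLICIES):
    """Users who would lose desktop access if the setting were disabled, with the reason."""
    locked = []
    for user, policy_name, mods in parse_report(report_text):
        policy = policies[policy_name]
        if desktop_access_outcome(policy, mods, allow_password_only=False) != "locked_out":
            continue
        missing = []
        if not (policy.primary & mods):
            missing.append("primary: one of " + "/".join(sorted(policy.primary)))
        if policy.secondary and not (policy.secondary & mods):
            missing.append("secondary: one of " + "/".join(sorted(policy.secondary)))
        locked.append((user, policy_name, "; ".join(missing)))
    return locked


if __name__ == "__main__":
    for user, pol, missing in users_locked_out_if_disabled(SAMPLE_REPORT):
        print(f"{user} ({pol}) would be locked out; not enrolled -> {missing}")
```

Run it against an export of the User Details report (after adjusting the column mapping in `parse_report`) before flipping the setting off; an empty result means no user depends on the password fallback. The `desktop_access_outcome` function also makes the trade-off in the What to Expect section explicit: with the setting enabled, every user listed by the script is logging in with a password today, and will keep doing so until they enroll.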