RSA SecurID for Windows Hello

Document created by RSA Information Design and Development on May 18, 2018
Last modified by RSA Information Design and Development on Sep 14, 2018

You can deploy RSA SecurID for Windows Hello to allow your users to easily and securely sign into their Windows 10 PCs using their RSA SecurID Authenticate for Android devices. RSA SecurID for Windows Hello can help reduce support calls related to PC sign-in.

RSA SecurID for Windows Hello uses Bluetooth to securely communicate with the Authenticate app.

  1. A user is signed off of his or her Windows 10 PC.

  2. A user presses the space bar with the Authenticate device nearby.

  3. RSA SecurID for Windows Hello signs into the PC.

System Requirements

                       
Supported Device: Windows PC with the following:

  • Bluetooth Low Energy (LE) capable
  • PIN set up

Minimum Required Operating System Version: Windows 10 Version 1709 (RS3 or Fall Creators Update)

Minimum Required App Version: RSA SecurID for Windows Hello 1.5.1

Supported Device: Android Bluetooth LE-capable device. RSA has qualified the following devices:

  • Samsung Galaxy S8+, S8, S7, S7 edge, S6, S6 edge, S5
  • Huawei Nexus 6P

Minimum Required Operating System Version: Android 5.0

Minimum Required App Version: RSA SecurID Authenticate 1.6.0 for Android

 

Set Up RSA SecurID for Windows Hello

The RSA SecurID for Windows Hello setup process involves ensuring that Bluetooth and Bluetooth Low Energy (LE) are enabled on both the Windows PC and mobile devices, ensuring that the devices are paired, and connecting the RSA SecurID for Windows Hello app with the Authenticate app. The RSA SecurID for Windows Hello and Authenticate apps guide the user through this process.

  1. On a Windows 10 PC, the user downloads RSA SecurID for Windows Hello from the Microsoft Store.

  2. On an Android device, the user updates to the latest version of the Authenticate app from Google Play. The user does not need to complete Authenticate device registration.

  3. On the Windows 10 PC, the user opens RSA SecurID for Windows Hello.

  4. The user views the tutorial, accepts the license agreement, and allows or denies Google Analytics data collection.

  5. On the mobile device, in the More screen of the Authenticate app, the user taps Windows Hello and turns on Connect.

  6. In the RSA SecurID for Windows Hello app, the user clicks Next.

  7. If Bluetooth is not turned on on the PC, RSA SecurID for Windows Hello prompts the user to turn it on.

  8. The user selects the mobile device from the list and clicks Connect.

  9. RSA SecurID for Windows Hello pairs the PC with the mobile device.

  10. The mobile device displays a PIN.

  11. The user enters a PIN in RSA SecurID for Windows Hello and clicks Submit.

  12. RSA SecurID for Windows Hello displays the Windows Hello sign-in screen.

  13. The user signs into Windows Hello.

    RSA SecurID for Windows Hello is ready to work.

Sign Into a PC

A user has two options for signing into a PC:

  • Automatic: The user presses the space bar with the mobile device close to the PC. The user is signed into the PC automatically. This is the default setting.

    The mobile device must be near the PC to use this option. This distance is established behind the scenes during setup.

  • Approve: The user presses the space bar and then approves the sign-in request on the mobile device. The user is signed into the PC.

    To use this option, in RSA SecurID for Windows Hello Settings, the user turns on Use Approve to sign into PC.

RSA SecurID for Windows Hello does not need to be open to sign into the PC. RSA SecurID for Windows Hello works in the background.

RSA SecurID for Windows Hello does not lock the PC, for example, when the user walks away from the PC with the Authenticate device.

Logging

Use the RSA SecurID for Windows Hello and RSA SecurID Authenticate logs to troubleshoot user issues with setup or signing into the Windows 10 PC. For more information about the RSA SecurID Authenticate logs, see RSA SecurID Authenticate App Logging.

The RSA SecurID for Windows Hello logs include app and user events associated with setup and signing in. Log messages are generated automatically.

An event message has the following components.

                     
  • Date and Time: The date and time in UTC when the event occurred.

  • Level: Indicates whether the event is informative or an error. In general, ERROR events are most helpful for troubleshooting.

  • Description: Describes the specific event. For example: Companion device registration successful.

Users can email the RSA SecurID for Windows Hello log files from the app. When a user clicks Email Logs at the bottom of the app, the log files are automatically attached to an email in an email app that the user selects. The email app must be a Microsoft Store app.

The app logs consist of two sets of files:

  • RSA SecurID for Windows Hello.exe - date.log: Setup and other app events

  • backgroundTaskHost.exe - date.log: PC sign-in events

For each type of log file, the app creates a new log file each day that the app is used, for example, RSA SecurID for Windows Hello.exe - 20170906.log and backgroundTaskHost.exe - 20170906.log. Before creating a new log file, the app deletes any log files that are 30 days or older.
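The file naming and 30-day retention described above can be used to sort a bundle of emailed logs before reading them. The following is an added example, not RSA code; the one-event-per-line layout with the level as a standalone token, the sample lines, and the names classify and triage are assumptions.

```python
import re
from datetime import date, datetime

# File names as given on the page: "<process>.exe - <YYYYMMDD>.log"
LOG_NAME = re.compile(r"^(?P<source>.+\.exe) - (?P<day>\d{8})\.log$")
# Event category carried by each log source, per the page
CATEGORY = {"RSA SecurID for Windows Hello.exe": "setup", "backgroundTaskHost.exe": "sign-in"}
RETENTION_DAYS = 30  # the app deletes log files that are 30 days or older
# ASSUMPTION: the level appears as a standalone token somewhere in each line
ERROR_LEVEL = re.compile(r"\bERROR\b")

def classify(filename):
    """Return (category, log_date) for a recognized log file name, else None."""
    m = LOG_NAME.match(filename)
    if not m or m["source"] not in CATEGORY:
        return None
    try:
        day = datetime.strptime(m["day"], "%Y%m%d").date()
    except ValueError:  # eight digits that are not a real calendar date
        return None
    return CATEGORY[m["source"]], day

def triage(files, today):
    """Sort {filename: text} into ERROR lines per category, stale and unrecognized files."""
    report = {"setup": [], "sign-in": [], "stale": [], "unrecognized": []}
    for name in sorted(files):
        info = classify(name)
        if info is None:
            report["unrecognized"].append(name)
            continue
        category, day = info
        if (today - day).days >= RETENTION_DAYS:  # predates the retention window
            report["stale"].append(name)
            continue
        for line in files[name].splitlines():
            if ERROR_LEVEL.search(line):
                report[category].append((day.isoformat(), line.strip()))
    return report

# Constructed sample bundle: file names follow the page, line contents are made up
SAMPLE = {
    "RSA SecurID for Windows Hello.exe - 20170906.log":
        "2017-09-06 14:02:11 INFO Companion device registration successful.\n",
    "backgroundTaskHost.exe - 20170906.log":
        "2017-09-06 14:10:43 INFO sample\n2017-09-06 14:10:45 ERROR sample failure\n",
    "backgroundTaskHost.exe - 20170701.log": "2017-07-01 09:00:00 ERROR old\n",
    "notes.txt": ""}
if __name__ == "__main__":
    print(triage(SAMPLE, date(2017, 9, 7)))
```

A stale file in a bundle is consistent with the page: old logs are deleted only when the app creates a new daily file, so a PC where the app has not been used recently can still hold them.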

Troubleshooting

                                   

Issue:

  • RSA SecurID for Windows Hello cannot find the mobile device during setup.

  • The user is unable to complete setup because of Unsuccessful Connection errors.

  • RSA SecurID for Windows Hello stops working after the user successfully completes setup.

Resolution: Instruct the user to do the following:

  1. In the Authenticate app, tap Windows Hello > the I icon next to your Windows device > Remove This Device. Close the Authenticate app.

  2. On the mobile device, in Bluetooth settings, remove the Windows 10 PC. Turn Bluetooth off and then on again.

  3. On the PC, in Bluetooth settings, remove the mobile device. Turn Bluetooth off and then on again.

  4. Close the RSA SecurID for Windows Hello app.

  5. Open the RSA SecurID for Windows Hello app, and follow the instructions.

  6. If the problem persists, power off and on both the PC and mobile device.

Issue: During setup, RSA SecurID for Windows Hello finds multiple devices with the same name.

Resolution:

  • Instruct the user to select the first device in the list, complete setup, and then try to unlock the PC with that device.
  • If RSA SecurID for Windows Hello does not unlock the PC, instruct the user to do the following:
    • Unlock the PC as usual.
    • In RSA SecurID for Windows Hello, click Settings > Remove This Device.
    • Start setup again, and select a different device in the list.

Issue: The user wants to use a different Authenticate device to sign into or unlock the PC.

Resolution: Instruct the user to do the following:

  1. In RSA SecurID for Windows Hello, click Settings > Remove This Device.
  2. In the Authenticate app, tap Windows Hello > the I icon next to your Windows device > Remove This Device.
  3. Follow the instructions to connect the PC to the new mobile device.

Issue: The user has a new PC and needs to set up PC unlock again.

Resolution: Instruct the user to do the following:

  1. In the Authenticate app, tap Windows Hello > the I icon next to your Windows device > Remove This Device.
  2. Download RSA SecurID for Windows Hello to your Windows 10 PC from the Microsoft Store.
  3. Open the RSA SecurID for Windows Hello app, and follow the instructions.

Issue: The user forgets the Authenticate device and needs to sign into the PC.

Resolution: Instruct the user to sign into the PC the way he or she did before setting up RSA SecurID for Windows Hello.

Issue: You want to manage the sign-in setting for RSA SecurID for Windows Hello for all users in your organization. For example, you want all users to tap Approve in their Authenticate devices to unlock their PCs.

Resolution: In the initial RSA SecurID for Windows Hello release, the sign-in setting can only be managed at the app level.

 

 
