Can PrivacyIDEA Push Token be used for Windows Logon MFA?

Hello,

I am currently using PrivacyIDEA 3.10.2 and have successfully enabled Push Token (Polling mode, without Firebase).

We want to integrate PrivacyIDEA Push authentication into the Windows login process. The desired workflow is:

  1. The user enters their Active Directory username and password on the Windows login screen.
  2. After submitting the credentials, PrivacyIDEA sends a Push Notification to the user’s mobile phone.
  3. The user approves the request on their PrivacyIDEA Authenticator app, and Windows grants access after successful verification.

Currently, we are using PrivacyIDEA RADIUS to connect to Windows NPS (Network Policy Server) for MFA, but we are unsure whether Push Token authentication can be integrated into the Windows login flow.

My Questions:

  • Is it possible to use PrivacyIDEA Push Token directly for Windows Logon authentication?
  • If so, how can we configure it?
  • Does PrivacyIDEA provide a Windows Credential Provider Plugin, or would this require a custom solution?
  • Is there any recommended approach for integrating PrivacyIDEA Push authentication into Windows login?

Any advice or guidance on this would be greatly appreciated. Thank you!

Regarding this issue, originally, when adding a Push Token, a PIN code was entered. However, during testing for Windows login, using the PIN code repeatedly resulted in errors. Surprisingly, when I stopped entering the PIN code, I was able to receive the Push notification and successfully log in. The PIN code worked fine with HOTP, but when using Push authentication, it failed to verify.

This issue has been resolved. Thank you, everyone!

For other readers:

Of course you can use PUSH tokens for Windows login.
You need the privacyIDEA Credential Provider, which also supports the token type “push”.
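For readers who want to see what a login client actually has to drive for a push token in polling mode, here is an added example (not code from privacyIDEA, the Credential Provider, or anyone in this thread). It uses privacyIDEA's validate API: `POST /validate/check` with the user and the token PIN to trigger the push challenge and obtain a `transaction_id`, `GET /validate/polltransaction` to wait for the user's approval, and a second `POST /validate/check` with the `transaction_id` and an empty `pass` to finalize. The `FakePrivacyIDEA` class is a constructed stand-in so the flow runs offline; its serial, transaction ID and message text are made up, and the hostname `pi.example.test` is a placeholder. Against a real server you would drop the `transport` argument and let the built-in urllib transport do the HTTPS calls (certificate verification stays on).

```python
import json
import time
import urllib.parse
import urllib.request


class PushAuthClient:
    """Drives one privacyIDEA push-token authentication (polling mode, no Firebase)."""

    def __init__(self, base_url, transport=None, poll_interval=1.0, timeout=60.0):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._http   # injectable so the flow can run offline
        self.poll_interval = poll_interval
        self.timeout = timeout

    def _http(self, method, path, params):
        data = urllib.parse.urlencode(params).encode()
        url = self.base_url + path
        if method == "GET":
            req = urllib.request.Request(url + "?" + data.decode())
        else:
            req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:   # TLS is verified by default; keep it that way
            return json.load(resp)

    def authenticate(self, user, pin, sleep=time.sleep, clock=time.monotonic):
        # Step 1: trigger the challenge. The token PIN travels as "pass".
        resp = self.transport("POST", "/validate/check", {"user": user, "pass": pin})
        result = resp.get("result", {})
        if not result.get("status"):
            return False                      # server-side error: never treat as success
        if result.get("value"):
            return True                       # authenticated outright (no challenge needed)
        detail = resp.get("detail", {})
        txid = detail.get("transaction_id")
        push = [c for c in detail.get("multi_challenge", []) if c.get("type") == "push"]
        if not txid or not push:
            return False                      # wrong PIN or no push token: nothing to wait for
        # Step 2: poll until the user approved on the phone, or until the deadline passes.
        deadline = clock() + self.timeout
        while clock() < deadline:
            poll = self.transport("GET", "/validate/polltransaction", {"transaction_id": txid})
            if poll.get("result", {}).get("value"):
                break
            sleep(self.poll_interval)
        else:
            return False                      # timeout: the user never approved
        # Step 3: finalize the transaction; only this answer decides the login.
        final = self.transport("POST", "/validate/check",
                               {"user": user, "transaction_id": txid, "pass": ""})
        fr = final.get("result", {})
        return bool(fr.get("status") and fr.get("value"))


class FakePrivacyIDEA:
    """Constructed stand-in for the server; replies follow privacyIDEA's JSON envelope."""

    def __init__(self, pin="1234", approve_after_polls=2):
        self.pin = pin
        self.approve_after_polls = approve_after_polls   # simulates the user tapping "approve"
        self.polls = 0
        self.txid = None
        self.approved = False
        self.log = []                                    # every request, for inspection

    def handle(self, method, path, params):
        self.log.append((method, path, dict(params)))
        if path == "/validate/check" and "transaction_id" in params:
            ok = params["transaction_id"] == self.txid and self.approved
            return {"result": {"status": True, "value": ok}}
        if path == "/validate/check":
            if params.get("pass") != self.pin:
                return {"result": {"status": True, "value": False},
                        "detail": {"message": "wrong otp pin"}}
            self.txid = "01234567890123456789"           # made-up transaction id
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": self.txid,
                               "multi_challenge": [{"type": "push", "serial": "PIPU00000001",
                                                    "transaction_id": self.txid}],
                               "message": "Please confirm the authentication on your mobile device!"}}
        if path == "/validate/polltransaction":
            self.polls += 1
            if params.get("transaction_id") == self.txid and self.polls >= self.approve_after_polls:
                self.approved = True
            return {"result": {"status": True, "value": self.approved}}
        return {"result": {"status": False}}


if __name__ == "__main__":
    fake = FakePrivacyIDEA(pin="1234", approve_after_polls=2)
    client = PushAuthClient("https://pi.example.test", transport=fake.handle, poll_interval=0)
    print("login ok:", client.authenticate("alice", "1234", sleep=lambda s: None))
```

Two details matter for a Windows login integration. The result of the trigger call is never the login decision: a `status: true, value: false` with a `transaction_id` only means "challenge sent", and the client must fail closed on timeout rather than fall back to password-only. And the PIN is part of the first request only; the finalizing call carries an empty `pass`, which matches the observation in this thread that the PIN is not re-entered once the push has been approved.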