Signing in

3.2 Signing in

You can sign in to MyID using the MyID Operator Client using the following methods:

Card and PIN logon (smart card, USB token, or VSC).

See section 3.2.1, Signing in using a smart card.
Security phrases (passwords).

See section 3.2.2, Signing in using security phrases.
Windows Hello.

See section 3.2.3, Signing in using Windows Hello.
FIDO.

See section 3.2.4, Signing in using FIDO.
Single-use authentication codes.

See section 3.2.5, Signing in using single-use authentication codes.
Windows authentication.

See section 3.2.6, Signing in using Windows authentication.

You can also launch the MyID Self-Service App from the screen to allow you to change your security phrases, for example, or reset your PIN; see section 3.2.8, Managing your credentials from the MyID Authentication screen.

3.2.1 Signing in using a smart card

For an operator to sign in to MyID using the MyID Operator Client with a smart card:

The operator must have been issued a card (smart card, USB token, or VSC) through MyID.
The smart card must have been issued with a credential profile that has the MyID Logon option set, and contain either a certificate selected for signing or a manager keypair to be used for logon signing operations.
The smart card must not be disabled or have expired.
The operator's MyID account must be enabled in MyID.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the Smart Card logon mechanism assigned.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.
In MyID Desktop, in Configuration > Security Settings > Logon Mechanisms tab, the Smart Card Logon option must be set to Yes.

For more information on configuring MyID for smart card logon, see the Logon using a smart card and PIN section in the Administration Guide.

3.2.2 Signing in using security phrases

For an operator to sign in to MyID using the MyID Operator Client with security phrases:

The operator must have security phrases recorded for their account using the Change Security Phrases or Change My Security Phrases workflows.

See the Setting security phrases section in the Operator's Guide.

Important: The operator must have at least as many security phrases recorded as the value set in the Number of security questions for self-service authentication configuration option.
The operator's MyID account must be enabled in MyID.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the Password logon mechanism assigned.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.
In MyID Desktop, in Configuration > Security Settings > Logon Mechanisms tab, the Password Logon option must be set to Yes.

For more information on configuring MyID for security phrase logon, see the Logon using security phrases section in the Administration Guide.

3.2.3 Signing in using Windows Hello

For an operator to sign in to MyID using the MyID Operator Client with a Windows Hello credential:

The operator must have been issued a Windows Hello credential through MyID.
The Windows Hello credential must not be disabled or have expired.
The operator's MyID account must be enabled in MyID.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the Windows Hello logon mechanism assigned.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.
In MyID Desktop, in Configuration > Security Settings > Logon Mechanisms tab, the Windows Hello Logon option must be set to Yes.

For more information on configuring MyID for Windows Hello logon, see the Setting up Windows Hello for logon section in the Windows Hello for Business guide.

3.2.4 Signing in using FIDO

For an operator to sign in to MyID using the MyID Operator Client with a FIDO authenticator:

The operator must have been issued a FIDO authenticator through MyID.
The FIDO authenticator must not be suspended.
The operator's MyID account must be enabled in MyID.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the FIDO Basic Assurance or FIDO High Assurance logon mechanism assigned. You are recommended to configure logon to MyID using FIDO High Assurance rather than FIDO Basic Assurance.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.
In MyID Desktop, in Configuration > Security Settings > Logon Mechanisms tab, the FIDO Basic Assurance Logon or FIDO High Assurance Logon option must be set to Yes.

For more information on setting up MyID for FIDO logon, see the Configuring MyID for FIDO logon section in the FIDO Authenticator Integration Guide.

3.2.5 Signing in using single-use authentication codes

For an operator to sign in to MyID using the MyID Operator Client with an authentication code:

The operator's MyID account must be enabled in MyID.
To receive an email message or SMS containing the authentication code, the operator must have an email address or cell phone number recorded, and MyID must be configured to send email or SMS notifications.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the Authentication Code logon mechanism assigned.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.

For more information on setting up MyID for authentication code logon, see the Configuring authentication codes for the MyID authentication server section in the Administration Guide.

3.2.6 Signing in using Windows authentication

For an operator to sign in to MyID using their Windows credentials:

The operator's MyID account must be enabled in MyID.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have the Windows Logon mechanism assigned.
In MyID Desktop, in Configuration > Edit Roles, the operator's role must have access to one or more features in the MyID Operator Client.

See section 3.4, Roles and groups for details of which roles in MyID Desktop map to features in the MyID Operator Client.
In MyID Desktop, in Configuration > Security Settings > Logon Mechanisms tab, the Integrated Windows Logon option must be set to Yes.
The operator's browser must be configured to pass on their Windows credentials; see section 3.2.6.1, Configuring browsers for Windows authentication.
The fields SAMAccountName and Domain must be stored in MyID when using Integrated Windows Logon. The Domain must contain the NetBIOS domain name and not the DNS format.
The user must not be a member of the Protected Users group in Active Directory; see the Protected Users group in Active Directory section in the Administration Guide.

3.2.6.1 Configuring browsers for Windows authentication

By default, browsers do not pass your Windows authentication details to websites. You must configure your browser to allow it to send this information to the MyID website, or the browser will display a pop-up prompting for your Windows username and password.

You may want to configure the browsers for your organization using Group Policy.

To configure your browser for Windows authentication:

For Chrome:

Set the AuthServerAllowlist key in the Windows registry to include the location of the MyID web server:
Copy
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthServerWhitelist"="myserver.domain.com"
```
If the setting does not already exist, you can add it. If the setting already exists, add the MyID web server to the list. You can include several server names by separating them with commas, and can include * as a wildcard. For example:

"AuthServerWhitelist"="*.domain.com,myserver2.domain2.com"

Note: You must restart the PC after making the registry change to ensure that Chrome picks up the latest settings.

Alternatively, you can specify the MyID web server on the command line; for example:

chrome.exe --auth-server-whitelist="myserver.domain.com"
For Firefox:
1. In the Firefox browser address bar, type:
  
  about:config
2. Click Show All.
3. Set the following options:
  - network.automatic-ntlm-auth.trusted-uris – type the server name of the MyID web server. You can include several server names by separating them with commas.
  - network.automatic-ntlm-auth.allow-proxies – set to TRUE.
  - network.negotiate-auth.allow-proxies – set to TRUE.
For Edge:
1. In Internet Options, on the Security tab, add the MyID web server to the Local Intranet list.
2. Ensure the following options are set:
  - Security tab:
    
    Local Intranet > Custom Level > User Authentication > Logon > Automatic logon only in Intranet zone
  - Advanced tab:
    
    Security > Enable Integrated Windows Authentication

3.2.7 Signing in to MyID

To sign in to MyID:

From the MyID Operator Client landing page, click Sign In.

If more than one logon mechanism is configured for your system, you are prompted to select which one to use.
To log on with security questions:
1. Select the Security Questions logon mechanism.
2. Type your Username:
3. Click Next.
4. Type the responses to your security questions:
  
  The number of security questions you must answer depends on the Number of security questions for self-service authentication configuration option. If you have more security phrases recorded than are required (for example, if you have four security phrases recorded, and you need two to log on) MyID prompts you for a random selection of questions.
5. Click Sign In.
  
  The MyID Operator Client dashboard appears.
To log on with a smart card or VSC:
1. Select the Smart Card logon mechanism.
2. The Select Security Device dialog appears, listing all of the smart cards (including Virtual Smart Cards) currently attached to your PC.
  
  If there is a Device Friendly Name specified in the credential profile that was used to issue the device, this is displayed next to the smart card.
  
  Note: You can set the Show Full Name at Logon and Show Photo at Logon options (on the Logon page of the Security Settings workflow) to configure this screen to display the associated user image and full name of the cardholder.
  
  Note: If you enable this feature, it is possible to obtain user photos and cardholder names without authentication.
3. Select the smart card you want to use to log on.
  
  You can log in with a physical smart card inserted into a card reader on your PC, or with a virtual smart card (VSC) installed on your PC.
  
  You must now authenticate to your security device.
4. Type your PIN, then click Login.
  
  The MyID Operator Client dashboard appears.
To log in with an authentication code:
1. Select the Authentication Code logon mechanism.
  
  The Authentication Code Login screen appears:
2. Type your Username or email address.
3. Select the option for obtaining your authentication code:
  - I already have a code – select this option if you have already been provided with an authentication code.
  - Send by email – select this option if you want to receive your code in an email message to the email address stored in your person record in MyID. This option is available only if the Self Requested Authentication Code Email email template is enabled.
  - Send by SMS – select this option if you want to receive your code in an SMS message to the cell phone number stored in your person record in MyID. This option is available only if the Self Requested Authentication Code SMS email template is enabled.
  If neither the email nor SMS options appear, you can still use an authentication code to log on if an operator requests one on your behalf.
  
  Note: The complexity of the code is determined by the Complexity option configured in the email template. See the Changing email messages section in the Administration Guide for details.
4. Click Next.
  
  The authentication code entry screen appears:
5. Type your Authentication Code, and click Sign In.
  
  The MyID Operator Client dashboard appears.
To log in with your Windows credentials:
1. Select the Windows Authentication logon mechanism.
  
  Note: This logon mechanism supports single-click login. If the only logon mechanism available is Windows authentication, when you click Sign In on the landing page, the MyID Operator Client completes the sign-in process without further interaction.
2. MyID checks your Windows authentication.
  
  Note: If a popup appears asking for your Windows username and password, you may not have configured your browser correctly. See section 3.2.6.1, Configuring browsers for Windows authentication.
  
  The MyID Operator Client dashboard appears.

3.2.8 Managing your credentials from the MyID Authentication screen

To carry out self-service operations on your credentials (for example, changing your security phrases, or resetting your device PIN) before signing in to the MyID Operator Client, click the Manage My Credentials option on the MyID Authentication screen.

Note: The Allow Self-Service at Logon configuration option (on the Logon tab of the Security Settings workflow) must be set for this option to appear.

You must have the MyID Self-Service App installed, and the MyID Client Service app installed and running, to use this feature.

Depending on your browser settings, you may need to confirm that you want to allow the browser to open the Self-Service App; for example:

The MyID Self-Service App starts. For more information, see the Self-Service App guide.

3.2.9 Timeouts and re-authentication

When you authenticate to the MyID Operator Client, for example by using your smart card, or by typing your username and security questions, you are granted access for one hour (3600 seconds). However, if you continue working with the MyID Operator Client, this access can be extended every time you make a call to the server; for example, by opening a new screen, saving data, or running a report. You can extend your authentication period at any point up to two hours (7200 seconds) after last using the MyID Operator Client.

However, if you attempt to use the MyID Operator Client more than two hours after last using it, you must re-authenticate to be able to continue. The MyID Authentication dialog appears, and you must provide your authentication details; once you have done so, you can carry on working with the MyID Operator Client.

Important: You must authenticate with the same user and the same logon method. If you authenticate with a different user or logon method, the operation is canceled, and you are returned to the main screen.

Extended authentication is available only for sessions in the same tab or window for security reasons; if you open another tab or window, when the initial access period (one hour) expires, you must re-authenticate, after which you can continue to extend the authentication in that tab or window as before.

If you sign out, or close the browser window, you must re-authenticate when you want to continue using the MyID Operator Client.

There is a limit of 6 days (518400 seconds) beyond which you cannot continue to extend the authenticated session. If you reach this limit (for example, with an automated system), you must re-authenticate before you can continue working with the MyID Operator Client.

If you want to change the default access period, extension period, or limit, you can edit the application settings file for the web.oauth2 web service; see section 17.4.14, Configuring re-authentication timeout periods.

If you want to disable this feature, you can edit the MyID Operator Client settings file; see section 17.4.15, Enabling or disabling re-authentication.