Moving from PC to PC in a Non-Roaming Environment
FIS Authenticator is a stand-alone application without any server functionality to support the creation or maintenance of a user's accounts. This isolation is one step FIS Authenticator takes toward keeping users' accounts secure. A caveat to this architecture is that FIS Authenticator stores the MFA details locally within the Windows profile of the user. It is our assumption that the Windows profile is a secured environment protected by a password and, if networked, supports roaming of the Windows profile. Together, these features of Windows allow FIS Authenticator to sync the profile data wherever the user authenticates. This article discusses methods that can be employed to minimize the friction users will experience when roaming is not enabled.
Benefits of Roaming
FIS Authenticator makes use of Windows user security to secure the data it creates, and it stores that data in the user's roaming folder. The data is synced to the server environment so that it follows the user wherever they log into the environment served by their infrastructure. It's a seamless experience, and the one we intended as the best user experience for FIS Authenticator.
Working in Non-Roaming Environments
There are situations where roaming will not be available to end users. The following describes cases where users do not have a dedicated workstation for FIS Authenticator and are expected to float between workstations. Users in these environments will likely encounter FIS Authenticator on a workstation they have not used before, which will require setup. The friction of having to set up FIS Authenticator on each machine will only be experienced when they use a workstation new to them. Over time, the frequency of using a workstation that has not been set up will subside.
The following are some suggestions on how users can work around the lack of roaming to quickly set up their accounts on their workstations.
- Workstations with Cameras
- Protected Network Share
- Access to Email
Workstations with Cameras
Users with a workstation that has a camera will have the ability to optically scan a QR code. Users can keep a printed copy of their QR code in a discreet location, and scan it when they have to create a new account.
Protected Network Share
A user authenticated on a machine could have a protected network share that only they have access to. The user can store an image file of their QR code on the share. The user can set up FIS Authenticator by uploading the QR code from the network share to complete their setup.
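One way to confirm that only the user has access to the stored QR code image, as an added example that is not part of FIS Authenticator or the original article. The function name and the share path are hypothetical.

```powershell
# Added example: list every principal other than the current user that is
# allowed to access the QR code image. The path below is a placeholder.
function Get-UnexpectedQrAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SIDs permitted to hold access; defaults to the current user only.
        [string[]] $AllowedSids = @(
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        )
    )

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }

        # Compare by SID so renamed or localized group names still match.
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # unresolvable identity
        }

        if ($AllowedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $rule.IdentityReference.Value
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Placeholder path (assumption): replace with the image on your own share.
$qrFile = '\\fileserver\users$\jdoe\mfa\authenticator-qr.png'
$extra  = @(Get-UnexpectedQrAccess -Path $qrFile)

if ($extra.Count -eq 0) {
    Write-Output "Only the current user is granted access to $qrFile"
} else {
    Write-Output "Other principals with access to ${qrFile}:"
    $extra | Format-Table -AutoSize
}
```

This reads the NTFS permissions on the file only; share-level permissions are set on the server and are not covered by this check. Entries such as SYSTEM or Administrators commonly appear and can be passed through `-AllowedSids` if they are acceptable in your environment.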
Access to Email
A user can store their MFA details in a pinned email with either their secret key in plain text, or an attachment with the QR code image. The user could refer to that email whenever they encounter a new workstation they have not used before and need to set up FIS Authenticator.