1. Windows Login
No. GoTrust ID computer login works in connection with a dedicated authentication server, which is installed in the enterprise's on-premises or cloud environment and managed by the enterprise. If your company has an Azure AD environment, you can use Idem Key plug-and-play on Azure AD-managed Windows devices without building an authentication server.
GoTrust ID computer login supports Windows and macOS, not Linux.
GoTrust ID supports Windows Azure AD, Active Directory (AD), or hybrid environments.
Yes, your phone will communicate via BLE automatically if the PC is offline. Besides the phone, the Idem Key security key is the recommended login method if internet connectivity is limited.
Users can log in with an Idem Key in various scenarios, or ask corporate administrators for a designated security code to complete the login. Don't worry: the security code from the administrator also supports offline login.
Yes, both the phone and the Idem Key can be used for online and offline login. The GoTrust ID phone app connects over the internet or BLE, and we manufacture our own USB security key, Idem Key, to provide a consistent user experience.
Yes, GoTrust ID supports Windows 10 version 1809 and above and Windows 11.
Yes, GoTrust ID supports Windows Server 2016 and 2019. In a Windows Server environment, the GoTrust ID phone authenticator does not support BLE communication; it must be connected over the internet.
Microsoft ended support for Windows Vista on April 11, 2017, ended support for Windows XP on April 8, 2014, and ended support for Windows 7 and Windows Server 2008 on January 14, 2020. Upgrading to a supported version of Windows is necessary for security reasons.
The GoTrust ID mobile application supports iOS 10 and above and Android 6 and above.
GoTrust ID provides a password-free login experience for the local desktop and Windows Remote Desktop Connection.
GoTrust ID restricts each device to one domain user login and does not support the following login types:
- Shift + right-click “Run as administrator”
- Shift + right-click “Run as different user”
- PowerShell cmdlets
Network Level Authentication (NLA) for Remote Desktop Connection is a recommended security feature in Windows. We encourage users to enable NLA when using RDP for higher security. When NLA is enabled, the RDP client first prompts for primary authentication (the password); the remote PC's login screen appears after the primary authentication is verified, and the user can then log in to the remote PC with GoTrust ID phone authentication.
More information about NLA and RDP can be found at the Microsoft site.
Yes. GoTrust ID supports Windows Remote Desktop Connection login.
No. Only Idem Key can be used for GoTrust ID Computer Login.
GoTrust ID Computer Login works with the Windows credential provider but cannot be used together with other third-party credential providers.
For a better user experience, you can open the GoTrust ID mobile app before initiating computer login. Keeping the GoTrust ID mobile app open lets the phone and computer build a BLE connection automatically if the network is temporarily unavailable. If the network connection is good, the user receives a login authentication request as a notification on the phone without opening the app.
- In-App Security Code: the user can find this code in the mobile app.
- Security Code generated from AdminPortal: ask corporate IT for this Security Code.
- SMS Security Code: the user can receive a Security Code by SMS once the company has enabled the SMS service and the user's phone number has been registered in AdminPortal.
- Email Security Code: the user can receive a Security Code by email once the company has enabled the email service and the user's email address has been registered in AdminPortal.
For security reasons, a maximum of three (3) SMS messages can be sent within 24 hours.
To improve fingerprint recognition on the phone, try removing and then re-registering your fingerprint. Also, if biometrics fail during authentication, the app will ask for the passcode to proceed with the authentication.
Please allow GoTrust ID to use Touch ID/Face ID, Bluetooth, Camera, etc. when installing the GoTrust ID mobile app on your phone, or go to Settings -> GoTrust ID to enable these permissions.
Yes, you can use the same Idem Key to perform secure login on Windows device or cloud FIDO-enabled services.
We suggest that each Idem Key is registered under one account only and kept by one person as his or her own private login key. Each Idem Key is protected by a PIN set by the key owner. If you keep this PIN confidential, your device remains safe even if the key is lost. If you lose the key, report it to your corporate admin immediately so that your Idem Key authenticator can be deleted from AdminPortal.
After GoTrust ID enrollment, you can only use the GoTrust ID phone authenticator or the GoTrust Idem Key to log in to Windows. If you want to keep the Windows Hello PIN or Windows Hello Biometrics login options, configure this in AdminPortal. Please note that password is not a login option in version 3.1.4 or later of the Windows application.
Yes, an update-password dialog box appears on the PC when the password expires. Enter the new password in the dialog box to update the password on the domain controller; the old password is filled in automatically and hidden behind asterisks (******) for security.
The credential provider is not triggered during a Safe Mode login. To limit the effect of a physical attack, you can block non-administrators from logging in while Windows is running in Safe Mode.
For example, set the registry DWORD value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdmins to 1 so that only administrators can log in in Safe Mode.
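The following PowerShell is an added example, not GoTrust's own code: it audits the registry value named above and sets it only when it is missing or not 1, then re-reads it so the caller sees the effective state. It assumes an elevated session, since the value lives under HKLM.

```powershell
# Added example (not GoTrust's code): audit and enforce SafeModeBlockNonAdmins so that
# only administrators can log on while Windows runs in Safe Mode.
$Key  = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$Name = "SafeModeBlockNonAdmins"

function Get-SafeModeBlockState {
    # $true only when the value exists and equals 1; a missing value means not blocked.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Enable-SafeModeBlockNonAdmins {
    # Requires an elevated session (write access to HKLM).
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    # Re-read instead of trusting the write, so the result reflects the registry.
    return Get-SafeModeBlockState
}

if (Get-SafeModeBlockState) {
    "SafeModeBlockNonAdmins is already enforced"
} else {
    "SafeModeBlockNonAdmins enforced: $(Enable-SafeModeBlockNonAdmins)"
}
```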
2. Install and Uninstall for Windows
Yes, Group Policy configuration settings can be applied to the GoTrust ID desktop application installation. To create and apply the GoTrust ID desktop application Group Policy Object (GPO):
a. Go to “Active Directory Users and Computers” and create a new “Organizational Unit” under the proper domain.
b. Right-click the folder where the GoTrust ID Business .msi installer is located and click “Properties”, then click the “Sharing” tab to make sure the created Organizational Unit has been added. Click “Advanced Sharing” to grant that Organizational Unit “Read (& execute)” permission.
Right-click the GoTrust ID Business .msi installer and click “Properties”, then click the “Security” tab and find the Organizational Unit to confirm the “Read (& execute)” permission.
c. Go to “Group Policy Management”, right-click the desired Organizational Unit, and click “Create a GPO in this domain, and Link it here”. Right-click the created GPO and click “Edit”.
d. Enable the following settings and add an environment variable for your authentication server:
Navigate to “Computer Configuration\Policies\Administrative Templates\System\Logon” and enable “Always wait for the network at computer startup”.
Navigate to “Computer Configuration\Policies\Administrative Templates\System\Group Policy”, enable “Configure software installation policy processing”, and ensure all of its options are checked.
Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer” and enable “Always install with elevated privileges”.
Navigate to “Computer Configuration\Preferences\Windows Settings\Environment”, right-click and choose “New – Environment Variable” to create a base server URL system variable.
e. Navigate to “Computer Configuration\Policies\Software Settings”, right-click “Software installation”, and click “Package” under “New”.
f. Find the GoTrust ID Business .msi installer by its UNC path, e.g. \\server-name\software\GoTrustIDBusiness.msi, click “Open”, select the deployment method “Assigned”, and click “OK”.
g. Navigate to the desired Organizational Unit\SoftwareInstall, click “Add” under Security Filtering, and choose the desired Organizational Unit. Right-click “SoftwareInstall” and enable “Enforced”.
h. Navigate to the Organizational Unit and add the target computers to it. The target client computers need a reboot to apply the new GPO settings and install the GoTrust ID desktop application.
i. The GoTrust ID desktop application will be shown in the recently added list after rebooting.
Learn more about installing software using Group Policy from Microsoft Support.
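As an added example (not GoTrust's own script), the PowerShell below scripts the GPO parts of the procedure above with the ActiveDirectory and GroupPolicy modules on a domain controller or RSAT host: the OU, the GPO with its enforced link and security filtering, and the three administrative-template settings by their registry-backed policy values. The domain, OU and filtering group names are placeholders, the two value names behind the software-installation processing policy are assumed and should be checked in the GPMC, and the .msi package (step f) and the environment-variable preference (step d) have no cmdlet, so they are still added in the console.

```powershell
# Added example (not GoTrust's script): builds the GPO scaffold for steps a, c, d and g.
# Placeholders: domain, OU and rollout group are assumptions, not GoTrust values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn = "DC=example,DC=local"            # placeholder domain
$OuName   = "GoTrustClients"                 # placeholder OU (step a)
$OuDn     = "OU=$OuName,$DomainDn"
$GpoName  = "SoftwareInstall"                # GPO name used in step g
$Filter   = "GoTrust-Rollout-Computers"      # placeholder group for security filtering

# a. Create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# c/g. Create the GPO, link it to the OU and enforce the link.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
New-GPLink -Name $GpoName -Target $OuDn -Enforced Yes -ErrorAction SilentlyContinue | Out-Null

# g. Security filtering: only members of the rollout group apply this GPO.
Set-GPPermission -Name $GpoName -TargetName $Filter -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# d. "Always wait for the network at computer startup and logon".
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 `
    -Key "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" `
    -ValueName "SyncForegroundPolicy" | Out-Null

# d. "Configure software installation policy processing": the key is the Software
# Installation client-side extension; the value names are assumed, verify them in GPMC.
$cse = "HKLM\Software\Policies\Microsoft\Windows\Group Policy\{C6DC5466-785A-11D2-84D0-00C04FB169F7}"
Set-GPRegistryValue -Name $GpoName -Key $cse -Type DWord -ValueName "NoSlowLink" -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $cse -Type DWord -ValueName "NoGPOListChanges" -Value 0 | Out-Null

# d. "Always install with elevated privileges". Caveat: together with the matching
# user-side policy this lets any MSI a standard user launches install as SYSTEM, so keep
# the GPO scoped to the rollout group and disable the setting once the rollout is done.
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 `
    -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" `
    -ValueName "AlwaysInstallElevated" | Out-Null

# Review what the GPO carries before adding the package and the variable in GPMC.
Get-GPRegistryValue -Name $GpoName -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" |
    Select-Object ValueName, Value
```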
a. Navigate to “Computer Configuration\Policies\Software Settings\Software installation”, right-click the target software, click “Remove” under “All Tasks”, and press “OK”.
b. The target client computers need a reboot to apply the uninstallation.
Yes, a company can use its own software deployment utilities to deploy the GoTrust ID desktop application.
Please make sure you have passed biometric verification on the phone right after scanning the QR code. The PC screen will show “Register Successfully” once the biometric authentication on the phone has been verified and the phone has completed registration with the authentication server.
If the problem still exists, please check the connection between the phone and the authentication server.
Please enter your Windows device login password.
Normally, one user license account can register a maximum of 5 computers.
You can enroll multiple phone authenticators to log in to your Windows device.
4. Server Configuration
The GoTrust ID authentication server can run in an on-premises or cloud environment.
Yes, the GoTrust ID authentication server supports a High Availability (HA) deployment to ensure a guaranteed level of operational performance.
The GoTrust ID authentication server can run on a Windows server or a Linux server.
Accurate and reliable time is highly important for the server, PC and phone: a time discrepancy between them will result in login errors. Please use the Network Time Protocol (NTP) or another practical method to set the correct time on the authentication server.