What users see for Authenticate

After Authenticate is configured in UEM, Windows and macOS desktops receive a notification prompting the user to authenticate and register Authenticate.

Silent registration is enabled by default for Authenticate.

The following sections describe the user experience with Authenticate:

Workflow on Windows desktop

Workflow for Silent Registration

Workflow for QR Code

Workflow for QR Code and password

Registration Status

Lock pass initiated on a Windows lock screen

Workflow on macOS desktop

Silent Registration

Workflow on macOS in light mode

Registration Status

FIDO Key Rotation Details and Required Actions

Key Generation

During registration, two asymmetric key pairs are generated:

  • Desktop Signing Key (DSK) – used to perform FIDO authentication

  • Desktop Encryption Key (DEK) – used to encrypt any data that needs to be sent to the Desktop Trust Agent.

These keys are governed by:

  • Rotation Period for FIDO Key (default: 180 days)

    Increasing the rotation period does not apply retroactively to an already-registered agent. The new value takes effect only when the user updates the keys during the grace period or when the agent is re-registered.

  • Grace period to rotate the FIDO Key before expiry (e.g., 7 or 15 days)

    Increasing the grace period makes the pre-expiry notification appear earlier than before.
    Example: with a 15-day grace period and a 180-day rotation period, the warning starts on Day 165.

    A longer grace period has no negative impact on functionality; the keys remain valid until the end of the rotation period.

Both settings are managed under Zero Sign-On settings in the Access console.

User Access – Normal Flow

  1. Select Sign in using Ivanti Zero Sign-On Authenticate option.

  2. Authentication succeeds if keys are valid.

Pre-Expiry Notification Flow

Within the configured grace period before key expiry (for example, Day 179 of a 180-day rotation), a popup notification informs the user that the keys are about to expire.

Users cannot check the key expiry status ahead of time; the notification appears only during the configured grace period.

Two options are presented:

  1. Update Now: Triggers regeneration of the keys through the Ivanti FIDO Authenticator.

    1. Click Open Ivanti Zero Sign-On Authenticate.

    2. Registration is updated automatically.

  2. Later: Dismisses the warning. You can continue to log in as long as the keys are still within their validity period.

Post-Expiry Behavior

Once the rotation period ends without the keys having been updated during the grace period, the keys become invalid.

  1. Selecting ZSO Authenticate shows an "expired" screen.

  2. ZSO authentication is blocked. The user has the following alternatives:

    1. Choose another login method (if enabled by admin):

      • Sign in using QR Code

      • Sign in using Password

      • Sign in using Security key or Biometric

    2. Re-register the ZSO Authenticate Agent:

      • Relaunch the Desktop Trust Agent.

      • Follow the registration flow again.

        The device does not need to be re-enrolled; only the ZSO Authenticate Agent is re-registered.
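The key lifecycle described under Key Generation, Pre-Expiry Notification Flow and Post-Expiry Behavior, modelled as an added Python example. This is not Ivanti's code and does not reflect the agent's internals; the names ZsoSettings, RegisteredKeys, register and lifecycle_demo are invented for illustration, and the registration date is constructed. Two points the page leaves implicit are treated as assumptions and marked as such in comments: keys are considered invalid from the start of the expiry day, and the grace window is read from the current console value while the rotation period is snapshotted at registration (which is what makes a rotation-period increase non-retroactive).

```python
"""Lifecycle model for the ZSO Authenticate FIDO keys: valid -> grace -> expired."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class KeyState(Enum):
    VALID = "valid"      # normal sign-in, no warning
    GRACE = "grace"      # still valid; pre-expiry popup offers Update Now / Later
    EXPIRED = "expired"  # ZSO Authenticate blocked; use another method or re-register


@dataclass(frozen=True)
class ZsoSettings:
    """Admin values from the Zero Sign-On settings in the Access console (hypothetical names)."""
    rotation_days: int = 180
    grace_days: int = 7

    def __post_init__(self):
        # A grace window at least as long as the rotation period would warn from day 0.
        if self.rotation_days <= 0 or not 0 <= self.grace_days < self.rotation_days:
            raise ValueError("grace period must be non-negative and shorter than rotation")


@dataclass(frozen=True)
class RegisteredKeys:
    """One desktop's DSK/DEK registration. The rotation period is snapshotted here,
    which is why a later console change does not move an existing expiry date."""
    registered_on: date
    rotation_days: int

    @property
    def expires_on(self) -> date:
        # Assumption: keys are invalid from the start of the expiry day onward.
        return self.registered_on + timedelta(days=self.rotation_days)

    def notify_from(self, settings: ZsoSettings) -> date:
        # Assumption: the grace window is read from the current console value, so
        # raising it makes the warning appear earlier on already-registered agents.
        return self.expires_on - timedelta(days=settings.grace_days)

    def state_on(self, today: date, settings: ZsoSettings) -> KeyState:
        if today >= self.expires_on:
            return KeyState.EXPIRED
        if today >= self.notify_from(settings):
            return KeyState.GRACE
        return KeyState.VALID

    def update_now(self, today: date, settings: ZsoSettings) -> "RegisteredKeys":
        """'Update Now' in the pre-expiry popup; only offered during the grace window."""
        if self.state_on(today, settings) is not KeyState.GRACE:
            raise RuntimeError("Update Now is only available during the grace period")
        return register(today, settings)

    def re_register(self, today: date, settings: ZsoSettings) -> "RegisteredKeys":
        """Re-register the agent (the device stays enrolled); possible in any state."""
        return register(today, settings)


def register(today: date, settings: ZsoSettings) -> RegisteredKeys:
    """(Re-)registration snapshots the rotation period in force today."""
    return RegisteredKeys(registered_on=today, rotation_days=settings.rotation_days)


def lifecycle_demo() -> dict:
    """Walk the page's numbers: 180-day rotation, 7- or 15-day grace, later bump to 365."""
    day0 = date(2025, 1, 1)                      # constructed registration date
    day = lambda n: day0 + timedelta(days=n)
    settings = ZsoSettings(rotation_days=180, grace_days=15)
    keys = register(day0, settings)

    states = {n: keys.state_on(day(n), settings).value for n in (100, 164, 165, 179, 180)}

    # Raising the grace period from 7 to 15 days moves the first warning from day 173 to 165.
    notify_7 = (keys.notify_from(ZsoSettings(180, 7)) - day0).days
    notify_15 = (keys.notify_from(settings) - day0).days

    # Admin raises the rotation period to 365 days: the existing registration still
    # expires on day 180; the new period applies only once the user clicks Update Now.
    longer = ZsoSettings(rotation_days=365, grace_days=15)
    expiry_unchanged = keys.expires_on == day(180)
    refreshed = keys.update_now(day(170), longer)
    new_expiry_day = (refreshed.expires_on - day0).days   # 170 + 365

    # After expiry, Update Now is gone; the only ZSO path back is agent re-registration.
    try:
        keys.update_now(day(181), settings)
        late_update = "allowed"
    except RuntimeError:
        late_update = "refused"
    reregistered_expiry_day = (keys.re_register(day(181), longer).expires_on - day0).days

    return {"states": states, "notify_day_7": notify_7, "notify_day_15": notify_15,
            "expiry_unchanged": expiry_unchanged, "new_expiry_day": new_expiry_day,
            "late_update": late_update, "reregistered_expiry_day": reregistered_expiry_day}


if __name__ == "__main__":
    for name, value in lifecycle_demo().items():
        print(f"{name}: {value}")
```

Run the file directly to print the walk-through. The snapshot of rotation_days on RegisteredKeys is the single design choice that reproduces the page's non-retroactive rule: a console change alone never moves an expiry date, and only Update Now or re-registration picks up the new value.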