multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

Microsoft User Accounts and Local User Accounts #71

Closed snEEkyPete8909 closed 1 year ago

snEEkyPete8909 commented 1 year ago

My question is regarding Local Only Authentication in a Windows 10 environment.

I'm curious how CredentialProvider handles windows local accounts when they are associated with a Microsoft account.

Recently I installed the CredentialProvider for Local Only Authentication and created a user for a Microsoft Account example@outlook.com using multiotp -fastcreate example@outlook.com. I was able to verify the OTP was successful by running multiotp -display-log -log example@outlook.com 123456 and saw that the user logged in successfully with the OTP. Thinking I was done, I rebooted my machine and shortly found that the last user was forced at login as I hadn't clicked that checkbox on setup, and instead of that last user displaying my Microsoft Account it displayed my account's first name.

Realizing that Windows seemed to be passing the 'local' account name, which was just the first name, or first name last initial, of the user after Microsoft account creation, the jig was up. It seems that user was forced to that account's associated 'local' user. While Windows associates that local username on the back end with the Microsoft Account, multiotp didn't seem to make that association between the "local" username and the Microsoft account. Thankfully I was able to recover from this by using RDP to get to the device and using the Microsoft Account, which was the same user I had created in MultiOTP, to login.

So in this case, is it necessary to create two users - one for the Microsoft Account and the other for the 'local' account, or how are these supposed to be associated on the back end of things, especially if the last user is forced at login? I think I created other accounts on my machine (Windows 10) using the Microsoft account as default, and those users show up as their Firstname in Local Users & Groups, not as users@outlook.com.

Perhaps MultiOTP already sees the local user associated with its accompanying Microsoft login and I have a major user error here, but I just wanted to pass this along just in case. My guess is that you wouldn't really see this often as I imagine most users aren't using only the Credential Provider and they're probably authenticating against a domain.
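The lockout described in this issue comes from a name mismatch: the OTP user was enrolled under the Microsoft account e-mail, but the logon tile submits the local SAM account name that Windows created for that account. The following PowerShell check is an added example, not code from the issue or from the multiOTP project. It lists the local accounts that are linked to a Microsoft account, shows the local name Windows will actually present at logon, and flags which of those names are missing from a list of usernames enrolled in multiOTP. The `$EnrolledInMultiOtp` list is a constructed stand-in for the names you enrolled with `multiotp -fastcreate <name>`; `Get-LocalUser` and its `PrincipalSource` property come from the built-in Microsoft.PowerShell.LocalAccounts module on Windows 10.

```powershell
# Added example (not part of the issue or the multiOTP project).
# Goal: before enabling local-only OTP logon, find every local account that is
# linked to a Microsoft account and confirm its *local* name is enrolled in multiOTP.

function Test-MultiOtpLocalEnrollment {
    param(
        # Constructed sample input: usernames enrolled via "multiotp -fastcreate <name>".
        # Replace with the real list of enrolled users on your machine.
        [string[]] $EnrolledInMultiOtp = @('example@outlook.com')
    )

    # PrincipalSource is 'MicrosoftAccount' for local accounts that Windows created
    # when a Microsoft account was added; 'Local' for classic local accounts.
    $linked = Get-LocalUser | Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' }

    foreach ($u in $linked) {
        # $u.Name is the SAM account name, i.e. the name the logon tile submits
        # (typically the first name or first name + last initial, as seen in the issue).
        $localName = $u.Name
        [pscustomobject]@{
            LocalName        = $localName
            SID              = $u.SID.Value
            Enabled          = $u.Enabled
            EnrolledInMultiOtp = ($EnrolledInMultiOtp -contains $localName)
        }
    }
}

# Name of the account running this session, in DOMAIN\user or COMPUTER\user form,
# so you can see which local name Windows uses for the current login.
$currentLogon = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Current logon name: $currentLogon"

# Any row with EnrolledInMultiOtp = False is an account that would be locked out of
# an interactive logon under local-only OTP authentication.
Test-MultiOtpLocalEnrollment | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the workstation before rebooting with "force last user" enabled; any linked account whose `LocalName` is not enrolled is one you would otherwise have to recover via RDP, as happened in the report above. The check only reads account metadata and does not modify any account or multiOTP state.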

multiOTP commented 1 year ago

You're right. If you are using a Microsoft account we suppose that you use the complete Microsoft solution, including 2FA solution. If you want to mix Microsoft account and local 2FA authentication, you will have to create a local account so far. Regards,