Using DigitalPersona Kiosk

DigitalPersona Kiosk provides users with fast, convenient and secure multi-factor identification and authentication in environments where users share a common Windows account yet need separately controlled access to resources, applications and data.

DigitalPersona Kiosk provides the following features:

  • Single Sign-On to enterprise applications - Simplifies user logon to enterprise applications, including traditional Windows applications, web applications and Terminals.

    No changes to those applications are required and setup takes only a few minutes per application.

  • Multi-factor authentication - Further enhances convenience and security by providing administrators with a choice of credentials (such as fingerprints, PKI smart cards, contactless cards or Windows passwords) that can be required in any combination to authenticate users logging on to the PC, to enterprise applications, or for fast user switching between users on the same workstation.

  • Ability to roam and share user credentials across computers - If your environment requires users to gain access to multiple workstations or kiosks, they do not need to re-enroll their credentials at each computer.

    DigitalPersona Kiosk can automatically make users' authentication credentials and other data, such as managed logons to enterprise applications, available at each computer within the domain.

  • Attended or unattended credential enrollment - By default, DigitalPersona Kiosk is configured for centralized enrollment through one or more supervised computers using the DigitalPersona Attended Enrollment component, an optional component of DigitalPersona LDS Workstation.

Comparing DigitalPersona Workstation and Kiosk

Most of the basic functionality is common to both DigitalPersona Workstation and DigitalPersona Kiosk. Additional details on user tasks are provided in the DigitalPersona Kiosk Help file.

In the following topics, the term “kiosk” refers to one or more Kiosk Workstations which are tied to a shared Kiosk account.

Both DigitalPersona Kiosk and DigitalPersona Workstation include the following features:

  • Multi-factor and alternative authentication credentials

  • Password Manager - DigitalPersona Kiosk supports managed logons only.

    • Personal logons created by an individual user in DigitalPersona Workstation are not supported and will not appear on a DigitalPersona Kiosk installation.

    • Managed logons provide similar functionality but are created by an administrator using the Password Manager Admin Tool.

  • By default, both DigitalPersona Workstation and DigitalPersona Kiosk provide centralized enrollment through one or more supervised computers using DigitalPersona Attended Enrollment, an optional component of DigitalPersona LDS Workstation.

  • If enabled, DigitalPersona Kiosk users can enroll their credentials in the same manner as in DigitalPersona Workstation (that is, through the User Console). However, the following credentials are not supported in the Kiosk product:

    • Recovery Questions

    • Bluetooth

    Even if a user has enrolled these credentials in DigitalPersona Workstation, they cannot be used in DigitalPersona Kiosk.

  • Both clients require DigitalPersona LDS Server Version 1.1 or above.

DigitalPersona Kiosk differs from Workstation in the following ways:

  • A specified Shared Account is always used for Windows logon that is independent of the user account being authenticated. This affects account profile and user preferences.

  • By default, all DigitalPersona users are granted Kiosk access. However, to log on to DigitalPersona Kiosk, each user must first be created through Attended Enrollment or through Self Enrollment on a DigitalPersona Workstation.

  • Any authorized DigitalPersona Kiosk user can unlock a Kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing log off and log on.

  • The name of the last user is not shown in Logon or Unlock dialogs regardless of security settings.

  • A Kiosk user can enroll their own credentials without logging on to their own Windows account, regardless of which user account is currently logged on to the kiosk. The administrator must have granted the user permission to enroll and delete their fingerprints.

  • DigitalPersona Kiosk does not allow use of the Recovery Questions or Bluetooth credentials for accessing the Kiosk account.

  • A Face credential may be used for authentication on a Kiosk computer, but cannot be used for identification or when logging onto the Kiosk with the Shared Account credentials.

Logging On to Windows

DigitalPersona Kiosk allows users to log on to Windows with any enrolled DigitalPersona credential, such as their DigitalPersona password, their fingerprint or various types of access cards.

All kiosk users share the same Windows session. If the computer becomes locked, any authorized kiosk user will be able to unlock it, view the desktop, and run programs; locking therefore does not isolate one kiosk user's work from the next. Users may also be given the option to bypass the kiosk session and log on to their own Windows account instead of the Shared Account, although this is recommended for administrators only.

Computers where DigitalPersona Kiosk is installed display an additional Kiosk User tile on the Logon Screen.

The user name for the Windows shared account that DigitalPersona Kiosk uses cannot be used to log on to a kiosk session.

All Kiosk users must use their own DigitalPersona credential to log on.

Logging On to Windows without Kiosk

To log on to a computer without using a kiosk session, select Other User and enter your Windows user name and password.

When logging on to a computer outside of a kiosk session, the designated Shared Account for the Kiosk is not used and therefore DigitalPersona Kiosk features are not available. Specifically, access to the DigitalPersona Console and the use of Password Manager logons are disabled.

This feature is intended for administrators who might need to access a computer for administrative purposes, and without Kiosk features enabled.

Non-administrators can be prohibited from logging on to the computer outside of a kiosk session by enabling a setting in the controlling GPO. See Prevent users from logging on outside of a Kiosk session.

Important: If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be sure to log off from any non-kiosk session on a kiosk workstation rather than locking it.
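The following PowerShell script is an added example and is not part of the DigitalPersona documentation or product. It helps an administrator honour the warning above: it lists the interactive sessions on a kiosk workstation that do not belong to the Shared Kiosk Account, so a non-kiosk session that was only locked can be found and logged off. The Shared Account name is passed in (the value used here is hypothetical), and the parsing assumes the default English column layout of quser output.

```powershell
# Added example, not from the DigitalPersona documentation: find interactive
# sessions on a kiosk workstation that are NOT the Shared Kiosk Account, so an
# administrator who logged on with "Other User" and only locked the screen does
# not leave the kiosk unusable for every other kiosk user.
# Assumptions: the Shared Account's user name is supplied by the caller, and
# 'quser' prints its default English column layout.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharedAccount,   # user name of the Shared Account, e.g. 'kioskuser' (hypothetical)
    [switch]$LogOff           # log the offending sessions off instead of only reporting them
)

# quser prints a header line followed by one line per session:
#  USERNAME   SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
# SESSIONNAME is blank for disconnected sessions, so that column is optional.
# A leading '>' marks the session the script itself is running in.
$pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)'

$sessions = quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            User  = $Matches['user']
            Id    = [int]$Matches['id']
            State = $Matches['state']
        }
    }
}

# -ne is case-insensitive in PowerShell, matching how Windows compares user names.
$foreign = @($sessions | Where-Object { $_.User -ne $SharedAccount })

if ($foreign.Count -eq 0) {
    Write-Output "Only the Shared Account '$SharedAccount' is logged on."
}

foreach ($s in $foreign) {
    Write-Output ("Non-kiosk session {0}: user '{1}' ({2})" -f $s.Id, $s.User, $s.State)
    if ($LogOff) {
        # 'logoff <id>' ends that session; unsaved work in it is lost.
        logoff $s.Id
    }
}
```

Run it without -LogOff first to see what it would end; a disconnected ("Disc") session belonging to an administrator is exactly the case the warning describes, since the Kiosk User tile cannot unlock it.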

Automatic Logon using the Shared Kiosk Account

Kiosk can be configured to automatically log on to the Shared Kiosk account when Windows starts or restarts. The Windows Logon screen will not be displayed.

Because the automatic logon setting bypasses interactive authentication, anyone with physical access to the Kiosk computer obtains a Windows session as the Shared Kiosk Account simply by restarting it.

This option is controlled by the Allow automatic logon using Shared Kiosk Account setting.
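The following PowerShell script is an added example and is not part of the DigitalPersona documentation or product. It audits a kiosk workstation for a Windows automatic logon and reports what that logon exposes. It assumes that the Allow automatic logon using Shared Kiosk Account setting results in a standard Winlogon auto-logon entry; if DigitalPersona implements the setting differently, the script only covers the Winlogon path. The Shared Account name passed in is hypothetical.

```powershell
# Added example, not from the DigitalPersona documentation: audit a kiosk
# workstation for a Winlogon automatic logon and report the risks it carries.
# Assumption: the Kiosk "Allow automatic logon using Shared Kiosk Account"
# setting is realised as a standard Winlogon auto-logon; anything implemented
# elsewhere by the product is outside what this check can see.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharedAccount   # expected auto-logon account, e.g. 'CORP\kioskuser' (hypothetical)
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$p = Get-ItemProperty -Path $winlogon -ErrorAction Stop

$findings = @()

if ($p.AutoAdminLogon -eq '1') {
    $configured = if ($p.DefaultDomainName) {
        "$($p.DefaultDomainName)\$($p.DefaultUserName)"
    } else {
        $p.DefaultUserName
    }
    $findings += "AutoAdminLogon is enabled: the machine boots straight into '$configured' with no interactive authentication"

    # An auto-logon as anything other than the Shared Account would hand out a
    # session that is not a kiosk session at all (see "Logging On to Windows without Kiosk").
    if ($configured -ne $SharedAccount) {
        $findings += "Auto-logon account '$configured' is not the Kiosk Shared Account '$SharedAccount'"
    }

    # A DefaultPassword value in this key is cleartext and readable by any local
    # user. Tools that store the password as an LSA secret instead (e.g. the
    # Sysinternals Autologon utility) do not show a value here.
    if (-not [string]::IsNullOrEmpty($p.DefaultPassword)) {
        $findings += 'DefaultPassword is stored in cleartext in the Winlogon key'
    }

    # AutoLogonCount makes the auto-logon temporary; its absence means it is permanent.
    if ($null -ne $p.AutoLogonCount) {
        $findings += "AutoLogonCount = $($p.AutoLogonCount): auto-logon expires after that many boots"
    } else {
        $findings += 'No AutoLogonCount: auto-logon is permanent'
    }
}
else {
    $findings += 'AutoAdminLogon is not enabled; the Windows Logon screen is shown at boot'
}

$findings
```

Treat any "AutoAdminLogon is enabled" finding as a physical-access risk to weigh against the convenience the section describes, and treat a cleartext DefaultPassword as a finding to fix regardless of which account it belongs to.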

Changing Your Password

The process of changing your Windows password on a computer with DigitalPersona Kiosk installed is the same as on a computer without DigitalPersona Kiosk installed.

To change your Windows password:

  1. Press Ctrl+Alt+Delete.

  2. Select Change a Password.

  3. Enter your Windows user name and your old password.

  4. Enter and confirm a new password.

User Account Control

An administrator may use any authorized and enrolled credential instead of their user name and password to give a standard user permission to perform an activity that is restricted by User Account Control.

When the User Account Control dialog displays, a local administrator with an authorized credential can use their credential to permit the activity.

Using the Password Manager Admin Tool with Kiosk

The Password Manager Admin Tool is an administrative tool that allows an administrator to provide automated logon to password-protected resources, programs and websites.

With DigitalPersona Kiosk, Password Manager includes the following differences when compared to DigitalPersona Workstation implementations:

  • Managed logons created with the Password Manager Admin Tool must be deployed to the Shared Account instead of to user accounts.

  • Kiosk users do not need to log on to Windows to use managed logons. Their identity is verified each time they log on to the resource. For kiosk users, the Password Manager logon data is never cached locally.

Note: Only managed logons created using the DigitalPersona Password Manager Admin Tool, version 1.0 or higher, are compatible with the current version of DigitalPersona Kiosk.

Logging On to Password-Protected Programs

DigitalPersona Kiosk lets a kiosk user log on to password-protected resources, programs and websites with any enrolled credential. As an administrator, you must enable this feature for specific programs by creating managed logons for them.

Password-protected resources with managed logons display a Password Manager icon, shown below, in the upper left corner of the screen (Internet Explorer) or to the right of the first recognized entry field (Firefox and Chrome).

Password Manager Icon for Internet Explorer web browser and Windows applications

Password Manager Icon for Internet Explorer web browser and Windows applications indicating a recognized Change Password screen

Password Manager Icon for Chrome, Firefox, and Edge web browsers

Password Manager Icon for Chrome, Firefox, and Edge web browsers indicating a recognized Change Password screen

Administrators can also add a logon for a change password screen to a managed logon.

Users are prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they only need to launch the program, and submit their enrolled credential. DigitalPersona Kiosk automatically enters the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes and, if so configured, submits the account data.

For further information, see Managing Your Password Manager Data.

Switching Users on DigitalPersona Kiosk Computers

You can log on, unlock or gain access to a password-protected resource on a Kiosk computer by using your enrolled credentials.

After your work is finished, you can do one of the following:

  • Close the resource and leave the Kiosk computer unlocked - The next user can approach the Kiosk computer and provide their credentials to gain access to the password-protected resource.

  • Close the resource and lock the Kiosk computer - The next user can approach the Kiosk computer and provide their credentials to unlock the computer. They can then open any password-protected resource with their credentials.

  • Close the resource and log off from the Kiosk computer - The next user can approach the Kiosk computer and provide their credentials to log on to the computer. The user is logged into the Shared Account for the kiosk.

For further information, see installation and configuration of DigitalPersona Kiosk.

All other functionality is the same as DigitalPersona Workstation.