Skip to main content

Passwordless MFA

Quick-start - Passwordless MFA for domain-joined Windows workstations

In this guide we will set up idemeum Passwordless MFA for domain-joined Windows workstations. Your customers will be able to access workstation without passwords leveraging mobile biometrics.


idemeum leverages virtual smart card for user login into domain-joined workstations. Here are the pre-requisites for idemeum Passwordless MFA for domain-joined set up:

  1. idemeum supports Windows 10, 11, IoT for domain-joined Passwordless MFA
  2. Windows workstation has to have a Trusted Platform Module (TPM) enabled. Refer to this link to learn more about how to verify whether TPM is present in the system.
  3. Active Directory Certificate Services (ADCS) need to be set up and configured with idemeum certificate template. The detailed guide is here.

1. Sign up for idemeum MSP tenant

If you have not created your idemeum cloud tenant yet, please follow the steps below to create a trial tenant for your organization.

How to create idemeum cloud tenant
Create idemeum cloud tenant for your organization so that you can test various idemeum services.

2. Enable Cloud Directory for your MSP tenant

To manage identities of your MSP technicians we will leverage idemeum local directory. To enable local directory:

  • Navigate to https://<your-msp-domain>
  • Access UsersUser source and choose Local
  • Save the configuration

3. Create accounts for your technicians

Now you can add your technicians to your tenant local directory. Once onboarded they will be able to login to your MSP tenant and also customer tenants with a mobile device.

  • Navigate to your MSP tenant admin portal at https://<your-msp-domain>
  • Access UsersUser management and click Add user
  • Enter the email address that the user will verify in the mobile application to be onboarded into your tenant, and save the user record
Your technicians will need to install idemeum mobile application, verify one of the emails you specified in the user record, navigate to your MSP tenant URL, scan the QR-code, and they will be onboarded.

4. Create a customer tenant that you will manage

idemeum offers Multi-Tenant MSP Portal to manage all your customer tenants from a single dashboard. To create a tenant for your customer:

  • Navigate to your MSP tenant admin portal at
  • Access Customers on the left and click Create customer
  • Enter Name (will be used to create a subdomain for your MSP tenant, for example cusrtomer-<your MSP domain> and Display name (will be used as a display name / title for your customer tenant)

5. Delegate technician access to customer tenant

You have two options:

  1. You can make every technician an Admin in your MSP tenant and as a result, technicians will have access to all created customers tenants by default.
  2. You do not assign an Admin role to a technician, but delegate access to each customer tenant directly.

To assign an Admin role to a technician, please follow these steps.

  • Navigate to your MSP tenant admin portal at https://<your-msp-domain>
  • Access Users
  • Find the user record, click on ... and then choose Make admin

To delegate access to each customer tenant directly, please follow these steps.

idemeum MSP portal centralizes the control and management of multiple organizations from one dashboard. MSP admins can view top-level data for their managed organizations at-a-glance, or can access and directly manage each customer organization.

6. Configure customer tenant

Now we will configure customer tenant for authentication leveraging Passwordless MFA.

  • Access your customer tenant with a mobile device. You can directly naviagate to a customer tenant URL at customer-<your msp domain> or navigate to your MSP postal, Customers section and click on the link from there. You will need to login with your mobile device.

Enable cloud directory for customer tenant

  • Navigate to your customer tenant admin dashboard and enabel cloud directory
  • Access UsersUser source and choose Local
  • Save the configuration

Enable master key for the customer tenant

Master key is the secret key for each customer tenant that encrypts all sensitive information, such as passwords. Therefore idemeum team can not see any of your or your customer information in our cloud.

  • Navigate to Settings and then Desktop login
  • Enable Master key with a toggle

Enable user authentication with Passwordless MFA

  • Navigate to Settings and then Desktop login
  • Click Enable desktop login for users
  • Then choose Passwordless MFA from the drop down list
  • Click Save

Create your customer users

Now you create users for your customers so that they can onboard with a mobile device. For example, here I create a new user record for Billy:

  • Provide First name and Last name
  • Enter company email address / UPN
  • Optionally enter the personal email address
To onboard your users simply install idemeum mobile application and verify personal or corporate email address in the mobile device. Then they can scan the QR-code (portal or workstation) and get onboarded. 

Set up desktop client branding

You can configure the look and feel for the desktop client by configuring background, logo, and text for your users. You can follow the guide below.

When you install idemeum desktop application it takes over the login screen. In order for the application to reflect your branding images and logo, idemeum allows you to customize the login screen.

Enable ADCS configuration for customer

Active Directory Certificate Services (AD CS) is leveraged to perform certificate-based login, i.e., smart card login post completing MFA via idemeum mobile application.

Before installing idemeum desktop client on domain-joined machines, please ensure you perform a one-time configuration to set up Active Directory Certificate Services.

ADCS Configuration guide

7. Install idemeum desktop application

Now you can install idemeum desktop application to a customer workstation. There are various installation methods. For instance, you can install idemeum desktop client manually.

8. Test user login

Users can now login to their workstations with idemeum Passwordless MFA.

9. Passwordless elevated access for technicians

There is a separate quick-start guide for Passwordless Elevated Access. Your technicians can access any customer workstation with a mobile device. No credentials needed.

All you need to do is to assign an account to each workstation in the cloud portal.

  • Navigate to your customer tenant at customer-<msp domain>
  • Click on Accounts at the top, then choose ... and choose Configure shared account
  • Now assign a local admin account that will be used for technicians to access customer workstation or elevate in the remote session. If the account does not exist, idemeum desktop client will automatically create it.
  • Now for any customer workstation your technicians can click Elevated access and login to a workstation by scanning a QR-code with a mobile device.


If you have any questions, join our Discord chat and we can help you.