This article explains how to configure the Beyond Identity Authenticator to allow users to share passkeys across multiple machines using roaming profiles, which is especially useful for non-persistent VDI environments. It details the registry settings, roaming profile deployment, and credential roaming configuration required for implementation.
The Beyond Identity Authenticator can now be configured to allow a user to switch between different machines. This enables Beyond Identity keys to be shared via roaming profiles on an Active Directory Domain.
It’s recommended only for specific use cases. For example, this can be used with non-persistent VDI machines with additional policy controls around them to avoid an end user having to import a passkey each time a VDI machine is started.
Implementation
To allow a user to share passkeys across different machines, the system administrator must complete the following step:
Set the following value in the Windows Registry of every machine in scope for using a shared software passkey:
| Setting | Detail |
| --- | --- |
| Registry Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BeyondIdentity\Authenticator |
| Registry Key Value | SHARED_PROFILES |
| Type | DWORD |
| Value | 0 = Disables shared profiles (default); 1 = Enables shared profiles |
This setting makes the Beyond Identity Authenticator store and read passkeys from %appdata%\BeyondIdentity, the location that roams with the user's profile.
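The registry step above as an added PowerShell example (not Beyond Identity's own tooling): it writes the SHARED_PROFILES DWORD under the policy key named in the article and reads it back for an audit record, treating a missing value as the documented default of 0. The function names and the output object are assumptions chosen for this example; run it elevated on a machine that is in scope.

```powershell
# Added example, not part of the Beyond Identity product or documentation.
# Key path and value name are the ones given in the article above.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\BeyondIdentity\Authenticator'
$ValueName = 'SHARED_PROFILES'

function Set-BISharedProfiles {
    # Hypothetical helper name. 1 = enable shared profiles, 0 = disable.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
}

function Get-BISharedProfiles {
    # Hypothetical helper name. Returns 0 when the value is absent, which
    # matches the documented default (shared profiles disabled).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

# Enable sharing on an in-scope machine (for example a VDI golden image),
# then record the effective state and whether the roaming passkey store
# under %APPDATA%\BeyondIdentity is present for the current user.
Set-BISharedProfiles -Enabled 1
$store = Join-Path $env:APPDATA 'BeyondIdentity'
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SharedProfiles    = Get-BISharedProfiles
    RoamingStoreFound = Test-Path $store
}
```

Keeping the returned object per machine gives a simple way to confirm that only the machines covered by the additional policy controls the article mentions have the value set to 1.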
Summary
Once configured, the passkey in the roaming profile is available and viewable in the Authenticator whenever a user logs into a new machine configured to use roaming profiles.