
Authentication Options - Hitachi ID Password Manager

Users Signing Into Hitachi ID Password Manager

Users may authenticate into Password Manager as follows:

Help Desk Analysts Signing Into Password Manager

Support staff can authenticate callers using a designated subset of the calling user's security questions. The use of a subset ensures that some security questions remain private. Support staff may either see answers to the user's security questions (less secure, more convenient) or be required to type answers provided by the caller (more secure).

Authentication with PKI Tokens and Smart Cards

If users have client-side certificates (either in their browser or on a smart card) and the Hitachi ID Systems customer has a PKI deployment, then the web server hosting Password Manager can be configured to authenticate incoming users with their PKI certificates, for one or more virtual directories. If the web server authenticates the user in this way, then Password Manager can be configured to simply trust it (i.e., accept the REMOTE_USER or a similar variable directly from the web server as an authenticated Password Manager profile ID).
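The trust decision described above, sketched as an added example (not Hitachi ID code): an application that accepts a web-server-supplied identity should read only the server-set REMOTE_USER variable and confirm that certificate verification succeeded. The function name, the profile ID pattern and the use of Apache mod_ssl's SSL_CLIENT_VERIFY variable are assumptions; other web servers expose the verification result under different names.

```python
import re

# Hypothetical policy: a profile ID is a short login-style name.
PROFILE_ID = re.compile(r"[A-Za-z0-9._-]{1,64}")


def trusted_profile_id(environ):
    """Return the web-server-authenticated profile ID, or None so the
    caller falls back to another login method.

    `environ` is the CGI/WSGI variable dictionary for one request.
    """
    # Only the server-set CGI meta-variable counts. HTTP_* entries are
    # copies of request headers, so a client can put any value in them.
    user = environ.get("REMOTE_USER", "")
    if not user:
        return None
    # Assumption: mod_ssl naming. SSL_CLIENT_VERIFY is SUCCESS only after
    # the client certificate chain validated against the configured CA.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Refuse anything that is not a plain profile ID, such as a full
    # certificate subject DN passed through unmapped.
    if not PROFILE_ID.fullmatch(user):
        return None
    return user


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "verified_cert": {"REMOTE_USER": "jsmith", "SSL_CLIENT_VERIFY": "SUCCESS"},
    "forged_header": {"HTTP_REMOTE_USER": "admin", "SSL_CLIENT_VERIFY": "NONE"},
    "failed_verify": {"REMOTE_USER": "jsmith", "SSL_CLIENT_VERIFY": "FAILED:expired"},
    "unmapped_dn": {"REMOTE_USER": "CN=J Smith,O=Example", "SSL_CLIENT_VERIFY": "SUCCESS"},
}


def evaluate_samples():
    """Map each sample name to the profile ID it yields (or None)."""
    return {name: trusted_profile_id(env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

The same check belongs on any reverse proxy in front of the web server: identity passed between tiers in a request header is only as trustworthy as the guarantee that clients cannot set that header themselves.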

Strong Q&A Authentication

Password Manager supports multiple question sets in the context of challenge/response authentication:

Careful configuration of challenge/response authentication is required to ensure that it is at least as strong as hard-to-guess and regularly changing passwords.


Watch a Movie

Enrollment of security questions



Content:

  • A user has been invited to fill in a form with security questions and answers.
  • This animation starts after:
    • The user has clicked a link in an e-mail, or
    • a browser window was automatically launched at PC login.
    • The user has already authenticated to Password Manager with a password, token or smart card.

Key concepts:

  • Policy is used to combine user-chosen and standardized questions.
  • Some questions may be accessible to the help desk.
  • Some questions may be suitable for telephone authentication.
  • Usually only a random subset of enrolled questions is used to authenticate a user.