Authentication Options - Hitachi ID Password Manager
Users Signing Into Hitachi ID Password Manager
(1)Users may authenticate into Password Manager as follows:
- On the web portal:
- By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc).
- By answering security questions.
- Using a security token (e.g., SecurID pass-code).
- Using a smart card with PKI certificate.
- Using Windows-integrated authentication.
- Using a SAML or OAuth assertion issued by another server.
- By typing a PIN that was sent to their mobile phone via SMS.
- Using a combination of these mechanisms.
- Using a telephone, calling an automated IVR system:
- By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
- By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification)
- Using a telephone, calling an IT support technician:
- By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.
Help Desk Analysts Signing Into Password Manager
Support staff can authenticate callers using a designated subset of the calling user's security questions. The use of a subset ensures that some security questions remain private. Support staff may either see answers to the user's security questions (less secure, more convenient) or be required to type answers provided by the caller (more secure).
Authentication with PKI Tokens and Smart Cards
If users have client-side certificates (either in their browser or a smart card) and Hitachi ID Systems customer has a PKI deployment, then the web server hosting Password Manager can be configured to authenticate incoming users with their PKI certificates, for one or more virtual directories. If the web server authenticates the user in this way, then Password Manager can be configured to simply trust it (i.e., accept the REMOTE_USER or a similar variable right from the web server, as an authenticated Password Manager profile ID).
Strong Q&A Authentication
Password Manager supports multiple question sets in the context of challenge/response authentication:
- Each question set either allows users to define their
own question-and-answer pairs or requires users to
answer some number of pre-defined questions.
- Each question set with pre-defined questions has its own,
normally unique, list of questions.
- Questions may have formatting constraints (e.g., all numeric
for use with a touch tone IVR system).
- Questions sets may be used in different contexts -- self-service
authentication, help desk user authentication, displayed to
IT support users or mandatory input by IT support users.
- Users may be required to fill in some minimum number of
the questions in each set. For example, a question set may
have a set of 20 standard questions and users must populate
answers to at least 5.
- During authentication, some defined number of questions is drawn
from each relevant question set, at random, to carry out
- Question sets can be assigned to authentication screens.
This makes it possible to serialize the authentication process.
For example, users must successfully answer some questions from their
pre-defined set before being asked to answer their own
free-form questions. This can force an attacker to compromise
some answers before even starting to figure out the
answers to others.
- Question/answer data in each question set may be stored in
different places. For example, data for one question set may be
physically on the Password Manager servers, while a second might be
accessed on an LDAP directory and a third validated against
an HR application.
- There is no limit to the number of question sets, questions per set or answers per user.
Careful configuration of challenge/response authentication is required to ensure that it is at least as strong as hard-to-guess and regularly changing passwords.