Authentication Options - Hitachi ID Password Manager
Users Signing Into Hitachi ID Password Manager
Users may authenticate into Password Manager as follows:
- On the web portal:
- By typing their current password to a trusted system (e.g., Windows/AD,
LDAP, RAC/F, etc).
- By answering security questions.
- Using a security token (e.g., SecurID pass-code).
- Using a smart card with PKI certificate.
- Using Windows-integrated authentication.
- Using a SAML or OAuth assertion issued by another server.
- By typing a PIN that was sent to their mobile phone via SMS.
- Using a combination of these mechanisms.
- Using a telephone, calling an automated IVR system:
- By keying in numeric answers to a series of security questions
(e.g., employee number, date of hire, driver's license
- By speaking one or more phrases, where the Password Manager server
compares the new speech sample to one on record (biometric
voice print verification)
- Using a telephone, calling an IT support technician:
- By answering a series of security questions, where the technician
must type the answers into a web portal to authenticate the caller.
Help Desk Analysts Signing Into Password Manager
Support staff can authenticate callers using a designated subset
of the calling user's security questions. The use of a subset ensures
that some security questions remain private. Support staff may either see
answers to the user's security questions (less secure, more convenient)
or be required to type answers provided by the caller (more secure).
Authentication with PKI Tokens and Smart Cards
If users have client-side certificates (either in their browser or
a smart card) and Hitachi ID Systems customer has a PKI deployment, then the web
server hosting Password Manager can be configured to authenticate
incoming users with their PKI certificates, for one or more virtual
directories. If the web server authenticates the user in this way,
then Password Manager can be configured to simply trust it (i.e.,
accept the REMOTE_USER or a similar variable right from the web server,
as an authenticated Password Manager profile ID).
Strong Q&A Authentication
Password Manager supports multiple question sets in the context of
- Each question set either allows users to define their
own question-and-answer pairs or requires users to
answer some number of pre-defined questions.
- Each question set with pre-defined questions has its own,
normally unique, list of questions.
- Questions may have formatting constraints (e.g., all numeric
for use with a touch tone IVR system).
- Questions sets may be used in different contexts -- self-service
authentication, help desk user authentication, displayed to
IT support users or mandatory input by IT support users.
- Users may be required to fill in some minimum number of
the questions in each set. For example, a question set may
have a set of 20 standard questions and users must populate
answers to at least 5.
- During authentication, some defined number of questions is drawn
from each relevant question set, at random, to carry out
- Question sets can be assigned to authentication screens.
This makes it possible to serialize the authentication process.
For example, users must successfully answer some questions from their
pre-defined set before being asked to answer their own
free-form questions. This can force an attacker to compromise
some answers before even starting to figure out the
answers to others.
- Question/answer data in each question set may be stored in
different places. For example, data for one question set may be
physically on the Password Manager servers, while a second might be
accessed on an LDAP directory and a third validated against
an HR application.
- There is no limit to the number of question sets, questions per
set or answers per user.
Careful configuration of challenge/response authentication is required
to ensure that it is at least as strong as hard-to-guess and regularly
Watch a Movie
Enrollment of security questions
- A user has been invited to fill in a form with
security questions and answers.
- This animation starts after:
- The user has clicked a link in an e-mail, or
- a browser window was automatically launched at PC login.
- The user has already authenticated to Password Manager with
a password, token or smart card.
- Policy is used to combine user-chosen and standardized questions.
- Some questions may be accessible to the help desk.
- Some questions may be suitable for telephone authentication.
- Usually only a random subset of enrolled questions is used to
authenticate a user.