• Site Map
• Contact Us

• Home
• Our Company
  • Customers
  • Careers
  • Contact Us
  • RSS & Blogs
• Products
  • Identity Manager
  • Password Manager
  • Group Manager
  • Privileged Access Manager
  • Download evaluation
  • Releases
  • CCC
• Solutions
  • Security / GRC
  • Reducing IT support cost
  • Improve user service
• Support
  • Shipping products
  • Supported versions
  • Portal login
  • Report problem
• Services
  • Solution delivery
  • Methodology
  • Education
  • Upgrades
  • AdMax Program
  • Hitachi ID Systems-Managed IAM
  • Guarantee
• News &  Events
  • Press Releases
  • Press Coverage
  • Archived Webinars
• Resource Center
  • White Papers
  • Independent Reviews
  • Brochures
  • Slide Decks
  • Case Studies
  • Regulatory Compliance
  • Certifications
  • Community
• Partners
  • Technology Partners
  • Channel Partners
  • System Integrators and Consultants
  • Managed Service Providers
  • Public Sector
  • Partner Portal
  • Online partner application

Security Authentication options

Hitachi ID Password Manager authentication options

Users Signing Into Hitachi ID Password Manager (formerly P-Synch)

(1)Users may authenticate into Password Manager as follows:

• On the web portal:
  • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc).
  • By answering security questions.
  • Using a security token (e.g., SecurID pass-code).
  • Using a smart card with PKI certificate.
  • Using Windows-integrated authentication.
  • Using a SAML assertion issued by another server.
  • By typing a PIN that was sent to their mobile phone via SMS.
  • Using a combination of these mechanisms.

• Using a telephone, calling an automated IVR system:
  • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
  • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification)

• Using a telephone, calling a (human) analyst on the help desk:
  • By answering a series of security questions, where the analyst must type the answers into a web portal to authenticate the caller.

Help Desk Analysts Signing Into Password Manager

Help desk analysts can authenticate callers using a designated subset of the calling user's security questions. The use of a subset ensures that some security questions remain private. Analysts may either see answers to the user's security questions (less secure, more convenient) or be required to type answers provided by the caller (more secure).

Authentication with PKI Tokens and Smart Cards

If users have client-side certificates (either in their browser or a smart card) and Hitachi ID Systems customer has a PKI deployment, then the web server hosting Password Manager can be configured to authenticate incoming users with their PKI certificates, for one or more virtual directories. If the web server authenticates the user in this way, then Password Manager can be configured to simply trust it (i.e., accept the REMOTE_USER or a similar variable right from the web server, as an authenticated Password Manager profile ID).

Strong Q&A Authentication

Password Manager supports multiple question sets in the context of challenge/response authentication:

• Each question set either allows users to define their own question-and-answer pairs or requires users to answer some number of pre-defined questions.

• Each question set with pre-defined questions has its own, normally unique, list of questions.

• Questions may have formatting constraints (e.g., all numeric for use with a touch tone IVR system).

• Questions sets may be used in different contexts -- self-service authentication, help desk user authentication, displayed to IT support users or mandatory input by IT support users.

• Users may be required to fill in some minimum number of the questions in each set. For example, a question set may have a set of 20 standard questions and users must populate answers to at least 5.

• During authentication, some defined number of questions is drawn from each relevant question set, at random, to carry out authentication.

• Question sets can be assigned to authentication screens. This makes it possible to serialize the authentication process. For example, users must successfully answer some questions from their pre-defined set before being prompted to answer their own free-form questions. This can force an attacker to compromise some answers before even starting to figure out the answers to others.

• Question/answer data in each question set may be stored in different places. For example, data for one question set may be physically on the Password Manager servers, while a second might be accessed on an LDAP directory and a third validated against an HR application.

• There is no limit to the number of question sets, questions per set or answers per user.

Careful configuration of challenge/response authentication is required to ensure that it is at least as strong as hard-to-guess and regularly changing passwords.

© Hitachi ID Systems, Inc. . All rights reserved.