Authentication Options - Hitachi ID Password Manager

Users Signing Into Hitachi ID Password Manager

Users may authenticate into Password Manager as follows:

  • On the web portal:
    • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F).
    • By answering security questions.
    • Using a security token (e.g., SecurID pass-code).
    • Using a smart card with PKI certificate.
    • Using Windows-integrated authentication.
    • Using a SAML or OAuth assertion issued by another server.
    • By typing a PIN that was sent to their mobile phone via SMS.

  • Using a telephone, calling an automated IVR system:
    • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
    • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

  • Using a telephone, calling an IT support technician:
    • By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

Help Desk Analysts Signing Into Password Manager

Support staff can authenticate callers using a designated subset of the calling user's security questions. The use of a subset ensures that some security questions remain private. Support staff may either see answers to the user's security questions (less secure, more convenient) or be required to type answers provided by the caller (more secure).

Authentication with PKI Tokens and Smart Cards

If users have client-side certificates (either in their browser or on a smart card) and the Hitachi ID Systems customer has a PKI deployment, then the web server hosting Password Manager can be configured to authenticate incoming users with their PKI certificates, for one or more virtual directories. If the web server authenticates the user in this way, then Password Manager can be configured to simply trust it (i.e., accept the REMOTE_USER or a similar variable directly from the web server as an authenticated Password Manager profile ID).
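Trusting REMOTE_USER is only safe when the value was set by the web server itself and not copied from a request header. The sketch below is an added example, not Password Manager code: the helper names are hypothetical, the request environments are constructed, and it assumes a CGI/WSGI-style environment behind a front end that exposes the certificate check result as SSL_CLIENT_VERIFY (as Apache mod_ssl does).

```python
import re

# Assumption: profile IDs are short tokens (letters, digits and . _ @ \ -).
_ID_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")

# Client-supplied headers reach a CGI/WSGI application with an HTTP_ prefix,
# so these keys are attacker-controlled and must never be used as an identity.
LOOKALIKE_HEADERS = ("HTTP_REMOTE_USER", "HTTP_X_REMOTE_USER",
                     "HTTP_X_FORWARDED_USER")


def spoofed_headers(environ):
    """Return lookalike identity headers present in the request (log these)."""
    return [h for h in LOOKALIKE_HEADERS if h in environ]


def profile_id_from_server(environ):
    """Return the server-authenticated profile ID, or None if not trustworthy."""
    # The web server must report a successful client-certificate check.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Only the server-set variable is read; HTTP_* copies are ignored.
    user = environ.get("REMOTE_USER", "")
    if not _ID_RE.fullmatch(user):
        return None
    return user


# Constructed request environments for illustration.
GOOD = {"REMOTE_USER": "jsmith", "SSL_CLIENT_VERIFY": "SUCCESS"}
HEADER_ONLY = {"HTTP_REMOTE_USER": "admin", "SSL_CLIENT_VERIFY": "SUCCESS"}
NO_CERT = {"REMOTE_USER": "jsmith", "SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, env in (("good", GOOD), ("header only", HEADER_ONLY),
                      ("no cert", NO_CERT)):
        print(name, profile_id_from_server(env), spoofed_headers(env))
```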

Strong Q&A Authentication

Password Manager supports multiple question sets in the context of challenge/response authentication:

  • Each question set either allows users to define their own question-and-answer pairs or requires users to answer some number of pre-defined questions.

  • Each question set with pre-defined questions has its own, normally unique, list of questions.

  • Questions may have formatting constraints (e.g., all numeric for use with a touch tone IVR system).

  • Question sets may be used in different contexts: self-service authentication, help desk user authentication, displayed to IT support users or mandatory input by IT support users.

  • Users may be required to fill in some minimum number of the questions in each set. For example, a question set may have a set of 20 standard questions and users must populate answers to at least 5.

  • During authentication, some defined number of questions is drawn from each relevant question set, at random, to carry out authentication.

  • Question sets can be assigned to authentication screens. This makes it possible to serialize the authentication process. For example, users must successfully answer some questions from their pre-defined set before being asked to answer their own free-form questions. This can force an attacker to compromise some answers before even starting to figure out the answers to others.

  • Question/answer data in each question set may be stored in different places. For example, data for one question set may be physically on the Password Manager servers, while a second might be accessed on an LDAP directory and a third validated against an HR application.

  • There is no limit to the number of question sets, questions per set or answers per user.

Careful configuration of challenge/response authentication is required to ensure that it is at least as strong as hard-to-guess and regularly changing passwords.
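The random draw and the serialized screens described above can be sketched as follows. This is an added example, not Password Manager code: the function names, the PBKDF2 parameters, the answer normalization and the sample profile are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

_rng = secrets.SystemRandom()  # CSPRNG, so the draw is not predictable


def _norm(answer):
    # Assumption: answers are compared case- and whitespace-insensitively.
    return " ".join(answer.lower().split())


def enroll(answer, salt=None):
    """Store a salted, stretched hash of the answer, never the answer itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 100_000)
    return salt, digest


def check(answer, record):
    salt, digest = record
    return hmac.compare_digest(enroll(answer, salt)[1], digest)


def authenticate(stages, profile, respond):
    """Run the screens in order; return (ok, name of the set that failed).

    stages:  ordered list of (set_name, number_of_questions_to_draw)
    profile: {set_name: {question_id: (salt, digest)}}
    respond: callable taking the drawn question IDs, returning {id: answer}
    """
    for set_name, count in stages:
        enrolled = profile[set_name]
        asked = _rng.sample(sorted(enrolled), count)  # random subset per attempt
        answers = respond(asked)
        # Check every answer before deciding, so the caller never learns
        # which individual answer on the screen was wrong.
        results = [check(answers.get(q, ""), enrolled[q]) for q in asked]
        if not all(results):
            return False, set_name  # later question sets are never revealed
    return True, None


# Constructed sample data: one standard set and one user-defined set.
ANSWERS = {"emp_no": "48213", "hire_year": "2009", "street": "Maple Street",
           "first_pet": "Biscuit", "own_q1": "the blue bicycle"}
SETS = {"standard": ["emp_no", "hire_year", "street"],
        "personal": ["first_pet", "own_q1"]}
PROFILE = {name: {q: enroll(ANSWERS[q]) for q in qs} for name, qs in SETS.items()}
STAGES = [("standard", 2), ("personal", 1)]  # standard set first, then personal
```

A caller that fails the first screen is rejected without ever seeing which personal questions exist, which is the serialization property the list describes.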

Watch a Movie

Enrollment of security questions


  • A user has been invited to fill in a form with security questions and answers.
  • This animation starts after:
    • The user has clicked a link in an e-mail, or a browser window was automatically launched at PC login.
    • The user has already authenticated to Password Manager with a password, token or smart card.

Key concepts:

  • Policy is used to combine user-chosen and standardized questions.
  • Some questions may be accessible to the help desk.
  • Some questions may be suitable for telephone authentication.
  • Usually only a random subset of enrolled questions is used to authenticate a user.

Read More:

  • Secure Password Management:
    Passwords are only as good as the weakest link in the password management process.
  • Locking down Password Manager:
    Protecting the Password Manager server, its data and its communications against attack.
  • Password Policy Enforcement:
    Password Manager can enforce a global password policy, ensuring that users choose hard-to-guess passwords, never reuse passwords, and change their passwords regularly.
  • Security vs. Usability:
    The human factor is important when formulating password policies and designing authentication processes.
  • Consistent Authentication Processes:
    Social engineering attacks, packet sniffing and other mechanisms can be used to compromise password security without having to directly crack passwords.
  • Delegating Password Reset Privileges:
    Delegating just the right to reset passwords to help desk staff or managers, without giving them other, unneeded rights.
  • Audit Logs:
    Audit trails and transaction logs create accountability in security processes.
  • Authentication Options:
    Authentication processes supported by Password Manager for securely logging in users.