Hitachi ID Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:
- If the user connects from the Extranet, start with a CAPTCHA.
- Next, prompt for the user's login ID.
- Fingerprint the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
- If the user connects from a browser not seen before, prompt for
another factor, which may be any of the following:
- If the user had previously enrolled their mobile phone number,
send a PIN to the user's phone, via SMS and prompt the user to
- If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
- If the user had previously installed Hitachi ID Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
- If the user has been activated to use a third party 2FA technology, such as a one time password token (e.g., RSA SecurID) or a third party app (e.g., Duo Security or Google Authenticator), use that.
- If the user had previously enrolled their mobile phone number, send a PIN to the user's phone, via SMS and prompt the user to enter it.
- Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
- Finally, depending on whether the user remembers his password, prompt the user to enter it or answer a series of security questions.
BYOD as a credential
Hitachi ID Systems ships mobile apps for Android and iOS, where the communication path between an on-premises (non-Internet-reachable) IAM system and a smart phone attached to the public Internet is brokered by a cloud-hosted proxy. The main purpose of these mobile apps is to address the connectivity problem, where the phone is outside the "corporate" network but the IAM system is inside and no connection originating at the phone can terminate at the IAM system, because of NAT, firewalls, absence of a VPN and absence of a reverse web proxy.
The Mobile Access mobile app also supports a 2FA feature, which works as follows:
- The user's phone has a locally installed, unique-to-that-device encryption key, deployed at phone/app activation time.
- The user attempts to sign into the IAM system from his PC (VPN, on-premises).
- The login screen renders a cryptographic challenge, displayed as a QR code.
- The user activates the app, which uses the phone's camera to scan the QR code and compute a response.
- The response code is sent via a cloud-hosted proxy to the IAM system, to complete the login step.
- If the user has no data connection on his phone, he is able to read the response code from the screen of his phone and type it into a text entry box in the IAM system's HTML login page.
This is intended as a zero-added-cost feature for all users at all Hitachi ID customers, so that all users gain the benefit of a second authentication factor (something they have - their phone).
Hitachi ID recommends combining this with either a password or security
questions, rather than using this as the sole authentication factor.