Hitachi ID Password Manager has an open authentication architecture, and can plug into existing password systems, corporate directories, two-factor authentication tokens, PKI certificates and biometric engines.

Login options

Users may authenticate into Password Manager as follows:

  • On the web portal:
    • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF).
    • By answering security questions.
    • Using the Hitachi ID Mobile Access smart phone app to scan a cryptographic challenge displayed on the user's PC screen as a QR code.
    • Using third party smart phone apps, such as Duo Security or Google Authenticator.
    • Using a hardware or software security token (e.g., RSA SecurID).
    • Using a smart card with a PKI certificate.
    • Using Windows-integrated authentication.
    • Using a SAML or OAuth assertion issued by another server.
    • By typing a PIN that was sent to their mobile phone via SMS.

  • Using a telephone, calling an automated IVR system:
    • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
    • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

  • Using a telephone, calling an IT support technician:
    • By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

Two factor authentication for everyone

Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:

  1. If the user connects from the Extranet, start with a CAPTCHA.
  2. Next, prompt for the user's login ID.
  3. Fingerprint the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
  4. If the user connects from a browser not seen before, prompt for another factor, which may be any of the following:
    1. If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to enter it.
    2. If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
    3. If the user had previously installed Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
    4. If the user has been activated to use a third party 2FA technology, such as a one time password token (e.g., RSA SecurID) or a third party app (e.g., Duo Security or Google Authenticator), use that.
  5. Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
  6. Finally, depending on whether the user remembers their password, prompt them to enter it or to answer a series of security questions.
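The step-up flow above, expressed as a small policy function that decides which challenges a given login attempt must pass. This is an added illustration, not Hitachi ID's code; the UserProfile fields and the help-desk fallback for users with no enrolled second factor are assumptions.

```python
from dataclasses import dataclass, field

# Constructed user record. Field names are assumptions for this illustration,
# not Hitachi ID Password Manager's own data model or API.
@dataclass
class UserProfile:
    login_id: str
    known_browsers: set = field(default_factory=set)      # fingerprints seen before
    mobile_numbers: list = field(default_factory=list)    # enrolled for SMS PIN
    personal_emails: list = field(default_factory=list)   # enrolled for e-mail PIN
    mobile_access_enrolled: bool = False                  # Hitachi ID Mobile Access app
    third_party_2fa: list = field(default_factory=list)   # e.g. "RSA SecurID", "Duo"
    knows_password: bool = True                           # drives step 6

def second_factor_options(u):
    """List the step-4 alternatives the user has actually enrolled (steps 4.1 to 4.4),
    one entry per mobile number or address so step 5 can offer a choice."""
    opts = [("sms_pin", n) for n in u.mobile_numbers]
    opts += [("email_pin", e) for e in u.personal_emails]
    if u.mobile_access_enrolled:
        opts += [("push_pin", "Mobile Access"), ("qr_challenge", "Mobile Access")]
    opts += [("third_party_otp", t) for t in u.third_party_2fa]
    return opts

def plan_login(u, from_extranet, browser_fingerprint):
    """Return the ordered challenges for one login attempt, following steps 1 to 6."""
    steps = []
    if from_extranet:                                  # step 1: extranet gets a CAPTCHA
        steps.append(("captcha", None))
    steps.append(("login_id", u.login_id))             # step 2: prompt for login ID
    if browser_fingerprint in u.known_browsers:        # step 3: known browser is a factor
        steps.append(("known_browser", browser_fingerprint))
    else:                                              # steps 4 and 5: pick a second factor
        opts = second_factor_options(u)
        if not opts:
            # Assumption: with nothing enrolled, route to the IT support path
            # described under "Login options" instead of letting the login through.
            steps.append(("help_desk", None))
            return steps
        steps.append(("choose_2fa", opts))
    # step 6: password if remembered, otherwise security questions
    steps.append(("password", None) if u.knows_password else ("security_questions", None))
    return steps

if __name__ == "__main__":
    alice = UserProfile("alice", known_browsers={"fp-1"}, mobile_numbers=["+1-555-0100"],
                        third_party_2fa=["RSA SecurID"], knows_password=False)
    print(plan_login(alice, from_extranet=True, browser_fingerprint="fp-1"))
    print(plan_login(alice, from_extranet=False, browser_fingerprint="fp-9"))
```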