Flexible Authentication

Hitachi ID Password Manager has an open authentication architecture, and can plug into existing password systems, corporate directories, two-factor authentication tokens, PKI certificates and biometric engines.

Login options

Users may authenticate into Password Manager as follows:

  • On the web portal:
    • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF, etc.).
    • By answering security questions.
    • Using a security token (e.g., SecurID pass-code).
    • Using a smart card with PKI certificate.
    • Using Windows-integrated authentication.
    • Using a SAML or OAuth assertion issued by another server.
    • By typing a PIN that was sent to their mobile phone via SMS.

  • Using a telephone, calling an automated IVR system:
    • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
    • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

  • Using a telephone, calling an IT support technician:
    • By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

Two-factor authentication for everyone

Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:

  1. If the user connects from the Extranet, start with a CAPTCHA.
  2. Next, prompt for the user's login ID.
  3. Fingerprint the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
  4. If the user connects from a browser not seen before, prompt for another factor, which may be:
    1. If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to enter it. Note: an SMS broker is required to do this, which may cost as much as a few cents per message.
    2. If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
    3. If the user had previously installed Hitachi ID Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
  5. Finally, depending on whether the user remembers their password, prompt the user to enter it or answer a series of security questions.
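As an added example (not Hitachi ID's code), the step-up flow above modelled in Python: the ordered prompts for a login depend on whether the session comes from the Extranet, whether the browser fingerprint has been seen before, and which out-of-band channel the user has enrolled, and the PIN helpers show the server-side handling (hashed storage, expiry, attempt cap) that a one-time SMS or e-mail PIN needs. The User fields, factor names, the refuse-when-nothing-is-enrolled rule and the 5-minute TTL are assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from typing import Optional

# Constructed user record; field names are assumptions, not Password Manager's schema.
@dataclass
class User:
    login_id: str
    known_browsers: set = field(default_factory=set)   # fingerprints seen before
    mobile_phone: Optional[str] = None                 # enrolled for SMS PIN
    personal_email: Optional[str] = None               # enrolled for e-mail PIN
    has_mobile_app: bool = False                       # Hitachi ID Mobile Access installed
    remembers_password: bool = True

def browser_fingerprint(user_agent: str, accept_language: str, screen: str) -> str:
    """Stable hash of browser attributes; the hash, not the raw attributes, is stored."""
    raw = "|".join([user_agent, accept_language, screen])
    return hashlib.sha256(raw.encode()).hexdigest()

def required_factors(user: User, from_extranet: bool, fingerprint: str) -> Optional[list]:
    """Ordered prompts for this login, or None when no second factor can be satisfied."""
    steps = ["captcha"] if from_extranet else []       # step 1: Extranet only
    steps.append("login_id")                           # step 2
    if fingerprint in user.known_browsers:
        steps.append("known_browser")                  # step 3: unobtrusive factor
    elif user.mobile_phone:                            # step 4: first enrolled channel wins
        steps.append("sms_pin")
    elif user.personal_email:
        steps.append("email_pin")
    elif user.has_mobile_app:
        steps.append("push_or_qr")
    else:
        return None                                    # assumption: unknown browser, nothing enrolled
    steps.append("password" if user.remembers_password else "security_questions")  # step 5
    return steps

def issue_pin(ttl_seconds: int = 300) -> tuple:
    """Generate a 6-digit PIN for SMS/e-mail; only its hash, expiry and attempt counter are kept."""
    pin = f"{secrets.randbelow(10**6):06d}"
    record = {"hash": hashlib.sha256(pin.encode()).hexdigest(),
              "expires": time.time() + ttl_seconds, "attempts": 0}
    return pin, record

def verify_pin(record: dict, candidate: str, max_attempts: int = 3,
               now: Optional[float] = None) -> bool:
    """Constant-time compare, expiry check and attempt cap so a 6-digit PIN cannot be guessed."""
    now = time.time() if now is None else now
    if now > record["expires"] or record["attempts"] >= max_attempts:
        return False
    record["attempts"] += 1
    return hmac.compare_digest(record["hash"], hashlib.sha256(candidate.encode()).hexdigest())
```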