Hitachi ID Privileged Access Manager controls access to many systems, so it is an attractive target for attackers. It makes sense to protect it with the strongest level of authentication available.
It can be assumed that, sooner or later, the endpoint from which at least one authorized user signs into Privileged Access Manager will be compromised by malware, and user input may be key-logged. Signing into Privileged Access Manager with only a password is therefore not sufficiently secure.
- Privileged Access Manager can be configured to leverage any and all available credentials -- passwords, tokens, smart cards, etc.
- Privileged Access Manager can and should be configured to combine credentials at login time, to require at least two-factor authentication (2FA).
- Privileged Access Manager includes its own 2FA technology, combining a mobile app on Android and iOS with password validation against AD or LDAP. The cost of 2FA is no excuse as there is no incremental cost.
- Privileged Access Manager can take a fingerprint of the user's browser and, if the user has previously signed on successfully from the same endpoint using 2FA, it can prompt the user for just a password. This reduces user friction without significantly impairing 2FA security.
- Conversely, Privileged Access Manager can require more credentials in high-risk contexts, such as an unusual time of day or day of week, or for less trusted users such as vendors.
In a high-threat environment, 2FA is no longer optional. Privileged Access Manager both leverages existing 2FA and introduces new, zero-cost 2FA mechanisms. This eliminates the cost objection to strong authentication.
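
The known-endpoint relaxation and the high-risk step-up described in the list above can be sketched as one policy decision. This is an added example, not Hitachi ID code or product configuration. The names `StepUpPolicy` and `fingerprint_tag`, the factor labels, the business-hours window, the keyed per-user fingerprint, and the rule that a high-risk context overrides the known-endpoint shortcut are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed values for illustration only (assumptions, not product settings).
SERVER_KEY = b"constructed-demo-key"
BUSINESS_DAYS = range(0, 5)     # Monday..Friday
BUSINESS_HOURS = range(7, 19)   # 07:00..18:59
FULL_2FA = ["password", "mobile_app"]

def fingerprint_tag(user: str, browser_attrs: dict) -> str:
    """Keyed hash of the browser attributes, bound to a single user, so a
    fingerprint trusted for one account is never trusted for another."""
    canon = "\n".join(f"{k}={browser_attrs[k]}" for k in sorted(browser_attrs))
    msg = user.encode() + b"\0" + canon.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class StepUpPolicy:
    """Hypothetical policy: decides which factors a login must present."""

    def __init__(self):
        self.trusted = set()  # tags of endpoints that have completed 2FA

    def record_2fa_success(self, user: str, browser_attrs: dict) -> None:
        # Call only after both factors were verified from this endpoint.
        self.trusted.add(fingerprint_tag(user, browser_attrs))

    def required_factors(self, user: str, browser_attrs: dict,
                         when: datetime, is_vendor: bool = False) -> list:
        unusual_time = (when.weekday() not in BUSINESS_DAYS
                        or when.hour not in BUSINESS_HOURS)
        if is_vendor or unusual_time:
            # High-risk context: ignore the known-endpoint shortcut.
            return list(FULL_2FA)
        if fingerprint_tag(user, browser_attrs) in self.trusted:
            # Same user, same endpoint, prior 2FA success: password only.
            return ["password"]
        return list(FULL_2FA)
```

Evaluating the risk context before the fingerprint lookup means a copied or replayed browser fingerprint cannot downgrade a vendor or off-hours login to password-only.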