
Strong authentication

All editions of Identity Express support multi-factor user authentication. Several strategies are available; each organization must choose the one that fits its circumstances, in particular by leveraging whatever authentication technologies it has already deployed.

A typical login sequence is as follows:

  1. If the user connects from outside the private/secure corporate network, start with a CAPTCHA.
  2. Next, prompt for the user's login ID.
  3. Fingerprint the user's browser -- if the indicated user has previously signed on successfully from the same browser, this fact can act as an unobtrusive authentication factor.
  4. If the user connects from a browser or location not seen before, prompt for another factor, which may be any of the following:
    1. If the user has been activated to use a third-party 2FA technology, such as a one-time password token (e.g., RSA SecurID or YubiKey) or a third-party app (e.g., Duo Security, Google Authenticator, Okta Verify, etc.), use that.
    2. If the user had previously installed Hitachi ID Mobile Access on their phone, either use a push notification to display a PIN on their phone, or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
    3. If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to enter it. Note: an SMS broker is required to do this, which may cost as much as a few cents per message.
    4. If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
  5. Users may be prompted to select one of several 2FA options or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
  6. Finally, depending on whether the user remembers their password, prompt the user to enter it or to answer a series of security questions. Requiring a second, "knowledge" factor reduces the risk of compromised authentication due to lost or stolen phones or hardware tokens.

Robust approval processes

All editions of Identity Express support workflow approvals. Once authorizers have been selected, the key challenge is getting human beings to approve or reject requests quickly and reliably.

In any workflow system, business users are invited to participate in a process and complete tasks. Unfortunately, human beings are not reliable actors:

  1. They may not notice the invitation to act.
  2. They may be indisposed for a short while (e.g., in a meeting).
  3. They may be indisposed for a long while (e.g., on vacation).
  4. They may not know how to complete the task.
  5. They may intend to complete the task later, but forget to do so.

A workflow system that sends a single invitation to each participant will therefore get slow, unreliable responses. The following measures address this:

  • Where multiple participants are required, they should all be invited at the same time. This leads to better response times than inviting each participant only after the previous one has completed their task.
  • Where the task is to approve a request, allow N of M participants to do the job. For example, many scenarios require approval by HR -- and a good rule is to allow any one of three HR staff to approve a request.
  • Select participants at random from larger groups. Continuing with the HR example, there may be more than 3 people in the HR department, so a random sample is chosen for each request.
  • Send automatic reminders to non-responsive participants, by default every few hours after the first invitation.
  • Escalate from non-responsive participants to their alternates. For example, after sending three reminders to a participant, escalate the request to their manager.
  • Provide a UI that allows users to delegate their responsibilities to someone else for a period of time, for example during a planned vacation.
  • Organizations are encouraged to deploy a cloud-hosted proxy system and the Mobile Access app on user phones. This allows authorizers to approve or reject requests from their mobile phone -- from any location, at any time, without a VPN.
  • Privileged Access Manager can also be configured to check a user's out-of-office status or away message on e-mail systems such as Office 365, and to pre-emptively escalate requests to other users if the original participant has indicated that they are out of the office.
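The approval mechanics described above (parallel invitations to a random N-of-M sample, periodic reminders, escalation to a manager after three reminders, and delegation during an absence) modelled as a small hour-by-hour simulation. This is an added illustration, not code from Identity Express; the four-hour reminder interval, the rule that a single rejection ends the task, and the HR staff names are assumptions.

```python
import random

REMINDER_HOURS, MAX_REMINDERS = 4, 3   # remind "every few hours" (4 assumed); escalate after three

class ApprovalTask:
    """N-of-M approval: M authorizers sampled from a group, N approvals complete the task."""
    def __init__(self, group, required, invite_count, managers, delegates=None):
        self.group, self.required, self.invite_count = group, required, invite_count
        self.managers, self.delegates = managers, delegates or {}   # escalation target; vacation cover
        self.invited, self.reminders = {}, {}   # participant -> hour invited / reminders sent
        self.decisions, self.log = {}, []       # participant -> approved? ; (hour, event, who)
    def open(self, hour, rng=random):
        # Random sample of the group, all invited in parallel; a delegated invite goes to the delegate.
        for p in rng.sample(self.group, self.invite_count):
            self._invite(self.delegates.get(p, p), hour)
    def _invite(self, p, hour):
        if p not in self.invited:
            self.invited[p], self.reminders[p] = hour, 0
            self.log.append((hour, "invite", p))
    def decide(self, p, approve, hour):
        if p in self.invited and p not in self.decisions:
            self.decisions[p] = approve
            self.log.append((hour, "approve" if approve else "reject", p))
    def status(self):
        if sum(self.decisions.values()) >= self.required:
            return "approved"
        return "rejected" if False in self.decisions.values() else "pending"  # any reject ends it (assumed)
    def tick(self, hour):
        # Hourly job: remind silent participants; escalate once their reminders run out.
        if self.status() != "pending":
            return
        for p, since in list(self.invited.items()):
            if p in self.decisions or self.reminders[p] >= MAX_REMINDERS:
                continue
            if hour > since and (hour - since) % REMINDER_HOURS == 0:
                self.reminders[p] += 1
                self.log.append((hour, "remind", p))
                if self.reminders[p] == MAX_REMINDERS and p in self.managers:
                    self.log.append((hour, "escalate", p))
                    self._invite(self.managers[p], hour)

def run_unattended(hours=12):
    # Nobody answers: each invitee gets three reminders, then the HR director is pulled in.
    hr = ["alice", "bob", "carol", "dave", "erin"]   # constructed sample HR department
    task = ApprovalTask(hr, required=1, invite_count=3,
                        managers={p: "hr_director" for p in hr + ["frank"]},
                        delegates={"carol": "frank"})   # carol on vacation, frank covers
    task.open(0, random.Random(7))   # seeded so the run is reproducible
    for hour in range(1, hours + 1):
        task.tick(hour)
    return task
```

`run_unattended().log` shows the resulting timeline: three invitations at hour 0, reminders at hours 4, 8 and 12, and the escalation invite to the director at hour 12.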
