Hitachi ID Password Manager streamlines the management of passwords and other login credentials:
- Transparent password synchronization:
When users change their password natively on a system where a password synchronization trigger has been installed, the new password is tested for strength against the Password Manager password policy. If accepted, the password is changed both locally and on other systems where the user has accounts.
Password Manager includes password synchronization triggers for Active Directory, Windows servers, OID, Linux and Unix (various), iSeries and z/OS (optional component).
Because users already change passwords through a familiar, mandatory native process, synchronization requires no training or cooperation from them and adoption is effectively universal.
- Web-based password synchronization:
Using an interactive web page to change passwords has educational benefits but requires user awareness and cooperation.
- Self-service password reset:
Users who have forgotten a password or triggered an intruder lockout can sign into Password Manager using other types of credentials to reset their password or clear the lockout. Non-password authentication options include security questions, voice biometrics, smart cards, hardware tokens and random PINs sent to a user's mobile phone using SMS.
Access to self-service is available from a PC web browser, from the Windows login screen, using a telephone or using the mini web browser on a smart phone.
- Federated sign-on:
Applications can be configured to leverage Password Manager as a federated identity provider. An application configured this way is referred to as a service provider (SP), while Password Manager acts as the identity provider (IdP). When users access the SP URL, they are redirected to the IdP, where they identify themselves and authenticate. They are then redirected back to the SP, which accepts the IdP's assertion of who they are and signs them in automatically. The SP never handles the user's password; it trusts the IdP, so every integrated application inherits the IdP's authentication policy and a compromise of the IdP affects all of them. This mechanism allows multiple applications to share a single, secure login process.
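The redirect exchange above, written out with both sides' messages, as an added example that is not Hitachi ID code: the assertion format (an HMAC-signed JSON body), the query-parameter names, the URLs and the shared keys are assumptions chosen for illustration, and a real deployment would use SAML or OpenID Connect instead. The SP checks signature, audience, expiry and one-time relay state before signing the user in.

```python
"""Minimal SP/IdP redirect exchange of the kind described above.

Added example, not Hitachi ID code: the assertion format (an HMAC-signed JSON
body), the query-parameter names, the URLs and the shared keys are assumptions
chosen for illustration; a real deployment would use SAML or OpenID Connect.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDP_LOGIN_URL = "https://idp.example.test/login"          # assumed IdP endpoint
# Constructed per-SP signing keys shared between the IdP and each SP.
SP_KEYS = {"payroll": b"payroll-shared-secret", "hr": b"hr-shared-secret"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class ServiceProvider:
    def __init__(self, sp_id: str, key: bytes):
        self.sp_id, self.key = sp_id, key
        self.pending = {}   # relay_state -> path the user originally asked for

    def start_login(self, requested_path: str) -> str:
        """Step 1: user hits the SP; redirect them to the IdP with a fresh relay state."""
        relay = secrets.token_urlsafe(16)
        self.pending[relay] = requested_path
        return IDP_LOGIN_URL + "?" + urlencode({"sp": self.sp_id, "relay_state": relay})

    def consume_assertion(self, token: str, now: float = None) -> tuple:
        """Step 3: the IdP redirected back; verify the assertion before signing the user in."""
        now = time.time() if now is None else now
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.sp_id:
            raise ValueError("assertion was issued for a different SP")
        if now > claims["exp"]:
            raise ValueError("assertion expired")
        path = self.pending.pop(claims["relay_state"], None)   # one-time use
        if path is None:
            raise ValueError("unknown or replayed relay state")
        return claims["sub"], path


class IdentityProvider:
    def __init__(self, sp_keys: dict, authenticate):
        self.sp_keys = sp_keys
        self.authenticate = authenticate   # callable(login_id, credential) -> bool

    def handle_redirect(self, url: str, login_id: str, credential: str, now: float = None) -> str:
        """Step 2: authenticate the user, then mint a short-lived assertion for that SP."""
        query = parse_qs(urlparse(url).query)
        sp_id, relay = query["sp"][0], query["relay_state"][0]
        if not self.authenticate(login_id, credential):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        body = json.dumps({"sub": login_id, "aud": sp_id, "exp": now + 60,
                           "relay_state": relay}).encode()
        signature = hmac.new(self.sp_keys[sp_id], body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(signature)


def demo() -> dict:
    """Run one successful exchange plus two rejected cases; returns the outcomes."""
    payroll = ServiceProvider("payroll", SP_KEYS["payroll"])
    hr = ServiceProvider("hr", SP_KEYS["hr"])
    # Constructed credential check standing in for the IdP's real authentication.
    idp = IdentityProvider(SP_KEYS, lambda user, cred: cred == "correct-horse")
    redirect_url = payroll.start_login("/payslips/2024")
    token = idp.handle_redirect(redirect_url, "alice", "correct-horse")
    out = {"first_use": payroll.consume_assertion(token)}
    for name, sp, tok in [("replay", payroll, token), ("wrong_sp", hr, token)]:
        try:
            sp.consume_assertion(tok)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

The relay state does double duty: it returns the user to the page they asked for and, because the SP deletes it on first use, it makes a captured assertion useless for replay. Keying the signature per SP is what stops an assertion minted for one application from being accepted by another.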
- Personal password vault:
Users can activate a personal password vault using a passphrase. Once this is done, users can store and retrieve credentials, such as login IDs and passwords to social network platforms, financial or retail web sites, etc. on Password Manager. This data is accessible via the web and from user smart phones using Hitachi ID Mobile Access.
- Two-factor authentication for everyone:
Password Manager supports multi-factor authentication for all users. This includes both an open integration framework with support for all major 2FA technologies on the market and an out-of-the-box mobile app that provides a second factor for users who have not yet been provisioned one.
The recommended sequence for authenticating users into the Password Manager web portal (and where it acts as a federated IdP, through into integrated SP applications) is as follows:
- If the user connects from outside the private/secure corporate network, start with a CAPTCHA.
- Next, prompt for the user's login ID.
Fingerprint the user's browser -- if the indicated user has signed on successfully from the same browser before, this fact can act as an unobtrusive authentication factor. Browser recognition is a low-assurance, possession-style signal that is only as strong as the stored fingerprint or cookie, which is why the sequence still ends with a knowledge factor.
- If the user connects from a browser or location not seen before, prompt for another factor, which may be any of the following:
- If the user has been activated to use a third-party 2FA technology, such as a one-time password token (e.g., RSA SecurID or YubiKey) or a third-party app (e.g., Duo Security, Google Authenticator, Okta Verify, etc.), use that.
- If the user had previously installed Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
- If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to
Note: an SMS broker is required to do this, which may cost as much as a few cents per message.
- If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
- Users may be prompted to select one of several 2FA options or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
- Finally, depending on whether the user remembers their password, prompt them to enter it or to answer a series of security questions. Requiring this second, "knowledge" factor means that a lost or stolen phone or hardware token is not enough on its own to sign in.
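The recommended sequence above, turned into a policy function, as an added example that is not Hitachi ID code: the profile fields, the factor labels and the rule that a user with no enrolled second factor is refused from an unknown browser are assumptions made for illustration. It shows the step-up decision for a known browser, for a new browser with several enrolled factors, and for a user who has enrolled nothing.

```python
"""Step-up login sequence modelled on the recommended order above.

Added example, not Hitachi ID code: the profile fields, the factor labels and
the rule that a user with no enrolled second factor is refused from an unknown
browser are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserProfile:
    login_id: str
    known_fingerprints: set = field(default_factory=set)   # browsers seen on earlier successful logins
    third_party_2fa: Optional[str] = None                   # e.g. "rsa_securid", "duo"
    mobile_app_enrolled: bool = False                       # Hitachi ID Mobile Access installed
    phone_numbers: list = field(default_factory=list)       # enrolled SMS targets
    personal_emails: list = field(default_factory=list)     # enrolled e-mail PIN targets


@dataclass
class LoginContext:
    browser_fingerprint: str
    from_corporate_network: bool
    remembers_password: bool = True


def second_factor_options(user: UserProfile) -> list:
    """Second-factor choices in the order of preference given above."""
    options = []
    if user.third_party_2fa:
        options.append(("third_party_2fa", user.third_party_2fa))
    if user.mobile_app_enrolled:
        options.append(("mobile_app", "push PIN or QR challenge"))
    options += [("sms_pin", number) for number in user.phone_numbers]
    options += [("email_pin", address) for address in user.personal_emails]
    return options


def build_login_sequence(ctx: LoginContext, user: UserProfile) -> list:
    """Return the ordered prompts as (step, detail) tuples.

    'user' is the profile looked up after the login ID prompt; the rest of the
    sequence is decided once that lookup has happened."""
    steps = []
    if not ctx.from_corporate_network:
        steps.append(("captcha", None))
    steps.append(("login_id", user.login_id))
    if ctx.browser_fingerprint in user.known_fingerprints:
        # Recognized browser: device recognition stands in for the second factor.
        steps.append(("recognized_browser", ctx.browser_fingerprint))
    else:
        options = second_factor_options(user)
        if not options:
            # Assumption: with nothing enrolled there is no safe way to step up,
            # so refuse rather than silently fall back to password-only.
            raise PermissionError("new browser and no second factor enrolled")
        steps.append(("second_factor", options))
    # The knowledge factor always comes last, so a stolen phone or token alone
    # is not enough to sign in.
    steps.append(("password", None) if ctx.remembers_password
                 else ("security_questions", None))
    return steps


def record_success(ctx: LoginContext, user: UserProfile) -> None:
    """After a fully successful login, remember the browser for next time."""
    user.known_fingerprints.add(ctx.browser_fingerprint)


def example_sequences() -> dict:
    """Constructed scenarios; returns each scenario's prompt sequence."""
    alice = UserProfile("alice", known_fingerprints={"fp-office-chrome"},
                        mobile_app_enrolled=True, phone_numbers=["+15550100"])
    bob = UserProfile("bob")  # nothing enrolled yet
    results = {
        "alice_office_known": build_login_sequence(
            LoginContext("fp-office-chrome", from_corporate_network=True), alice),
        "alice_home_new": build_login_sequence(
            LoginContext("fp-home-safari", from_corporate_network=False,
                         remembers_password=False), alice),
    }
    try:
        build_login_sequence(LoginContext("fp-cafe", from_corporate_network=False), bob)
        results["bob_new_browser"] = "allowed"
    except PermissionError as exc:
        results["bob_new_browser"] = str(exc)
    # Once Alice has signed in from home, that browser is recognized next time.
    record_success(LoginContext("fp-home-safari", from_corporate_network=False), alice)
    results["alice_home_second_visit"] = build_login_sequence(
        LoginContext("fp-home-safari", from_corporate_network=False), alice)
    return results
```

The design choice worth noting is that the fingerprint is only added to the profile by record_success, i.e. after the whole sequence, knowledge factor included, has passed; registering it any earlier would let a single stolen second factor turn an unknown browser into a trusted one.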
- Many included connectors:
Password Manager ships with built-in integrations for over 130 systems and applications. That means that it can manage passwords, PINs, smart cards and other login credentials on most servers, directories, network devices, databases and applications without customization.
- Token and smart card PIN reset:
Users with a token who have forgotten their PIN or need an emergency pass code can access self-service PIN reset with a web portal or using a telephone. Users with a smart card can also reset their own PIN using an ActiveX control embedded in a web browser (which requires Internet Explorer) -- launched from their Windows desktop or login screen.
- Self-service unlock of encrypted drives
- Assisted password reset:
Authorized IT support staff can sign into a Password Manager web user interface to look up a caller's profile, authenticate the caller by keying in answers to security questions and reset one or more passwords. A ticket can be automatically submitted to the help desk incident management system.
- Password policy enforcement:
Password Manager normally enforces a global password policy to supplement the various policies enforced on each system and application. Because a synchronized password must be accepted by every target, the global policy must be at least as strict as the strictest rule on any of them (the longest minimum length, the shortest maximum length, every required character class); a password that passes it will then work on every system.
The built-in policy engine includes over 50 built-in rules regarding length, mixed-case, digits, dictionary words and more. Regular expressions and plug-ins enable organizations to define new rules. Password history is infinite by default.
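A policy engine of the kind described above, as an added example that is not Hitachi ID code: the rule set, the mini dictionary, the per-system policies and the rule names are constructed for illustration. It shows the built-in rules (length, mixed case, digits, dictionary words), a regular-expression rule, a plug-in rule, salted-hash password history with an infinite default, and how per-system policies combine into a global policy that is at least as strict as each of them.

```python
"""Global password policy modelled on the engine described above.

Added example, not Hitachi ID code: the rule set, the mini dictionary and the
per-system policies are constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed mini word list; a real engine loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "hitachi", "qwerty"}


def hash_password(password: str, salt: bytes) -> tuple:
    """History entries are stored salted and hashed, never in clear."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def matches_history(password: str, entry: tuple) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: Optional[int] = None            # None = no upper bound
    require_mixed_case: bool = True
    require_digit: bool = True
    forbid_dictionary_words: bool = True
    regex_rules: list = field(default_factory=list)   # (pattern that must NOT match, message)
    plugins: list = field(default_factory=list)       # callable(password, login_id) -> message or None
    history_depth: Optional[int] = None         # None = infinite history (the default)

    def check(self, password: str, login_id: str, history: list) -> list:
        """Return the list of failed rules; an empty list means the password is accepted."""
        failures = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        if self.max_length is not None and len(password) > self.max_length:
            failures.append(f"longer than {self.max_length} characters")
        if self.require_mixed_case and (password.lower() == password or password.upper() == password):
            failures.append("needs both upper- and lower-case letters")
        if self.require_digit and not any(c.isdigit() for c in password):
            failures.append("needs at least one digit")
        if self.forbid_dictionary_words:
            hits = sorted(w for w in DICTIONARY if w in password.lower())
            if hits:
                failures.append("contains dictionary word(s): " + ", ".join(hits))
        for pattern, message in self.regex_rules:
            if re.search(pattern, password):
                failures.append(message)
        for plugin in self.plugins:
            message = plugin(password, login_id)
            if message:
                failures.append(message)
        window = history if self.history_depth is None else history[-self.history_depth:]
        if any(matches_history(password, entry) for entry in window):
            failures.append("reuses a previous password")
        return failures


def global_policy(per_system: dict) -> PasswordPolicy:
    """Combine target-system policies into one policy at least as strict as each:
    largest minimum length, smallest maximum length, and every flag and rule
    that any system demands. A password passing this policy is accepted everywhere."""
    policies = list(per_system.values())
    maxes = [p.max_length for p in policies if p.max_length is not None]
    return PasswordPolicy(
        min_length=max(p.min_length for p in policies),
        max_length=min(maxes) if maxes else None,
        require_mixed_case=any(p.require_mixed_case for p in policies),
        require_digit=any(p.require_digit for p in policies),
        forbid_dictionary_words=any(p.forbid_dictionary_words for p in policies),
        regex_rules=[r for p in policies for r in p.regex_rules],
        plugins=[pl for p in policies for pl in p.plugins],
    )


def no_login_id(password: str, login_id: str):
    """Plug-in rule: the login ID must not appear inside the password."""
    return "contains the login ID" if login_id.lower() in password.lower() else None


# Constructed per-system policies standing in for what each connector's target enforces.
SYSTEM_POLICIES = {
    "Active Directory": PasswordPolicy(min_length=7, forbid_dictionary_words=False,
                                       plugins=[no_login_id]),
    "Linux": PasswordPolicy(min_length=9),
    "Legacy application": PasswordPolicy(
        min_length=6, max_length=14, require_mixed_case=False, require_digit=False,
        forbid_dictionary_words=False,
        regex_rules=[(r"[^A-Za-z0-9]", "legacy application accepts letters and digits only")]),
}
GLOBAL_POLICY = global_policy(SYSTEM_POLICIES)
```

With these constructed policies the global minimum length becomes 9 (from Linux) and the maximum 14 (from the legacy application), so a strong 16-character passphrase is rejected centrally rather than failing later on one target. The history check hashes the candidate against each stored salt, so the history itself never has to hold clear-text passwords.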
- Password change notification / early warning:
Password Manager can remind users to change their passwords, either using a native password change dialog or via the Password Manager web portal. Warnings are normally sent to users before their password actually expires on AD, LDAP or other systems. These invitations can be sent via e-mail or launched in a web browser when users sign into their PCs. Users can even be forced to change passwords by launching a kiosk-mode web browser when the user signs into their PC.
Password change reminders are normally only sent at the start of users' work day and work week, to discourage users from changing passwords right before leaving work and subsequently forgetting the new password.