Hitachi ID Password Manager has an open authentication architecture, and can plug into existing password systems, corporate directories, two-factor authentication tokens, PKI certificates and biometric engines.

Login options

Users sign into the Password Manager web portal using any combination of the following methods (which sequences are available is a matter of policy, based on user context):

  • By typing their current password to a trusted system (e.g., Windows/AD, LDAP or RACF).
  • By answering security questions.
  • Using the Hitachi ID Mobile Access smart phone app to scan a cryptographic challenge displayed on the user's PC screen as a QR code.
  • Using third party smart phone apps, such as Duo Security or Google Authenticator.
  • Using a hardware or software security token (e.g., RSA SecurID).
  • Using a smart card with a PKI certificate.
  • Using Windows-integrated authentication.
  • Using a Security Assertion Markup Language (SAML) or OAuth assertion issued by another server.
  • By typing a PIN that was sent to their mobile phone via SMS.
  • Using a device/browser fingerprint and/or cookie, for example to compare the current login with previous ones from the same user.

Two factor authentication for everyone

Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:

  1. If the user connects from the Extranet, start with a CAPTCHA.
  2. Next, prompt for the user's login ID.
  3. Fingerprint the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
  4. If the user connects from a browser not seen before, prompt for another factor, which may be any of the following:
    1. If the user has been activated to use a third party 2FA technology, such as a one time password token (e.g., RSA SecurID) or a third party app (e.g., Duo Security or Google Authenticator), use that.
    2. If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to enter it.
    3. If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
    4. If the user had previously installed Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
  5. Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
  6. Finally, depending on whether the user remembers their password, prompt the user to enter it or to answer a series of security questions.
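The step sequence above is a policy decision: what to prompt for depends on where the user connects from, whether the browser has been seen before, and which second factors the user has enrolled. The following Python sketch is an added example of such a policy engine; it is constructed for illustration and is not Hitachi ID's code. The profile and context fields, the step names, the keyed hashing of browser fingerprints, and the rule that an unrecognised browser with no enrolled second factor is refused are all assumptions made here, not behaviour the page describes.

```python
# Added example: adaptive login-policy engine in the spirit of the step
# sequence described above. Constructed for illustration; not vendor code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union

Step = Union[str, Tuple[str, list]]


@dataclass
class UserProfile:
    """Enrolment state the server already holds for a user (constructed fields)."""
    login_id: str
    otp_enrolled: bool = False                 # third-party 2FA: OTP token or authenticator app
    mobile_numbers: List[str] = field(default_factory=list)
    personal_emails: List[str] = field(default_factory=list)
    mobile_access_app: bool = False            # assumption: the vendor's phone app is installed
    known_browsers: Set[str] = field(default_factory=set)  # keyed hashes of fingerprints seen before


@dataclass
class LoginContext:
    """What the server can observe about the current login attempt."""
    from_extranet: bool
    browser_fingerprint: str                   # raw fingerprint string supplied by the client
    remembers_password: bool = True


def fingerprint_digest(raw: str, server_key: bytes) -> str:
    # Keyed hash: a stolen table of known browsers cannot be turned back into
    # replayable fingerprints by anyone without server_key.
    return hmac.new(server_key, raw.encode("utf-8"), hashlib.sha256).hexdigest()


def second_factor_options(profile: UserProfile) -> List[Tuple[str, str]]:
    """List every second factor the user has enrolled, in the order the text
    gives them; the caller may offer all of them so the user can choose."""
    options: List[Tuple[str, str]] = []
    if profile.otp_enrolled:
        options.append(("third_party_2fa", profile.login_id))
    for number in profile.mobile_numbers:
        options.append(("sms_pin", number))
    for address in profile.personal_emails:
        options.append(("email_pin", address))
    if profile.mobile_access_app:
        options.append(("push_pin", profile.login_id))
        options.append(("qr_challenge", profile.login_id))
    return options


def plan_login(profile: UserProfile, ctx: LoginContext, server_key: bytes) -> List[Step]:
    """Return the ordered list of prompts the portal should present."""
    steps: List[Step] = []
    if ctx.from_extranet:
        steps.append("captcha")
    steps.append("login_id")
    if fingerprint_digest(ctx.browser_fingerprint, server_key) in profile.known_browsers:
        steps.append("browser_recognized")     # unobtrusive factor, nothing to prompt for
    else:
        options = second_factor_options(profile)
        if not options:
            # Assumption (not stated on the page): with no enrolled second factor
            # and an unrecognised browser, the policy refuses to continue.
            steps.append("deny:no_second_factor_enrolled")
            return steps
        steps.append(("choose_second_factor", options))
    steps.append("password" if ctx.remembers_password else "security_questions")
    return steps


def remember_browser(profile: UserProfile, ctx: LoginContext, server_key: bytes) -> None:
    # Called only after the whole sequence succeeded, so the next visit from
    # this browser can skip the explicit second factor.
    profile.known_browsers.add(fingerprint_digest(ctx.browser_fingerprint, server_key))


def issue_pin(digits: int = 6) -> str:
    # CSPRNG-backed, zero-padded PIN for the SMS / e-mail branch.
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def verify_pin(expected: str, supplied: str) -> bool:
    # Constant-time comparison so response timing does not leak matching digits.
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    alice = UserProfile("alice", mobile_numbers=["+1-555-0100"],
                        personal_emails=["alice@example.com"])
    remember_browser(alice, LoginContext(False, "fp-home-laptop"), key)
    print(plan_login(alice, LoginContext(False, "fp-home-laptop"), key))
    print(plan_login(alice, LoginContext(True, "fp-new-tablet", remembers_password=False), key))
```

Running the block shows the two extremes: a recognised browser on the intranet goes straight from login ID to the password prompt, while a new browser from the extranet collects a CAPTCHA, a choice between the SMS and e-mail PIN, and then the security questions. The fingerprint is stored only as a keyed hash, and the PIN check uses a constant-time comparison; both are defensive details a practitioner would want even though the page does not spell them out.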