Hitachi ID Password Manager has an open authentication architecture, and can plug into existing password systems, corporate directories, two-factor authentication tokens, PKI certificates and biometric engines.
Users sign into the Password Manager web portal using any combination of the following methods (which sequences are available is a matter of policy, based on user context):
- By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc).
- By answering security questions.
- Using the Hitachi ID Mobile Access smart phone app to scan a cryptographic challenge displayed on the user's PC screen as a QR code.
- Using third party smart phone apps, such as Duo Security or Google Authenticator.
- Using a hardware or software security token (e.g., RSA SecurID).
- Using a smart card with a PKI certificate.
- Using Windows-integrated authentication.
- Using a Security Assertions Markup Language (SAML) or OAuth assertion issued by another server.
- By typing a PIN that was sent to their mobile phone via SMS.
- Using a device/browser fingerprint and/or cookie, for example to compare current login to previous events.
Two factor authentication for everyone
Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:
- If the user connects from the Extranet, start with a CAPTCHA.
- Next, prompt for the user's login ID.
- Fingerprint the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
- If the user connects from a browser not seen before, prompt for
another factor, which may be any of the following:
- If the user has been activated to use a third party 2FA technology, such as a one time password token (e.g., RSA SecurID) or a third party app (e.g., Duo Security or Google Authenticator), use that.
- If the user had previously enrolled their mobile phone number,
send a PIN to the user's phone, via SMS and prompt the user to
- If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
- If the user had previously installed Mobile Access on their phone, either use push notification to display a PIN on their phone or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
- Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
- Finally, depending on whether the user remembers his password, prompt the user to enter it or answer a series of security questions.