Authentication Manager: Multi-factor strong authentication (MFA) for PCs and Servers

With Evidian Authentication Manager, secure access to your workstations and servers in any situation. Cover all multi-factor authentication (MFA) scenarios, whether one user accesses one or several PCs or several users share the same PC.

Passwords are the weak point of many authentication policies. Single or shared Windows passwords create a risk of intrusion, and make it almost impossible to precisely verify the use of Windows accounts.

Evidian Authentication Manager with strong authentication resolves these problems by replacing passwords with MFA: devices or biometrics. But strong authentication does have operational constraints. To deploy it and manage thousands of users, it must cover all usage scenarios – otherwise, it may get in the way of employees' work.

Functions adapted to each profession with Evidian Authentication Manager

Branch employees and sales staff in outlets can use a PC in kiosk mode and find their own environment in a few seconds without having to change their Windows session. In hospital, a doctor's working session continues throughout their shift.

Traders and technicians in the control room can open, lock, unlock or close a cluster of PCs with single multi-factor authentication. They can also delegate access to their locked sessions, partially or completely, temporarily or permanently.

Simplify strong multi-factor authentication (MFA)

Evidian Authentication Manager simplifies the use and daily management of strong authentication:

  • Management of the centralised access policy.
  • Authentication profile based on groups.
  • Integrated card management system (inventory, issuance, black list, etc.).
  • Centralised audit of all attempts to access the computers.

With Evidian Authentication Manager, you are not restricted to a single technology. You use the right authentication in the right place. Your security policy only needs to be defined once for all access modes.

Reduce usage costs

Evidian Authentication Manager replaces several administration consoles. The helpdesk unlocks or removes access in a few seconds, whether for a Windows password, smartcard, RFID, biometrics or one-time password (OTP).

Windows users can unlock access themselves with emergency passwords in self-service mode (SSPR). This eliminates many support calls.

Secure complex authentication scenarios

Evidian Authentication Manager adapts the use of strong authentication to the professional constraints of users, by allowing scenarios to be developed such as:

  • Switching access when a card is lost, forgotten or doesn't work.
  • Kiosk mode and rapid user switching.
  • Authentication on a cluster of PCs with a single authentication tool.
  • Individual named access to generic Windows accounts.
  • Delegation of Windows accounts between users.
  • Linking to physical access control.

A broad range of authentication methods

Most authentication technologies are supported:

  • Secure USB keys and smartcards, with or without certificate
  • Venous and digital biometrics
  • RFID, radio badge
  • Bluetooth
  • Wearable biometric
  • One-time password
  • Questions and answers
  • Login/password

Manage the complete authentication life cycle

Evidian Authentication Manager allows you to manage the life cycle of cards through a single point. You assign cards and manage replacements, black lists, data and certificates.

Specific functionality for each profession

Sales staff and branch employees share a kiosk and obtain their personal desktop in seconds, without restarting the Windows session. When doctors do their rounds, their Windows sessions move with them around the hospital.

Traders and control room staff can access a cluster of PCs with a single authentication. They can lock it, unlock it, or delegate it, partially or completely, temporarily or permanently.

Delegation by the user

When users go on holiday or are absent for any reason, Evidian Authentication Manager allows them to delegate access to their computer under the control of the security policy.

Managing shared accounts

Users can use generic Windows accounts in full security. They don't need to know any passwords and are identified by their names. They can obtain temporary access in this way.

Emergency access ...

When Evidian Authentication Manager is launched on a PC for the first time, the user chooses the questions and answers. If they forget their access token, they can obtain temporary access in this way.

... even without a connection!

Mobile users can reinitialise their access even when they are not connected. They reply to questions from the login window of their laptop computer.

Audit all access and administrative actions

Signed audit trails are stored in a central database. Analyse them by access point, application, user, smartcard, etc. The data can be exported to SIEM tools and reports.

Integration with Evidian IAM solutions

Evidian Authentication Manager is part of Evidian's identity and access management solutions. The authentication and identity life cycles converge.

  • With Evidian Enterprise SSO, you can launch your applications without a supplementary password.
  • With Evidian Web Access Manager, you can access your web applications in full security from any browser, without the need for repeat authentication.

Use the existing infrastructure

Evidian Authentication Manager uses your LDAP database or Active Directory. Users are not duplicated.

All the security data is encrypted and stored, and no additional boxes need to be installed. You can begin in one department and then roll out Evidian Authentication Manager to thousands of users.

Evidian Authentication Manager works on most versions of Microsoft Windows, Terminal Server and Citrix XenApp.

Control your Windows access with a QR code

With QRentry™, you access Windows using a QR Code™.

QRentry drastically reduces helpdesk costs: users unlock their own access using a smartphone if they forget their Windows password, or even lose their smartcard or authentication token. By controlling the technicians' access to the local Windows administrator account, QRentry eliminates a common loophole in compliance policies.

QRentry is an Evidian Authentication Manager module, a software solution that facilitates the use of strong authentication and allows authentication scenarios to be developed. QRentry can be downloaded from Google Play or the Apple Store.

Permanent emergency access for your users

What: When a user loses their password, smartcard or authentication token, they can unlock their access using a QR code.

Why: QRentry is the ideal partner for the use of strong authentication, which generates numerous calls to the helpdesk such as "lost smartcard" or "biometrics not working".

  • The number of helpdesk calls will be significantly reduced
  • Users unlock their own access, even if they can't reach the helpdesk

Local administrator accounts are now finally secure

What: Technicians must use a QR code to access a PC's local administrator account. A record is kept of all access in a central location in the technician's name, and access rights can be removed in a few seconds. Users can no longer imitate a technician to obtain admin rights.

Why: QRentry makes the semi-public, difficult-to-modify "admin / admin" passwords useless. Local administrator accounts are no longer the "Achilles heel" of compliance.

  • No need for a network, mouse, USB port or strong authentication
  • Also allows remote support

Main functions

Use without constraints

  • No additional software or hardware on the PC
  • Users register their smartphones themselves
  • No need for network access on the PC or data access (3G, EDGE, etc.) on the smartphone

Security and confidentiality

  • Uses a non-repeatable access code
  • All access is monitored and the history is stored in a central location
  • Access to certain applications can be restricted

Rapid user adoption

  • The use of QR codes is frequent among employees
  • 55% of mobile users in the USA have a smartphone (Nielsen 2012)
  • Improves the innovative image of your company

Evidian Self-Service Password Reset (SSPR) offers several intuitive procedures to securely allow end-users to reset their Windows password from their web portal, their workstation or their mobile.

Evidian Enterprise SSO replaces user passwords with a single authentication such as a password, biometrics, a smartcard or a radio badge. Access is immediate, whether the applications are internal or external to the company.
