Share a generic account without sharing passwords and without autologon
How does Evidian secure a login to a generic account on a PC shared by several users?
Demonstration of a shared generic account without sharing passwords and without autologon
Hospitals, retail stores and production lines need to share a PC between multiple users. With Evidian, users share a generic account on the same PC, but they do not share passwords. There is no more autologon and no always-open session.
The video shows the sharing of a generic account with RFID authentication. When a user presents his/her RFID badge, he/she can access the generic account through fast user switching in a few seconds.
Each access is personal and audited by user name.
How to share a generic account without sharing passwords and without autologon?
The Evidian solution
The solution combines Evidian Authentication Manager for strong authentication with RFID and Evidian Enterprise SSO for Single Sign-On. After RFID authentication, users no longer have to enter logins/passwords to access their applications.
This solution is suited to a PC used in a public-access area. In this mode, the generic Windows session remains open, but the SSO context, and the opening and closing of each user's session within it, are handled individually for each user, as illustrated in the figure.
Upon detection of a smart card or an active RFID device, Enterprise SSO starts and prompts the user for his/her PIN (smart card) or password (RFID). Once the user is authenticated, he/she can access his/her own applications in the generic session. When the device is removed, Enterprise SSO is closed.
3 advanced solutions
One PC - used by several users
Branch employees, sales staff in outlets, workers in manufacturing industry and others share the same PC within their enterprise. To save time, they use a shared account with autologon to access the Windows session without a password. However, who authenticated to the PC, and at what time, cannot be audited. Evidian's multi-user desktop solves this problem with fast user switching in a few seconds and a strong authentication method, such as an RFID badge, to unlock the shared session.
One user – using multiple PCs successively
The day-to-day tasks of some employees require them to move around within a site, for example doctors in a hospital, production managers at an industrial site, store vendors, and others. On each PC, they must log in to access their session and then log out. Because this takes time, an alternative is needed. Evidian offers a simple solution: a roaming session that avoids repeated logins.
One user – using multiple PCs at once
Some employees need multiple PCs and monitors in order to work. These may include trading room workers and control room operators in industry, transport, video surveillance and other fields. It is unrealistic to ask these employees to log in separately to every PC. Evidian offers a solution with a single login to multiple computers at once.
Evidian Enterprise SSO uses an enterprise-directory-based architecture. Experience has shown that this simpler solution is quicker to deploy, while maintaining the highest security level.
Why passwordless strong authentication methods?
Passwords are the weak point of many authentication policies. Single or shared Windows passwords create a risk of intrusion and make it almost impossible to precisely verify the use of Windows accounts.
Replace passwords with strong authentication: devices or biometrics. With Evidian Authentication Manager, users can prove their identity by what they have (smart card), what they are (biometrics) and what they know (password).
2FA: two-factor authentication (or MFA)
Authentication Manager lets you require two-factor authentication (or more). With this feature, your users must use two authentication methods in order to log in to their Windows session.
Even for sensitive applications
Strong authentication can also be used to re-authenticate users when they access sensitive applications, not only at Windows session login. Adding the Enterprise Single Sign-On module makes this transparent to the application.
By choosing Evidian Authentication Manager, you are not bound to a technology. You deploy the right authentication in the right place. Your authentication policy is applied from a central point for all methods.
More than 5 million employees use Evidian authentication products
Most popular authentication
| Method | Description | Typical use |
|---|---|---|
| Login and password | Simple, even rustic; its biggest flaw is that the security level depends directly on the complexity of the password. The result is that too many overly complex passwords make users take various measures to remember them, such as writing them down on Post-It™ notes or entering them in an Excel file or a smartphone. | A login and password combination is the most commonly used method of authentication. Single sign-on (SSO) solutions can reduce the growing number of passwords. |
| One-time password (OTP) | An OTP prevents a password from being stolen and reused. An OTP system (usually a specialized calculator) provides a password on request. This password is valid for a limited period of time and can be used only once. | Generally used for initial authentication for external access via VPN. It requires no configuration of the workstation or smartphone concerned. |
| X.509 certificate | X.509 certificates are often used to encrypt or sign messages without having to share a secret. The login ID is a public certificate that is signed, and therefore guaranteed, by a recognized certification authority. The user must provide a secret in order to use the cryptographic elements, such as the PIN code of his/her smart card or USB key. In companies, smart cards are typically used more often than USB keys for authentication, even though the chip itself is often the same in both cases. | Frequently used for initial authentication or for access to email or web applications. It requires a Public Key Infrastructure (PKI). |
| Login and password stored on a smart card | Storing the login and password on a smart card completely secures the authentication process. The password can be very complex, and it can be changed automatically and randomly very frequently. Without the card and its PIN code, there is no longer any access to the password. | Usually used for authentication on PCs without having to deploy a key infrastructure. |
| Cell phone | A cell phone can serve as an authentication object. There are two main methods used: | Often used if the user forgets his/her password or smart card, particularly for access over the Internet. |
| Biometrics | Authentication using biometrics is based on verifying a part of the user's body. The type most often used is the fingerprint. The user's biometric data is stored on a central server (with major legal constraints), on the workstation, or on a smart card. | Typically used for initial authentication or to protect access to highly sensitive applications. |
| RFID (contactless card) | A chip embedded in a contactless card contains a code that identifies a user. It is therefore an identification method that, paired with a password, can be used in authentication procedures. There are two versions of this technology. With active RFID, the card has its own power unit, which enables detection over a longer range (e.g. when entering a room or office). With passive RFID (HID, MIFARE, etc.), the card does not have its own power unit; when it is read, it is powered by an electromagnetic field generated by the reader, so it can only be detected from a few centimeters away. | Active RFID: detecting absence for workstations in areas accessible to the general public. Passive RFID: controlling physical access using a pass, or payment in a company cafeteria. |
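To make the shared-session model described above concrete (the generic session stays open, the badge only identifies, a per-user secret authenticates, each access is audited by user name, and removing the device closes that user's SSO context), here is an added simulation. It is example code written for this page, not Evidian's implementation; the class name, badge UIDs, user names and the "secret stays off the badge" rule are assumptions.

```python
import hashlib, hmac, os, time

# Constructed enrolment data: badge UID -> user name. The badge only
# identifies the person; the secret that authenticates is never on it.
BADGES = {"04A1B2C3": "dr.martin", "04D4E5F6": "nurse.lee"}

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

class SharedWorkstation:
    """One generic Windows session, many individually audited users."""
    def __init__(self, credentials: dict[str, str]):
        # Keep salted PBKDF2 hashes of each user's own secret (sample data).
        self._creds = {}
        for user, secret in credentials.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, _hash(secret, salt))
        self.active_user = None   # whose SSO context is open right now
        self.audit = []           # (timestamp, who, event): never "generic"

    def _log(self, who: str, event: str) -> None:
        self.audit.append((time.time(), who, event))

    def badge_presented(self, uid: str, secret: str) -> bool:
        user = BADGES.get(uid)
        if user is None:                      # unenrolled badge: identify fails
            self._log(uid, "unknown-badge-rejected")
            return False
        salt, expected = self._creds[user]
        if not hmac.compare_digest(_hash(secret, salt), expected):
            self._log(user, "auth-failed")    # badge alone is not enough
            return False
        # Fast user switching: close the previous person's SSO context so
        # only one user's applications are reachable in the shared session.
        if self.active_user and self.active_user != user:
            self._log(self.active_user, "sso-context-closed")
        self.active_user = user
        self._log(user, "sso-context-opened")
        return True

    def badge_removed(self, uid: str) -> None:
        user = BADGES.get(uid)
        if user is not None and user == self.active_user:
            self._log(user, "sso-context-closed")
            self.active_user = None

    def audited_names(self) -> list[str]:
        """Every audit event names a person, not the generic account."""
        return [who for _, who, _ in self.audit]
```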