Authentication management enables implementation of connection procedures using authentication mechanisms with physical tokens (smart cards, USB keys, RFID badges), biometrics or mobile phones, in addition to the standard login/password authentication method. Authentication management is implemented by Evidian Authentication Manager. The video shows several authentication methods implemented by Authentication Manager.
Authentication Manager lets you use two strong authentication methods to access your session, adding layers of security to Windows session access. With the two-factor authentication feature, your users must use two methods of authentication in order to log in to their Windows session. You can use any strong authentication method supported by Evidian Authentication Manager, such as biometrics, RFID, smart card, OTP, the QRentry application, or a wearable device.
With the Enterprise Single Sign-On module added to Authentication Manager, you can use two-factor authentication to reauthenticate when accessing sensitive applications.
Users can prove their identity by what they know (password), what they have (smart card), and who they are (biometrics). The following is a list of the seven authentication methods most commonly found by Evidian in organizations.

| Method | Description |
|---|---|
| (1) Password | Simple, even rustic. Its biggest flaw is that the security level depends directly on the complexity of the password. As a result, too many overly complex passwords lead users to take various measures to remember them, such as writing them down on Post-It™ notes or entering them in an Excel file or a smartphone. A login and password combination is the most commonly used method of authentication. Single sign-on (SSO) solutions can reduce the increased number of passwords. |
| (2) One-Time Password (OTP) | An OTP can prevent a password from being stolen and reused. An OTP system (usually a specialized calculator) provides a password upon request. This password is valid for a limited period of time and can only be used once. OTP is generally used for initial authentication for external access via VPN. It does not require any configuration of the workstation or smartphone concerned. |
| (3) PKI certificates on a smart card or USB key | X.509 certificates are often used to encrypt or sign messages without having to share a secret. The login ID is a public certificate that is signed and therefore guaranteed by a recognized certification authority. The user must provide a secret piece of information in order to use the cryptographic elements, such as the PIN code of their smart card or USB key. In companies, smart cards are typically used more often than USB keys for authentication, even though the chip itself is often the same in both cases. This solution is frequently used for initial authentication or for access to email or web applications. It requires a Public Key Infrastructure (PKI). |
| (4) Login and password on a smart card or USB key | Storing the login and password on a smart card completely secures the authentication process. The password can be very complex, and it can be automatically and randomly changed very frequently. Without the card and its PIN code, there is no longer access to the password. This solution is usually used for authentication on PCs without having to deploy a key infrastructure. |
| (5) Cell phone | A cell phone can serve as an authentication object. There are two main methods used: The cell phone method is often used if the user forgets their password or smart card, particularly for access on the Internet. |
| (6) Biometrics | Authentication using biometrics is based on verifying a part of the user's body. The most commonly used type is the fingerprint. The user's biometric data is stored on a central server (with major legal constraints), on the workstation, or on a smart card. Biometrics is typically used for initial authentication or to protect access to highly sensitive applications. |
| (7) Contactless card | A chip embedded in a contactless card contains a code that identifies a user. This is therefore an identification method that, paired with a password, can be used in authentication procedures. There are two versions of this technology. With active RFID, the card has its own power unit. This enables detection over a longer range (e.g. when entering a room or office). Active RFID can be used to detect absence for workstations in areas accessible to the general public. With passive RFID (HID, MIFARE, etc.), the card does not have its own power unit. When it is read, it is powered by an electromagnetic field generated by the reader. Passive RFID is often used to control physical access using a pass or for payment in a company cafeteria. This type of card can be detected from a few centimeters away. |

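
Row (2) states that an OTP is valid for a limited time and can be used only once. The following is an added example, not Evidian's code, of a server-side check that enforces both properties. It assumes the time-based scheme of RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the function and class names, the sample secret and the timestamps are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds one code stays valid (assumed RFC 6238 default)
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Accepts a code only inside its time window and only once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerated clock skew, in time steps
        self.last_used = -1             # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        first, last = current - self.drift_steps, current + self.drift_steps
        for step in range(first, last + 1):
            if step <= self.last_used:
                continue                # replayed, or older than a consumed code
            expected = hotp(self.secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_used = step   # burn the step: the code is single-use
                return True
        return False

def demo() -> list:
    secret = b"12345678901234567890"    # constructed sample (RFC 4226 test key)
    t = 59                              # constructed timestamp, time step 1
    code = hotp(secret, t // STEP)      # what the user's token would display
    server = OtpVerifier(secret)
    return [
        server.verify(code, t),                     # first use, inside window
        server.verify(code, t + 1),                 # same code replayed
        OtpVerifier(secret).verify(code, t + 120),  # unused, but expired
    ]

if __name__ == "__main__":
    print(demo())
```

The verifier remembers only the last consumed time step per user, which is enough to reject a captured code replayed within its validity window.
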
To learn more about authentication management, we recommend this white paper: "Strong Authentication - Reducing hidden costs".