NetIQ Advanced Authentication’s Framework

One-Time-Passwords

A one-time password, often abbreviated to OTP, is a code that can be used once for a session or transaction and then expires. OTP codes are usually alphanumeric (letters and numbers). NetIQ Advanced Authentication HOTP (hash-based) and TOTP (time-based) are RFC 6238 compliant.

NetIQ Mobile App - OTP

The app supports TOTP, Push, Geo-Fencing and SMS/Email. The phone is seeded by scanning a QR code or opening a link.

Windows OTP Tool

Native Windows app that holds a shared seed and generates a token. Works offline. Some security managers consider an on-device seed less secure.

EMail OTP

Uses an SMTP server to send a server-generated code. Delivery is unencrypted. Low security, but a good second factor.

Voice OTP

Uses a call to the user to deliver a server-generated code over a voice service. Low security, but a good second factor.

Microsoft Live - OTP

Validation from mobile app using push, biometrics, or OTP. Augment or replace passwords with two-step verification from your mobile phone.

Google Auth - OTP

Validation from mobile app OTP. Augment or replace passwords with two-step verification from your mobile phone.

RADIUS Client

Provides integration with 3rd party RADIUS solutions (RSA, Vasco, etc.). AA prompts the user and validates against the 3rd party. Most often used in migrations.

Hard Token- OTP

TOTP or HOTP, OATH or proprietary: all are supported. The vendor sends a seed file, which is imported into AA, and the user claims (associates) a token.

3rd Party Soft Token OTP

Validation from mobile app using OTP. Augment or replace passwords with two-step verification from your mobile phone.

Mac OSX OTP Tool

Native OSX app that holds a shared seed and generates a token. Works offline. Some security managers consider an on-device seed less secure.

Biometrics

Biometrics are the distinctive, measurable characteristics used to identify individuals. The ones listed below are the supported active biometrics.

Face

Face recognition systems extract features and then perform matching. Because faces have fewer uniquely measurable features, reliability is slightly lower than for other biometrics.

Face via Windows Hello

WH devices use the camera and near-infrared light to scan your face, which allows WH face recognition to work even in the dark. AA integrates with WH and WHfB.

MS Windows Biometric Framework

WBF provides a consistent interface and user experience for biometric devices. AA can operate with any WBF-compatible device.

Fingerprint – KSI Keyboards

KSI manufactures durable multi-function keyboards with integrated card and biometric readers. AA is tested with the KSI-1700.

Fingerprint – Lumidigm / HID

Lumidigm optical readers use multispectral imaging that can read through materials and provide liveness detection. AA is compatible with V and M series readers.

Fingerprint – Digital Persona / HID

DP optical readers are popular for their durable metal casing, silicon coating, size and price. AA works with DP 4500 and 5300 readers.

Fingerprint – NEXT Biometric

Membrane reader with a WBF driver and SDKs for image capture. One-to-one and one-to-many modes are supported. AA works with the 100 and 100 Pro models.

Apple Touch ID

Natively Touch ID supports unlock and purchase functions. It can be trained to recognize up to five different fingers. AA supports all the native functions.

Fingerprint - BioEnable

Support for multi-finger scanners: high-quality optical scanners used by multiple governments. AA supports scanning and separation of the individual fingerprints.

Fingerprint – MS Surface Keyboard

Membrane sensor designed to work with WBF. Provides very quick reads. Bluetooth connected.

Fingerprint – MS Modern Keyboard

Membrane sensor designed to work with WBF. Provides very quick reads. Bluetooth or USB connected.

Mobile Device Fingerprint

An administrator can configure the AA Mobile App to require a biometric. Depending on the platform, a fingerprint or face will be required for authentication.

Cards

Identity cards are popular among all types of organizations, such as corporations, healthcare providers and student campuses. They are a reliable way to verify identities for services as well as for multi-factor use cases. In general, cards work in one of two ways: frequency transmission or certificate storage. Customers need to match their card readers to the specific cards they use.

PKI / PKCS11

Public-Key Cryptography Standard 11 (PKCS#11) is used with a certificate authority to access keys or to enroll and use user certificates. Generally used with smartcards.

PKI / PKCS7

Public-Key Cryptography Standard 7 (PKCS#7) is used with a certificate authority to access keys or to enroll and use user certificates. Generally used with smartcards.

RFID - 125 kHz

Radio Frequency Identification uses a reader antenna to receive the signal from an RFID tag carrying the tag's ID. AA receives a validation code from the transmitting device.

NFC - 13.56 MHz

Near Field Communication enables short-range communication. AA receives a validation code from an ‘active’ device triggered by a ‘passive’ device.

MIFARE

Near Field Communication enables short-range communication. AA receives a validation code from an ‘active’ device triggered by a ‘passive’ device.

BankID

BankID is the leading electronic identification in Sweden. 8 million people use BankID for private and public services. AA provides BankID validation for all connected services.

Swisscom Mobile ID

Swisscom is a major telecommunications provider in Switzerland. Mobile ID uses PKI-based "mobile signature" technology held securely on the SIM card.

Windows Passwordless

Use Windows passwordless methods to provide convenient authentication or as part of a two-factor authentication (2FA) set on Windows 10 PCs. Users can tie their credential to their Windows device(s) along with a PIN, a fingerprint, or face recognition. Enhance Microsoft domain login with WHfB using PKI.

Windows Passwordless

Our solution maintains the user's domain relationship, so at workstation login a user only needs to supply their username and any single MFA method.

Windows Hello and WHfB

WH uses a local template match, and WHfB uses the WH match result to open a domain-based PKI login. AA can call this same system for validation at any time.

Windows Azure

Integration with Azure MFA provides prevalent methods for authentication but lacks the flexibility and the features to support Zero Trust, Adaptive or continuous authentication.

Passive Methods

As organizations seek to extend their engagement with consumers, they often turn to low-friction authentication types to verify identities. Additionally, as continuous authentication is adopted as part of zero trust initiatives, low-friction methods become essential, providing a smooth user experience while raising security.

Geo-Fencing

Admins can configure allowed and disallowed geo zones. The user's mobile device is pinged to validate their position.

Bluetooth

The user enrolls their mobile device. When challenged, the mobile device is pinged in the background for validation.

Smartphone

Our smartphone App supports ‘Push’, TOTP, Geo Fencing and Bluetooth (in order of popularity).

Device Authentication

AA generates a key pair on the device using a TPM; the key pair is then used as a method in a chain.

Windows Hello and WHfB

The WH and WHfB login framework supports multiple biometric methods (face and fingerprint). AA calls WH for validation and uses the result.

Face

Face recognition systems extract features and then perform matching. Because faces have fewer uniquely measurable features, reliability is slightly lower than for other biometrics.

FIDO
FIDO U2F

Universal 2nd Factor is an open standard that strengthens and simplifies 2FA and gives internet users secure access to many online services with one security key.

FIDO2

FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client. FIDO is used to unlock the PKI certificate for authentication.

Federation
SAML

When SAML is used as a method, AA acts as the relying party and can accept authentication from an external IDP (e.g. Facebook, Workday, LinkedIn).

OAuth2

Advanced Authentication applies RFC 6749 for OAuth 2.0 authentication. When used, AA acts as the relying party and can accept authentication from an external IDP.

LOA1

LDAP Password

Users can use the password from their configured (attached) repository as an authentication method. Often used as the first factor.

PIN Code

The user enrolls a private PIN code. AA prompts the user for it when the chain is used to protect a resource.

Voice Call

AA generates an RFC-based OTP and sends it via the configured voice service to the user's stored phone number.

Challenge Response

AA challenges the user with an admin-configured number of their previously stored questions. The user must answer correctly for validation.

Emergency Password

The user calls the Help Desk, which uses the Help Desk Portal to create an Emergency Password. The validity period is configurable.
