Because new authentication purchases often originate within a business unit, they are often approached with a tactical objective. This approach leaves organizations with multiple authentication silos (building access, remote access, compliance requirements, etc.). While it is true that these disjointed implementations impose higher administrative overhead and inefficient processes, more importantly, they create vulnerabilities due to inconsistent authentication policies.
In today's connected world, fraught with persistent cyber threats, authentication strategies have become a core component of protecting against them. And since such a significant portion of digital information is protected by government privacy laws, compliance with multifactor authentication (MFA) mandates has played a significant role in MFA adoption.
Beyond government MFA mandates, momentum for using this same passwordless technology in single-factor authentication scenarios is also gaining traction. When implemented properly, passwordless authentication is not only highly resistant to phishing, it also offers a noteworthy jump in usability, relieving users of the burden of remembering credentials for the mobile apps or services they are accessing.
Another business driver for MFA adoption comes from organizations that prioritize the privacy of their secrets. They view secrets such as intellectual property and customer information as sensitive enough to be worthy of substantial investment in greater protections. This may be because they view strong security as good for business, or because top management has observed the demise of industry peers who lost their position through damaged consumer trust or lost competitive advantage.
NetIQ Advanced Authentication is natively integrated with these OpenText products:
Access Manager, AutoPass, CIFS, Client Login Extension (CLE), Desktop Automation Service (DAS), Domain Services for Windows (DSfW), Directory and Resource Administrator (DRA), Enterprise Messaging, Filr Advanced, Groupwise, Identity Governance (IG/IGA), Identity Manager (IDM), iPrint, Management and Security Server (MSS), OES Server, OES Client, Privileged Account Manager (PAM), Risk Service, Rumba, SecureLogin (NSL), Serena Connector for z/OS, Self Service Password Reset (SSPR), StarTeam.
NetIQ Advanced Authentication also integrates with third-party products via RADIUS, SAML, OIDC/OAuth2, ADFS, Kerberos, REST, MobileAPIs, comAPIs and native Microsoft plug-ins.
The NetIQ Advanced Authentication framework supports the following methods out of the box, as well as additional specialized integrations. Partners and customers also have the option to leverage AA's APIs to configure their own integrations.
A one-time password, often abbreviated to OTP, is a code that can be used once for a session or transaction and then expires. OTP codes are usually alphanumeric (letters and numbers). NetIQ Advanced Authentication HOTP (hash-based) and TOTP (time-based) are RFC 6238 compliant.
| Method | Description |
|---|---|
| NetIQ Mobile App - OTP | Has multiple capabilities: TOTP, Push, Geo-Fencing and SMS/Email. The phone is seeded by a QR scan or by executing a link. |
| Windows OTP Tool | Native Windows app that holds a shared seed and generates a token. Works offline. Some security managers consider on-device generation less secure. |
| Email OTP | Uses an SMTP server to send a server-generated code. Uses unencrypted delivery. Low security, but a good second factor. |
| Voice OTP | Uses a phone call to the user to deliver a server-generated code. Uses a voice service for delivery. Low security, but a good second factor. |
| Microsoft Live - OTP | Validation from the mobile app using push, biometrics, or OTP. Augment or replace passwords with two-step verification from your mobile phone. |
| Google Auth - OTP | Validation from the mobile app OTP. Augment or replace passwords with two-step verification from your mobile phone. |
| RADIUS Client | Provides integration with 3rd-party RADIUS solutions (RSA, Vasco, etc.). AA prompts the user and validates against the 3rd party. Most often used in migrations. |
| Hard Token - OTP | TOTP or HOTP, OATH or proprietary: all are supported. The vendor sends a seed file, which is imported into AA, and the user claims (associates) the token. |
| 3rd Party Soft Token OTP | Validation from a mobile app using OTP. Augment or replace passwords with two-step verification from your mobile phone. |
| Mac OS X OTP Tool | Native OS X app that holds a shared seed and generates a token. Works offline. Some security managers consider on-device generation less secure. |
Biometrics are the distinctive, measurable characteristics used to identify individuals. The ones listed below are supported active biometrics.
| Method | Description |
|---|---|
| Face | Face recognition systems extract features and then perform matching. Because faces have fewer uniquely measurable features, reliability is slightly lower than for other biometrics. |
| Face via Windows Hello | WH devices use the camera and near-infrared light to scan your face. This allows WH face recognition to work even in the dark. AA integrates with WH and WHfB. |
| MS Windows Biometric Framework | WBF provides a consistent interface and user experience for biometric devices. AA can operate with any WBF-compatible device. |
| Fingerprint - KSI Keyboards | KSI manufactures durable multi-function keyboards with integrated card and biometric readers. AA is tested with the KSI-1700. |
| Fingerprint - Lumidigm / HID | Lumidigm optical readers use multispectral imaging that can read through materials and provide liveness detection. AA is compatible with V and M series readers. |
| Fingerprint - Digital Persona / HID | DP optical readers are popular due to their durable metal casing, silicon coating, size and price. AA works with DP 4500 and 5300 readers. |
| Fingerprint - NEXT Biometric | Membrane reader with a WBF driver and SDKs for image capture. One-to-one and one-to-many modes are supported. AA works with the 100 and 100 Pro models. |
| Apple Touch ID | Natively, Touch ID supports unlock and purchase functions. It can be trained to recognize up to five different fingers. AA supports all the native functions. |
| Fingerprint - BioEnable | Support for multi-finger scanners. High-quality optical scanners used by multiple governments. AA supports scanning and separation of the individual fingerprints. |
| Fingerprint - MS Surface Keyboard | Membrane sensor designed to work with WBF. Provides very quick reads. Bluetooth connected. |
| Fingerprint - MS Modern Keyboard | Membrane sensor designed to work with WBF. Provides very quick reads. Bluetooth or USB connected. |
| Mobile Device Fingerprint | The administrator can configure the AA Mobile App to demand a biometric. Depending on the platform, fingerprint or face will be required for authentication. |
Identity cards are quite popular among all types of organizations, such as corporations, healthcare providers and student campuses. They are a reliable way to verify identities for services as well as for multi-factor use cases. In general, cards work in one of two ways: frequency transmission or certificate storage. Customers need to match their card readers to the specific cards they use.
| Method | Description |
|---|---|
| PKI / PKCS11 | Public-Key Cryptography Standard 11 is used with a certificate authority to access keys or to enroll/use user certificates. Generally used with smartcards. |
| PKI / PKCS7 | Public-Key Cryptography Standard 7 is used with a certificate authority to access keys or to enroll/use user certificates. Generally used with smartcards. |
| RFID - 125 kHz | Radio Frequency Identification uses a reader antenna to receive the signal from an RFID tag carrying the tag's ID. AA receives a validation code from the transmitting device. |
| NFC - 13.56 MHz | Near Field Communication enables short-range communication. AA receives a validation code from an 'active' device triggered by a 'passive' device. |
| MIFARE | Near Field Communication enables short-range communication. AA receives a validation code from an 'active' device triggered by a 'passive' device. |
| BankID | BankID is the leading electronic identification in Sweden. 8 million people use BankID for private and public services. AA provides BankID validation for all connected services. |
| Swisscom Mobile ID | Swisscom is a major telecommunications provider in Switzerland. Mobile ID uses a PKI-based "mobile signature" secure encryption technology on the SIM card. |
Use Windows passwordless methods to provide convenient authentication or as part of a two-factor authentication (2FA) set on Windows 10 PCs. Users can tie their credential to their Windows device(s) along with a PIN, a fingerprint, or face recognition. Enhance Microsoft domain login with WHfB using PKI.
| Method | Description |
|---|---|
| Windows Passwordless | Our solution maintains the user's domain relationship, so at the time of workstation login a user only needs to supply their username and any single MFA method. |
| Windows Hello and WHfB | WH uses a local template match, and WHfB uses the WH match result to open a domain-based PKI login. AA can call this same system for validation at any time. |
| Windows Azure | Integration with Azure MFA provides the prevalent authentication methods but lacks the flexibility and features to support Zero Trust, adaptive or continuous authentication. |
As organizations seek to extend their engagement with consumers, they often turn to low-friction authentication types to verify identities. Additionally, as continuous authentication is adopted as part of zero trust initiatives, low-friction methods become essential, providing a smooth user experience while raising security.
| Method | Description |
|---|---|
| Geo-Fencing | Admins can configure geo zones that are allowed and disallowed. The user will be pinged on their mobile device to validate their position. |
| Bluetooth | The user enrolls their mobile device. When challenged, the mobile is pinged in the background for validation. |
| Smartphone | Our smartphone app supports 'Push', TOTP, Geo-Fencing and Bluetooth (in order of popularity). |
| Device Authentication | AA generates a key pair on the device using its TPM; the key pair is then used as a method in a chain. |
| Windows Hello and WHfB | The WH and WHfB login framework supports multiple biometric methods (face and fingerprint). AA calls WH for validation and uses the result. |
| Face | Face recognition systems extract features and then perform matching. Because faces have fewer uniquely measurable features, reliability is slightly lower than for other biometrics. |
| Method | Description |
|---|---|
| FIDO U2F | Universal 2nd Factor is an open standard that strengthens and simplifies 2FA and provides internet users secure access to many online services with one security key. |
| FIDO2 | FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client. Uses FIDO to unlock the PKI certificate for authentication. |
| Method | Description |
|---|---|
| SAML | When SAML is used as a method, AA acts as the relying party and can accept authentication from an external IDP (e.g. Facebook, Workday, LinkedIn). |
| OAuth2 | Advanced Authentication applies RFC 6749 for OAuth 2.0 authentication. When used, AA acts as the relying party and can accept authentication from an external IDP. |
| LDAP Password | The user can use their configured (attached repository) password as an authentication method. Often used as the first factor. |
| PIN Code | The user enrolls a private PIN code. AA will prompt the user when the chain is used to protect a resource. |
| Voice Call | AA generates an RFC-based OTP and sends it via the configured 'voice service' to the user's stored phone number. |
| Challenge Response | AA challenges the user with the admin-configured number of their previously stored questions. The user must answer correctly for validation. |
| Emergency Password | The user calls the 'Help Desk', who use the Help Desk Portal to create an Emergency Password. The validity period is configurable. |
Control the costs of your password administration. NetIQ Self Service Password Reset (SSPR) is a simple, secure, easy-to-deploy self-service password management tool that helps users reset or re-enable their own network passwords without having to call the help desk. Self Service Password Reset is designed to work hand in hand with Advanced Authentication by providing self-service credential management to users who have forgotten their passwords or are otherwise locked out of their accounts. It alleviates overhead that would otherwise go to the Help Desk.