Biometrics Direct - Your source for fingerprint biometric security products for home and business.  Biometric door locks, fingerprint USB security and PC biometric login

Multifactor Authentication

Authentication is crucial to secure communication. The user must be able to provide a verified identity to others and must be able to verify the identity of others in order to prevent an unethical person from intercepting messages or impersonating another person or entity.

BioCert® Identity fully supports multifactor user authentication, including any combination of user Windows passwords, Trusted Platform Modules, smart cards, USB tokens, virtual tokens, and biometrics. The robust feature set also employs alternative authentication methods, providing the possibility for multiple user access privileges for the same application or service.

To log on to BioCert® Identity with any of the credentials registered on a particular workstation, two conditions must be met:

  • The user must have administrator-granted permissions to register the selected type of credentials.
  • The workstation should be equipped with the hardware and supporting software in order to register the selected credentials. For example, to register smart card credentials, the workstation should have a smart card reader connected, as well as drivers installed for the particular type of smart card being used by the user.

The following topic sections provide additional information about all authentication methods supported by BioCert® Identity:

Configuring Multifactor Authentication

BioCert® Identity increases system security through the use of multifactor authentication. A system administrator can assign multifactor authentication policies to user categories (users and administrators). For example, an administrator may allow regular users to be authenticated with any supported authentication method, while administrators must use an authentication policy that includes both password and fingerprint. By default, each user category is allowed to be authenticated with any authentication method. BioCert® Identity has several predefined authentication policies to choose from, and an administrator can also specify a custom authentication policy.

To configure multifactor authentication policy:

  1. In BioCert® Identity, select Authentication and Credentials.
  2. Select the Authentication tab.
  3. In the Select category drop-down list, select the user category to which the authentication policy will be applied.
  4. Select one of the predefined policies from the list, or select Custom.
  5. If you've selected the Custom policy, click Configure. In the Custom Authentication dialog box, select the desired authentication methods and choose how they are combined in the authentication policy using an "AND" or "OR" clause.

    Note
Authentication policy elements, which are not available due to the missing hardware and/or drivers, are not shown in the list.
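
The per-category AND/OR policy described above can be modelled in a few lines. This is an added illustration, not BioCert® code: the class, function and method names are hypothetical, and the sample policies are constructed from the example in the text. It also shows a check worth running before assigning an "AND" policy: whether an account can satisfy it at all on a workstation that lacks some hardware.

```python
from dataclasses import dataclass

# Hypothetical labels for the credential types the page lists.
METHODS = frozenset({"password", "fingerprint", "tpm",
                     "smart_card", "usb_token", "virtual_token"})

@dataclass(frozen=True)
class Policy:
    op: str              # "AND": every method required; "OR": any one suffices
    methods: frozenset   # methods combined by the clause

    def __post_init__(self):
        if self.op not in ("AND", "OR"):
            raise ValueError("op must be 'AND' or 'OR'")
        if not self.methods or not self.methods <= METHODS:
            raise ValueError("policy needs one or more known methods")

    def satisfied_by(self, verified):
        """verified: methods the user has proven in this logon attempt."""
        if self.op == "AND":
            return self.methods <= set(verified)
        return bool(self.methods & set(verified))

# Default described on the page: any supported method is accepted.
DEFAULT = Policy("OR", METHODS)

def usable(policy, registered, available):
    """Methods worth offering at logon: named by the policy, registered for
    the account, and backed by hardware/drivers on this workstation."""
    return policy.methods & set(registered) & set(available)

def can_ever_log_on(policy, registered, available):
    """Lockout check: can this account satisfy the policy here at all?"""
    return policy.satisfied_by(usable(policy, registered, available))

# Constructed sample policies matching the example in the text.
POLICIES = {
    "users": DEFAULT,
    "administrators": Policy("AND", frozenset({"password", "fingerprint"})),
}
```

An administrator account with password and fingerprint registered fails `can_ever_log_on` on a workstation without a fingerprint reader, which is the situation to catch before the policy is applied.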

Password Authentication

What is a password?

A password is a code created to restrict entry into a system. Passwords add a level of security to the computer. When a computer is shared, a password-protected logon account secures the customized settings, computer programs, and system resources of each user.

Using a password for authentication

The password authentication method validates the user's identity, adding a level of security to the computer. System resources are more secure when the user logs on with a password or user account name. The user can log on to the system through the BioCert® Identity interface from the following places:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity panel

Usually only the Windows password is available for the very first logon to BioCert® Identity. As soon as the user enters the Windows password into the BioCert® Identity dialog, the user can register other types of credentials for any supported authentication methods.

To log on with password authentication:

  1. Launch the BioCert® Logon Wizard.
  2. On the Introduce Yourself dialog box, type the user name, select a domain name, type your password, and then click Next.

You can also select password authentication from the list of all available logon methods for the user.

  1. On the Introduce Yourself dialog box, select the Click here link. The Logon Policy dialog box is displayed.
  2. Select Password authentication and then click Next. The Enter Password dialog box is displayed.
  3. Type your password and then click Finish.

     Note
    On the Logon Policy dialog box, only the credentials that have already been registered for this account can be seen.

Biometrics Authentication

Fingerprint templates

The system captures a sample of the biometric characteristic during the enrollment process. Unique features are extracted and converted into a mathematical code. Fingerprint templates created during the enrollment process are stored as an attribute of a user account.

Using fingerprints for authentication

During the logon process, a live fingerprint capture is authenticated against the user's stored fingerprint templates, and then access to BioCert® Identity is either granted or denied depending on the result of this authentication process.

The user can log on to BioCert® Identity from the following places in the system:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity panel

When the BioCert® Logon Wizard is launched, follow the instructions on the screen.

To log on with fingerprint authentication:

  1. On the Introduce Yourself dialog box, type your user name and select a domain name.
  2. Click the large icon with the fingerprint sensor image or select the Click here link to display a list of all available logon methods for the user.
  3. On the Logon Policy dialog box, select Fingerprints authentication, and then click Next.

    Note
    On the Logon Policy dialog box, only credentials that are already registered for this account can be seen.

  4. On the Present your fingerprints dialog box, place the previously registered finger on the fingerprint reader until the matching operation is complete.

    Note
    Depending on the model of the fingerprint reader, the user may be prompted to swipe the finger over the reader instead of placing the finger on the fingerprint reader.

TPM Authentication

Trusted Platform Module

The Trusted Platform Module (TPM) provides the ability to run the system or applications more securely and makes communications more trustworthy. The TPM provides for authenticity validation, platform integrity metrics checking, user confidentiality, and privacy. The TPM also provides protection of information and authentication for individual platforms.

Using a Trusted Platform Module for authentication

The user can log on to BioCert® Identity from the following places in the system:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity dialog box

When the BioCert® Logon Wizard is launched, follow the instructions on the screen.

To log on with TPM authentication:

  1. On the Introduce Yourself dialog box, type your user name and select a domain name.
  2. Click the large icon with the TPM image or select the Click here link to display a list of all available logon methods for the user.
  3. On the Logon Policy dialog box, select TPM Basic User Key Password authentication, and then click Next.

    Note
    On the Logon Policy dialog box, only credentials that are already registered for this account can be seen.

  4. On the Enter TPM Password dialog box, type your Basic User Key password for the TPM, and then click Finish.

Smart Card Authentication

Smart card
 
A smart card is a plastic card about the size of a credit card with an embedded microchip that can be used for storing sign-in passwords, public and private keys, and other personal information. Smart cards provide tamper-resistant and portable security solutions for tasks such as securing e-mail and logging on to a domain. Support for smart cards is a feature of the public key infrastructure (PKI).
 
Using a smart card for authentication
 
The user can log on to BioCert® Identity from the following places in the system:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity panel

When the BioCert® Logon Wizard is launched, follow the instructions on the screen.

To log on with smart card authentication:

  1. Insert your smart card into the smart card reader.
  2. On the Introduce Yourself dialog box, type your user name and select a domain name.
  3. Click the large icon with the smart card image or select the Click here link to display a list of all available logon methods for the user.
  4. On the Logon Policy dialog box, select Smart Card authentication, and then click Next.

    Note
    On the Logon Policy dialog box, only credentials that are already registered for this account can be seen.

  5. On the Select a Smart Card dialog box, type the personal identification number (PIN) for the smart card, and then click Finish.

Note
If the user PIN is entered correctly, the system completes the logon process. If the PIN is entered incorrectly several times in sequence, logon will be denied using that smart card. The number of allowable invalid logon attempts that may be entered before lockout occurs varies with the smart card manufacturer. Contact the administrator for assistance if the user PIN is locked out.

USB Token Authentication

USB token

A USB token is simply a smart card in a different form factor. Rather than deploying the smart chip on a plastic credit platform, the smart chip is inserted into a plastic token, also known as a key. The major difference between a smart card and a USB token is in the access interface. A card requires a reader, while the USB token plugs directly into any USB port. There is no difference in the core functionality of storing and providing credentials.

Using a USB token for authentication

The user can log on to BioCert® Identity from the following places in the system:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity dialog box

When the BioCert® Logon Wizard is launched, follow the instructions on the screen.

To log on with USB token authentication:

  1. Insert your USB token into any available computer USB port.
  2. On the Introduce Yourself dialog box, type your user name and select a domain name.
  3. Click the large icon with the USB token image or select the Click here link to display a list of all available logon methods for the user.
  4. On the Logon Policy dialog box, select USB Token authentication, and then click Next.

    Note
    On the Logon Policy dialog box, only credentials that are already registered for this account can be seen.

  5. On the Select a USB Token dialog box, type the personal identification number (PIN) for the USB token, and then click Finish.

Note
If the user PIN is entered correctly, the system completes the logon process. If the PIN is entered incorrectly several times in sequence, logon will be denied using that USB token. The number of allowable invalid logon attempts that may be entered before lockout occurs varies with the token manufacturer. Contact the administrator for assistance if the user PIN is locked out.

Virtual Token Authentication

Virtual token

A virtual token represents the software emulation of a cryptographic hardware token such as a smart card or USB token. The software token can be stored either in the Windows registry database or in a file and includes the token's location on a hard drive, diskette, USB drive, and so on.

Using a virtual token for authentication

The user can log on to BioCert® Identity from the following places in the system:

  • BioCert® Identity Logon dialog box (if selected during installation)
  • BioCert® Identity icon in the taskbar notification area
  • My Identity dialog box

When the BioCert® Logon Wizard is launched, follow the instructions on the screen.

To log on with Virtual token authentication:

  1. On the Introduce Yourself dialog box, type your user name and select a domain name.
  2. Click the large icon with the Virtual token image or select the Click here link to display a list of all available logon methods for the user.
  3. On the Logon Policy dialog box, select Virtual Token authentication, and then click Next.

    Note
    On the Logon Policy dialog box, only credentials that are already registered for this account can be seen.

  4. On the Select a Virtual Token dialog box, select the desired token from the list, type the personal identification number (PIN) for the virtual token, and then click Finish.

Note
If the user PIN is entered correctly, the system completes the logon process. If the PIN is entered incorrectly several times in sequence, logon will be denied using that virtual token. The number of allowable invalid logon attempts that may be entered before lockout occurs varies with a predefined system value. Contact the administrator for assistance if the user PIN is locked out.

 
 
Copyright © 2002-2007 Artemis Solutions Group, Use of this site or purchase subject to these Terms and Conditions of use.
Some images used on this website are Copyright (c) Comstock and used under license.