Hitachi ID Password Manager has an open authentication architecture, and can plug into existing password systems, corporate directories, two-factor authentication tokens, PKI certificates and biometric engines.

Login options

Users may authenticate into Password Manager as follows:

  • On the web portal:
    • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF, etc.).
    • By answering security questions.
    • Using the Hitachi ID Mobile Access smart phone app to scan a cryptographic challenge displayed on the user's PC screen as a QR code.
    • Using third party smart phone apps, such as Duo Security or Google Authenticator.
    • Using a hardware or software security token (e.g., RSA SecurID).
    • Using a smart card with a PKI certificate.
    • Using Windows-integrated authentication.
    • Using a SAML or OAuth assertion issued by another server.
    • By typing a PIN that was sent to their mobile phone via SMS.
    • Using a device/browser fingerprint and/or cookie, for example to compare current login to previous events.

  • Using a telephone, calling an automated IVR system:
    • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
    • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

  • Using a telephone, calling an IT support technician:
    • By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

Two-factor authentication for everyone

Password Manager supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:

  1. If the user connects from the Extranet, start with a CAPTCHA.
  2. Next, prompt for the user's login ID.
  3. Fingerprint the user's browser: if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor.
  4. If the user connects from a browser not seen before, prompt for another factor, which may be any of the following:
    1. If the user has been activated to use a third-party 2FA technology, such as a one-time password token (e.g., RSA SecurID) or a third-party app (e.g., Duo Security or Google Authenticator), use that.
    2. If the user had previously enrolled their mobile phone number, send a PIN to the user's phone via SMS and prompt the user to enter it.
    3. If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
    4. If the user had previously installed Mobile Access on their phone, either use a push notification to display a PIN on their phone, or display a cryptographic challenge in the login screen as a QR code, which the user scans with the app.
  5. Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
  6. Finally, depending on whether the user remembers their password, prompt the user to enter it or answer a series of security questions.
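The step-up sequence above can be read as a small policy engine: the request context (extranet or not, browser seen before or not) and the user's enrolment state decide which prompts are presented and in what order. The following is an added illustration of that decision logic, not Hitachi ID code; every name in it (`UserProfile`, `LoginContext`, `plan_login`, the `Factor` labels, the constructed server key and sample user) is an assumption made for the example. It also shows one detail the list leaves implicit: a browser only becomes a "known" device after a login that was fully verified by the other factors, and the stored fingerprint is a keyed hash so a copy of the table cannot be replayed as a fingerprint.

```python
"""Step-up login policy modelled on the flow above (added example; names are assumptions)."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import secrets


class Factor(str, Enum):
    CAPTCHA = "captcha"
    LOGIN_ID = "login_id"
    BROWSER_FINGERPRINT = "browser_fingerprint"   # unobtrusive; satisfied without a prompt
    THIRD_PARTY_2FA = "third_party_2fa"           # OTP token or authenticator app
    SMS_PIN = "sms_pin"
    EMAIL_PIN = "email_pin"
    MOBILE_ACCESS = "mobile_access"               # push PIN or QR challenge
    PASSWORD = "password"
    SECURITY_QUESTIONS = "security_questions"


@dataclass
class UserProfile:
    login_id: str
    known_device_hashes: set = field(default_factory=set)  # keyed hashes of fingerprints seen before
    third_party_2fa: bool = False
    mobile_numbers: list = field(default_factory=list)
    personal_emails: list = field(default_factory=list)
    mobile_access_installed: bool = False


@dataclass
class LoginContext:
    from_extranet: bool
    browser_fingerprint: str      # fingerprint string as collected by the portal (constructed)
    remembers_password: bool


def fingerprint_hash(server_key: bytes, fingerprint: str) -> str:
    """HMAC the fingerprint under a server-side key: stored values are useless without the key."""
    return hmac.new(server_key, fingerprint.encode(), hashlib.sha256).hexdigest()


def device_is_known(server_key: bytes, user: UserProfile, ctx: LoginContext) -> bool:
    return fingerprint_hash(server_key, ctx.browser_fingerprint) in user.known_device_hashes


def second_factor_options(user: UserProfile) -> list:
    """Choices offered on an unrecognised browser, in the order the flow lists them.
    Each entry is (factor, target); a user with two phone numbers gets two SMS entries."""
    opts = []
    if user.third_party_2fa:
        opts.append((Factor.THIRD_PARTY_2FA, None))
    opts += [(Factor.SMS_PIN, n) for n in user.mobile_numbers]
    opts += [(Factor.EMAIL_PIN, e) for e in user.personal_emails]
    if user.mobile_access_installed:
        opts.append((Factor.MOBILE_ACCESS, None))
    return opts


def plan_login(server_key: bytes, user: UserProfile, ctx: LoginContext) -> list:
    """Return the ordered prompts the portal should present for this request."""
    steps = []
    if ctx.from_extranet:
        steps.append(Factor.CAPTCHA)
    steps.append(Factor.LOGIN_ID)
    if device_is_known(server_key, user, ctx):
        steps.append(Factor.BROWSER_FINGERPRINT)
    else:
        options = second_factor_options(user)
        if not options:
            # Nothing enrolled: this request cannot be stepped up on the web portal.
            raise PermissionError("no second factor enrolled; refer caller to IT support")
        steps.append(("choose_2fa", options))
    steps.append(Factor.PASSWORD if ctx.remembers_password else Factor.SECURITY_QUESTIONS)
    return steps


def generate_pin(digits: int = 6) -> str:
    """One-time PIN for the SMS / e-mail options, drawn from a CSPRNG."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def remember_device(server_key: bytes, user: UserProfile, ctx: LoginContext) -> None:
    """Call only after every prompt in the plan succeeded; the browser then counts as a factor."""
    user.known_device_hashes.add(fingerprint_hash(server_key, ctx.browser_fingerprint))


if __name__ == "__main__":
    key = b"constructed-server-key"   # constructed for the demo, not a real secret
    alice = UserProfile("alice", mobile_numbers=["+1-555-0100"], mobile_access_installed=True)
    first = LoginContext(from_extranet=True, browser_fingerprint="ua:Firefox|tz:UTC", remembers_password=True)
    print(plan_login(key, alice, first))
    remember_device(key, alice, first)
    again = LoginContext(from_extranet=False, browser_fingerprint="ua:Firefox|tz:UTC", remembers_password=False)
    print(plan_login(key, alice, again))
```

Running the demo shows the two paths the list describes: a first visit from the extranet yields CAPTCHA, login ID, a choice between SMS PIN and Mobile Access, then password; the same browser on the intranet afterwards yields login ID, the silent fingerprint factor, and security questions. A user with nothing enrolled and an unknown browser gets `PermissionError`, which is the point at which the telephone options in the first section apply.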