The Advanced Authentication service provides strong authentication by using ArcotID PKI and ArcotID OTP, which are based on the patented Cryptographic Camouflage key concealment technology. You can request an authentication mechanism that best suits the security requirements of your organization. In Cryptographic Camouflage, the keys are encrypted such that only one key decrypts them correctly, while incorrect decryption produces many keys that look valid enough to fool an attacker. In this manner, the Cryptographic Camouflage technique protects an end user's private key against dictionary attacks and Man-in-the-Middle (MITM) attacks, as a smartcard does, but entirely in software.
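The following simplified illustration of the camouflage idea is an added example, not CA's or Arcot's implementation. It compares a stored key blob that carries a check value with one that does not, and counts how many 4-digit PINs remain plausible to someone holding only the blob. All names, the PIN, and the random 16-byte secret are constructed, and it assumes nothing else is available to test candidates against.

```python
import hashlib
import hmac
import secrets

PINS = [f"{i:04d}" for i in range(10000)]  # attacker's dictionary: every 4-digit PIN

def keystream(pin, salt, n):
    # Iteration count kept low so the sweep finishes quickly; real KDFs use far more.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100, dklen=n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_conventional(secret, pin, salt):
    # Ordinary key container: ciphertext plus a check value over the plaintext.
    return xor(secret, keystream(pin, salt, len(secret))) + hashlib.sha256(secret).digest()

def open_conventional(blob, pin, salt):
    ct, tag = blob[:-32], blob[-32:]
    pt = xor(ct, keystream(pin, salt, len(ct)))
    # The check value tells anyone holding the blob whether the PIN was right.
    return pt if hmac.compare_digest(hashlib.sha256(pt).digest(), tag) else None

def seal_camouflaged(secret, pin, salt):
    # No check value, padding or header: nothing marks the correct decryption.
    return xor(secret, keystream(pin, salt, len(secret)))

def open_camouflaged(blob, pin, salt):
    return xor(blob, keystream(pin, salt, len(blob)))  # every PIN yields a candidate

def offline_sweep(open_fn, blob, salt):
    """PINs that someone holding only the stored blob cannot rule out."""
    return [p for p in PINS if open_fn(blob, p, salt) is not None]

def demo():
    salt = secrets.token_bytes(16)
    secret = secrets.token_bytes(16)  # constructed stand-in for key material
    pin = "4831"                      # constructed PIN
    conv = offline_sweep(open_conventional, seal_conventional(secret, pin, salt), salt)
    blob = seal_camouflaged(secret, pin, salt)
    camo = offline_sweep(open_camouflaged, blob, salt)
    return conv, len(camo), open_camouflaged(blob, pin, salt) == secret

if __name__ == "__main__":
    print(demo())
```

With the check value, the sweep narrows to the single correct PIN offline. Without it, all 10000 candidates stay plausible, so each guess has to be tested against the authentication server, where failed attempts can be counted and locked out.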
Primary authentication
Primary authentication refers to the typical authentication flow in which an end user accessing a protected resource is prompted for the user name and password (or OTP, if the ArcotID OTP credential is used). ArcotID PKI and ArcotID OTP are the supported primary authentication mechanisms.
Secondary authentication
Secondary authentication refers to the additional authentication that is performed in the following cases:
As secondary authentication is typically invoked when performing sensitive tasks, it is recommended that a combination of these authentication mechanisms be chained together for enhanced security. CloudMinder supports the enforcement of two-step authentication for a selected flow. When two-step authentication is enabled, an end user is authenticated consecutively using two different authentication methods.
Note: Every time secondary authentication is invoked in a flow, one or more secondary authentication mechanisms are exhausted. Therefore, ensure that you enable as many secondary authentication mechanisms as possible. An error occurs if secondary authentication is invoked and no mechanism is left.
Security Question (question and answer pairs) and Security Code, which is similar to a one-time password, are the supported secondary authentication mechanisms.
The sections that follow describe the primary and secondary authentication mechanisms that the Advanced Authentication service provides. You can request a combination of these authentication mechanisms.
This section contains the following topics:
Security Question (Question and Answer Pairs)
Copyright © 2012 CA. All rights reserved.