

Strong Authentication Mechanisms

The Advanced Authentication service provides strong authentication by using ArcotID PKI and ArcotID OTP, which are based on the patented Cryptographic Camouflage key concealment technology. Tenants can request the authentication mechanism that best suits the security requirements of their organization. In Cryptographic Camouflage, a key is encrypted such that only one key decrypts it correctly, while decryption can still produce many keys that look valid enough to fool an attacker. In this way, the Cryptographic Camouflage technique protects an end user's private key against dictionary attacks and Man-in-the-Middle (MITM) attacks, as a smartcard does, but entirely in software.
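A simplified sketch of the idea described above, added here as an illustration and not CA's or Arcot's implementation: a random 256-bit key is masked with a PIN-derived pad, so every PIN guess decrypts to a well-formed key and only a server that limits attempts can tell the candidates apart. The XOR/PBKDF2 construction, the `Server` class with its failure limit, and the sample PIN are assumptions made for the example.

```python
import hashlib, hmac, secrets

KEY_LEN = 32  # bytes; the protected secret is a uniformly random 256-bit key

def _pad(pin: str, salt: bytes) -> bytes:
    # PIN-derived pad. Iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1000, KEY_LEN)

def camouflage(secret_key: bytes, pin: str, salt: bytes) -> bytes:
    # No MAC, checksum, padding or header is stored: nothing in the blob
    # can tell a correct PIN from a wrong one.
    return bytes(a ^ b for a, b in zip(secret_key, _pad(pin, salt)))

def uncover(blob: bytes, pin: str, salt: bytes) -> bytes:
    # Always "succeeds": every PIN yields a well-formed 256-bit key.
    return bytes(a ^ b for a, b in zip(blob, _pad(pin, salt)))

class Server:
    """Hypothetical verifier: only it can tell candidates apart, and it limits attempts."""
    def __init__(self, secret_key: bytes, max_failures: int = 3):
        self._key, self._left = secret_key, max_failures

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self._left <= 0:
            return False  # locked out after too many failures
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            return True
        self._left -= 1
        return False

def respond(candidate_key: bytes, challenge: bytes) -> bytes:
    return hmac.new(candidate_key, challenge, hashlib.sha256).digest()

def demo():
    salt, real_key = secrets.token_bytes(16), secrets.token_bytes(KEY_LEN)
    blob = camouflage(real_key, "4821", salt)  # constructed sample PIN
    server, challenge = Server(real_key), secrets.token_bytes(16)
    # Offline view of a stolen blob: each guess is a distinct, plausible key.
    guesses = {uncover(blob, f"{p:04d}", salt) for p in range(200)}
    def attempt(pin):
        return server.verify(challenge, respond(uncover(blob, pin, salt), challenge))
    ok = attempt("4821")
    wrong = [attempt(f"{p:04d}") for p in range(5)]
    return len(guesses), ok, wrong, attempt("4821")  # last call: locked out
```

A conventional encrypted key file carries padding or an integrity check that lets a dictionary search confirm a guess offline; here the only oracle is the server, which stops answering after a few failures.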

Primary authentication

Primary authentication refers to the typical authentication flow in which an end user accessing a protected resource is prompted for the user name and password (or OTP, if the ArcotID OTP credential is used). ArcotID PKI and ArcotID OTP are the supported primary authentication mechanisms.

Secondary authentication

Secondary authentication refers to the additional authentication that is performed in the following cases:

Question and answer pairs, and Security Code, which is similar to a one-time password, are the supported secondary authentication mechanisms.

A tenant can request a combination of these authentication mechanisms.

As secondary authentication is typically invoked when performing sensitive tasks, it is recommended that a combination of these authentication mechanisms be chained together for enhanced security. CloudMinder supports the enforcement of two-step authentication for a selected flow. When two-step authentication is enabled, an end user is authenticated consecutively using two different authentication methods.

The sections that follow describe the primary and secondary authentication mechanisms that the Advanced Authentication service provides.

This section contains the following topics:

ArcotID PKI

ArcotID OTP

Security Code

Question and Answer Pairs