User Challenges
Challenges are managed on the Challenges tab of a user policy. Challenges help to ensure the current user is indeed the person who authenticated at the start of the session. Challenges help to maintain security in situations where more than one user has access to a computer.
When a challenge occurs, the user's Imprivata OneSign session is paused until the user successfully re-authenticates.
If you have a Single Sign-On license, then while the session is paused, the user does not have SSO to any applications. The challenge does not affect any applications that the user is already logged into at the time of the challenge. Applications continue to run normally.

Imprivata OneSign supports two types of challenges:
- Period of Inactivity — If a desktop has been inactive for this period, then the user must re-authenticate before being allowed to continue. Any user can authenticate at the challenge dialog box. For example, if you set this to five minutes, then the agent demands re-authentication if the mouse or keyboard have not been used for five minutes. Low values can be annoying to users and are best suited to settings where users are accustomed to the demands of high security.
  NOTE: To disable this feature, set it to 0 minutes.
- Time Interval — You can set a confirm-identity challenge to occur at the end of a specified time window. Only the current user can confirm identity; the username in the dialog box cannot be changed. For example, if you set the Time interval between Challenges to 60 minutes, the challenges will always be one hour apart.
  NOTE: To disable this feature, set it to 0 minutes.

The workstation hot key user policy setting allows users to suspend a session by pressing a single key. The hot key locks the user's session so nobody else can access the open applications, but it does not end the session unless another authorized user logs in. If no other authorized user authenticates, then the original user can return to the original open session. If another user logs into the workstation, then the original user is logged out; in an Imprivata OneSign SSO environment, all applications that are profiled within Imprivata OneSign are shut down.
The hot key to lock the workstation or log off the user is configured on the Challenges tab of the User policies - edit page.

On shared kiosk workstations, when a user presses the hot key, you can have Imprivata OneSign either:
- Lock Workstation/Suspend Imprivata OneSign Session — The session is suspended, but all applications remain available pending the return of the user. If another authorized user attempts to log into Imprivata OneSign in the first user’s absence, then Imprivata OneSign closes the first user’s session before allowing the new user to gain access.
- Log Off User/Terminate Imprivata OneSign Session — The user is logged out of Windows.
NOTE: User education is important in ensuring that users lock their workstations.

To set a hot key, enter a supported key in the Hot Key to Lock Workstation or Log Off User edit box. The hot key keystroke glossary shows you how to enter the most common keys.
Hot keys can be:
- Any letter, number, or punctuation key, Backspace, Enter, Shift, Caps Lock, Tab, but none of the bottom row of keys except the Spacebar.
- Esc, F1 through F11 (but not F12), and Scroll Lock (but not Print Screen or Pause).
- Insert, Delete, Page Up, Page Down, and the four Arrow keys.
- All 16 keys of the number pad.

You can also use any supported key modified by a preceding Alt, Shift, and/or Ctrl key.
To specify a modified hot key sequence:
- The sequence can have multiple modifier keys, but only one non-modifier key.
- Accented keys are not supported.
- It can have zero or more of the Ctrl (^), Alt (%), and Shift (+) control key modifiers.
- The control key modifiers must be specified before the key.
NOTES:
- Do not use F12, %F4 (Alt-F4) or ^F4 (Ctrl-F4) for the hot key since these are reserved to shut down applications in Windows.
- Do not use the Home or End key if you have the Imprivata OneSign Single Sign-On licensed feature. Imprivata OneSign uses the Home key in some credential proxying operations, so logging into an application could lock the user’s desktop.
The following are hot-key examples:
Hot Key | Sends Key Sequence | Acceptable?
---|---|---
F4 | F4 | Yes
+F4 | Shift-F4 key combination | Yes
^+%F4 | Ctrl-Shift-Alt-F4 | Yes
Abc | Abc | No, multiple non-control keys
A+ | A-Shift | No, modifier in wrong position
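The rules above (modifiers before exactly one key, F12 and Alt-F4/Ctrl-F4 reserved, Home/End unsafe with SSO) can be checked before a hot key is saved into a policy. The validator below is an added example, not Imprivata code; the spellings it uses for named keys (F4, ENTER, PAGEUP, NUMPAD0, ...) are an assumption, since the product's own keystroke glossary defines the real ones. It reproduces the verdicts in the table, including why ^+%F4 is acceptable while ^F4 alone is not.

```python
"""Validator for hot-key strings in the notation this page uses
(Ctrl = ^, Alt = %, Shift = +, followed by exactly one key).

Added example, not Imprivata code. The spelling of named keys is an
assumption; the product's keystroke glossary defines the real spellings.
"""
import string

MODIFIERS = {"^": "Ctrl", "%": "Alt", "+": "Shift"}

# Named keys the page lists as supported; spellings assumed.
NAMED_KEYS = (
    {"BACKSPACE", "ENTER", "SHIFT", "CAPSLOCK", "TAB", "SPACE", "ESC",
     "SCROLLLOCK", "INSERT", "DELETE", "PAGEUP", "PAGEDOWN",
     "UP", "DOWN", "LEFT", "RIGHT",
     # Home and End are usable unless the SSO feature is licensed.
     "HOME", "END"}
    | {f"F{n}" for n in range(1, 12)}                 # F1 through F11 only
    | {f"NUMPAD{n}" for n in range(10)}               # 16 number-pad keys
    | {"NUMPADADD", "NUMPADSUB", "NUMPADMUL", "NUMPADDIV",
       "NUMPADDOT", "NUMPADENTER"}
)

# Keys the page rules out even though they look like ordinary keys.
UNSUPPORTED = {"F12", "PRINTSCREEN", "PAUSE"}


def validate_hot_key(seq: str, sso_licensed: bool = False) -> tuple[bool, str]:
    """Return (acceptable, reason). The reason is the human-readable key
    combination when acceptable, or the rule that rejected it otherwise."""
    if not seq:
        return False, "empty hot key"

    # Modifiers must come first; collect them in the order written.
    mods = []
    i = 0
    while i < len(seq) and seq[i] in MODIFIERS:
        mods.append(MODIFIERS[seq[i]])
        i += 1
    key = seq[i:]

    if not key:
        return False, "no non-modifier key"
    if any(c in MODIFIERS for c in key):
        return False, "modifier in wrong position"          # e.g. "A+"
    if any(ord(c) > 127 for c in key):
        return False, "accented keys are not supported"

    upper = key.upper()
    if len(key) == 1:
        if key not in string.ascii_letters + string.digits + string.punctuation + " ":
            return False, f"unsupported key {key!r}"
        label = "Space" if key == " " else key
    elif upper in UNSUPPORTED:
        return False, f"{upper} is not a supported hot key"
    elif upper in NAMED_KEYS:
        label = upper
    else:
        return False, "multiple non-control keys"          # e.g. "Abc"

    # Alt-F4 and Ctrl-F4 are reserved by Windows to close applications;
    # Ctrl-Shift-Alt-F4 is not, so the check is on the exact modifier set.
    if label == "F4" and mods in (["Alt"], ["Ctrl"]):
        return False, f"{mods[0]}-F4 is reserved to shut down applications"
    if sso_licensed and label in {"HOME", "END"}:
        return False, f"{label} conflicts with credential proxying when SSO is licensed"

    return True, "-".join(mods + [label])


if __name__ == "__main__":
    for candidate in ("F4", "+F4", "^+%F4", "Abc", "A+", "%F4", "F12"):
        print(f"{candidate:8} -> {validate_hot_key(candidate)}")
```

Pass sso_licensed=True when the policy belongs to a deployment with the Single Sign-On feature, so that Home and End are rejected as the page advises.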

Hot key behavior can be confusing on virtual desktops and RDP sessions. The following tables show the behavior in four common scenarios using F4 and F3 as hot keys. In each table, User Action is the key the user presses, and the last three columns give the result depending on whether the virtual desktop is full screen and where the user last clicked.
Citrix Published Full Desktop or Citrix XenDesktop
Endpoint Hot Key | Virtual Desktop Hot Key | User Action | Full Screen, mouse click on XenDesktop | Not Full Screen, mouse click inside XenDesktop | Not Full Screen, mouse click outside XenDesktop
---|---|---|---|---|---
F4 | F4 | F4 | EP locked, EP locked (registry configurable) | EP locked, EP locked (registry configurable) |
F4 | F3 | F3 | EP locked, VD locked* | EP locked, VD locked* | Nothing happens
F4 | F3 | F4 | EP locked | EP locked | EP locked
F4 | Disabled | F4 | EP locked | EP locked | EP locked
* This behavior is configured in the registry. Set LockVirtualSessionWithHotkey to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent.
RDP Session or VMware Horizon with RDP and PCoIP Protocols
Endpoint Hot Key | Virtual Desktop Hot Key | User Action | Full Screen, mouse click anywhere but the black bar on top | Not Full Screen, mouse click inside VD | Not Full Screen, mouse click outside VD
---|---|---|---|---|---
F4 | F4 | F4 | EP locked, VD locked* | EP locked, VD locked* |
F4 | F3 | F3 | EP locked, VD locked* | EP locked, VD locked* | Nothing happens
F4 | F3 | F4 | No reaction | No reaction | EP locked
F4 | Disabled | F4 | No reaction | No reaction | EP locked
* This behavior is configured in the registry. Set LockVirtualSessionWithHotkey to a value of 1 in HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent.

You can allow some users to continue to use Imprivata OneSign services even when their computers are not connected to the Imprivata OneSign server. Users with offline privileges eventually return online; at that point you can require a re-authentication challenge, or allow a period during which re-authentication is not necessary.
Select a value for the Always challenge users when transitioning from offline to online? setting based upon your requirements for security and user convenience:
- Yes — This high-security setting ensures that no user comes online without re-authenticating.
- No, don’t challenge if it is within d days and h hours since their last successful online authentication — For user speed and convenience you can allow challenge-free re-authentication within the time window specified here. To disable re-authentication challenges for users with this user policy, set these values to 0.
NOTE: You can allow this convenience for users at some computers while overriding this setting for specific computers with their computer policies; see Setting Computer Policies to Override User Policies.
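The three timers on this page (the period-of-inactivity and time-interval challenges described at the top, and the offline-to-online challenge described here) all share the convention that 0 disables the challenge. The simulation below is an added example, not Imprivata code; the policy field names, the assumption that a challenged user re-authenticates immediately and thereby resets only the timer that fired, and the event stream are all constructed for illustration.

```python
"""Evaluator for the re-authentication settings on this page: period of
inactivity, time interval between challenges, and the offline-to-online
challenge. Added example, not Imprivata code; field names and the
simulated event stream are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChallengePolicy:
    inactivity_minutes: int = 0            # 0 disables the inactivity challenge
    interval_minutes: int = 0              # 0 disables the time-interval challenge
    always_challenge_on_reconnect: bool = True
    grace_days: int = 0                    # "d days and h hours" window, used only
    grace_hours: int = 0                   # when always_challenge_on_reconnect is False


def inactivity_challenge_due(p, last_input, now):
    """Any user may re-authenticate; the timer is keyboard/mouse idle time."""
    if p.inactivity_minutes <= 0:
        return False
    return now - last_input >= timedelta(minutes=p.inactivity_minutes)


def interval_challenge_due(p, last_confirmed, now):
    """Only the current user may confirm identity; the timer runs from the
    session start or the last confirmation."""
    if p.interval_minutes <= 0:
        return False
    return now - last_confirmed >= timedelta(minutes=p.interval_minutes)


def reconnect_challenge_due(p, last_online_auth, now):
    """Offline-to-online transition: 'Yes' always challenges; otherwise the
    d days / h hours window applies, and 0 days and 0 hours disables it."""
    if p.always_challenge_on_reconnect:
        return True
    grace = timedelta(days=p.grace_days, hours=p.grace_hours)
    if grace == timedelta(0):
        return False
    return now - last_online_auth > grace


def simulate(p, session_start, events):
    """Replay (kind, time) events and return the challenges raised.
    Assumption: a challenged user re-authenticates at once, which resets
    only the timer that raised the challenge."""
    last_input = last_confirmed = last_online_auth = session_start
    raised = []
    for kind, at in events:
        if kind == "input":                        # mouse or keyboard activity
            last_input = at
        elif kind == "tick":                       # agent's periodic check
            if inactivity_challenge_due(p, last_input, at):
                raised.append((at, "inactivity"))
                last_input = at
            if interval_challenge_due(p, last_confirmed, at):
                raised.append((at, "interval"))
                last_confirmed = at
        elif kind == "reconnect":                  # computer comes back online
            if reconnect_challenge_due(p, last_online_auth, at):
                raised.append((at, "offline-to-online"))
                last_online_auth = at
    return raised


# Constructed example policy and event stream (not real agent data).
POLICY = ChallengePolicy(inactivity_minutes=5, interval_minutes=60,
                         always_challenge_on_reconnect=False,
                         grace_days=1, grace_hours=0)
T0 = datetime(2024, 1, 15, 9, 0)
EVENTS = [
    ("input", T0 + timedelta(minutes=2)),
    ("tick", T0 + timedelta(minutes=6)),        # idle 4 min: no challenge
    ("tick", T0 + timedelta(minutes=8)),        # idle 6 min: inactivity challenge
    ("input", T0 + timedelta(minutes=30)),
    ("input", T0 + timedelta(minutes=58)),
    ("tick", T0 + timedelta(minutes=60)),       # 60 min since start: interval challenge
    ("reconnect", T0 + timedelta(hours=11)),    # within 1 day: no challenge
    ("reconnect", T0 + timedelta(hours=24, minutes=30)),  # outside window: challenge
]

if __name__ == "__main__":
    for at, kind in simulate(POLICY, T0, EVENTS):
        print(f"{at:%Y-%m-%d %H:%M}  {kind}")
```

Setting always_challenge_on_reconnect to False with both grace values at 0 reproduces the page's "set these values to 0" behavior: the reconnect challenge never fires, while the inactivity and interval timers continue to apply independently.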