Enterprise Access Management SSO Authentication Methods

Imprivata Enterprise Access Management offers many administrative tools to simplify and monitor user access to network resources. It supports a wide variety of methods for authenticating to Enterprise Access Management.

  • Each user must have at least one authentication method for logging in to Enterprise Access Management and unlocking workstations.
  • Users also use their authentication methods when challenged, as described in User Challenges.

Two-Factor Authentication

Enterprise Access Management for SSO offers a two-factor authentication solution that strengthens IT security by requiring users to provide a second form of identification for authentication. Enterprise Access Management supports the following first and second factors for authentication. For some first factors, you can allow a limited user choice for the second factor. For example, if proximity card is the first factor, you can allow fingerprint or network password as the second factor.

First Factor (supported Second Factors listed beneath each)

Network Password
  • None
  • Imprivata ID*

Fingerprint Authentication
  • None
  • Network password
  • Imprivata PIN

Passive Proximity Cards
  • None
  • Network password
  • Imprivata PIN
  • Fingerprint

FIDO Security Key
  • None
  • Network password
  • Imprivata PIN
  • Fingerprint

Smart Card or Smart USB Token
  • Any available authentication method the card or token has, for example, a PIN

One-time password (OTP) token (OneSpan/VASCO OTP Tokens, Symantec VIP Credential, or External ID Tokens)
  • Any available authentication method the token has, for example, a PIN
  • Network password

Security Questions (Q&A)
  • None

* The Ohio State Board of Pharmacy does not currently allow Imprivata ID as an authentication method for non-EPCS workflows.

Imprivata ID for Windows Access

Imprivata offers two-factor desktop authentication with Imprivata ID:

  1. The user logs in to the desktop with their username and password.

  2. Imprivata ID sends a push notification to the user's device.

  3. The user accepts and is granted access.

This workflow can be configured by user policy, by computer policy, or a combination of both. See Imprivata ID for Windows Access.

Additional Authentication

In addition to strong authentication methods, Enterprise Access Management for SSO provides the following methods for securing access to EAM:

  • Remote Device Authentication — Allows remote authentication between any two computers with Imprivata agents, even if the remote computer requires a proximity card, smart card, fingerprint scanner, or other device for authentication.

  • Imprivata OneSign ProveID — Allows external applications or devices to access Enterprise Access Management authentication services.

  • Imprivata ProveID Embedded — Allows thin clients to access virtual desktops, applications, and Enterprise Access Management authentication services. Click the link to see a table of supported first and second factor authentication methods for Imprivata ProveID Embedded.

    Note that in Imprivata offline mode, Imprivata ProveID Embedded primary authentication methods are limited to only password or proximity card, and two-factor authentication methods are limited to proximity card plus password.

  • For Persistent Applications — When configuring Imprivata support for persistent applications in Citrix XenApp® published desktops, see the list of supported first and second factor authentication methods in Configuring Persistent Applications for Citrix XenApp with Manually Launched Applications.

  • Offline Authentication — Allows users to log in to Enterprise Access Management when the Imprivata agent cannot connect to the Imprivata server. This is useful for users who might spend a lot of time disconnected from the network. Click the link to see the list of authentication methods that can and cannot be used for offline authentication.

  • Walk-Away Security — A comprehensive set of tools for securing unattended workstations.

The Enterprise Access Management for MFA (formerly Confirm ID) Authentication Methods topic provides a table of two-factor authentication methods supported for MFA, plus a link to lists of authentication methods allowed for MFA workflows such as for Electronic Prescription of Controlled Substances (EPCS).