Configuring External OTP Tokens

Sites that have deployed Secure Computing SafeWord or RSA Security SecurID strong authentication tokens can leverage these existing investments. Imprivata includes built-in RADIUS integration to Secure Computing’s Premier Access and Remote Access Servers and RSA's Authentication Manager for token authentication. Imprivata can provide a seamless single-step desktop login using two-factor one-time passcodes for logging in to any SSO-enabled client/server, web, or legacy application from any Imprivata-enabled desktop. ID token-enabled users authenticating to Imprivata use their domain usernames instead of their ID token system usernames (these may be the same values). In all other ways Imprivata makes no changes to the user experience.

CAUTION:

When configuring external OTP tokens that are allowed for e-prescribing controlled substances, you are required to attest that the OTP token server is FIPS-compliant and that OTP tokens are properly enrolled per DEA EPCS regulations. This action is logged in the Imprivata audit records. FIPS 140-2 Level 1 compliant tokens are required when used to e-prescribe controlled substances. See Configuring External OTP Tokens for more information.

NOTE: If you are transitioning from RSA SecurID or Secure Computing SafeWord tokens to VASCO Digipass tokens, you can use both SecurID or SafeWord and OneSpan (previously VASCO) OTP tokens in the same Imprivata system.

NOTE: The names OneSpan and VASCO may be used interchangeably in Imprivata documentation and in the Imprivata Admin Console interface.

There are two steps to configuring the Imprivata appliance to work with an ID token server:

  1. Configuring the ID Token Server to Recognize the Imprivata Appliance.

  2. Configuring the Imprivata Appliance to Recognize the ID Token Server

Supported External OTP Tokens

Imprivata supports the following external OTP tokens:

  • RSA ID® tokens with RSA Authentication Manager®

  • Secure Computing SafeWord® tokens with PremierAccess® and RemoteAccess™ servers

  • External RADIUS hosts, including PhoneFactor (PhoneFactor tokens cannot be used for Enterprise Access Management with MFA workflows.)

Hardware Requirements

Each user needs a SecurID token. The tokens are powered by an integral battery and require no user maintenance. Tokens last between 2-5 years. There is no reader; the passcode is entered like a password, along with an optional personal PIN.

Monitoring and Reporting SecurID Token Authentications

You can get real-time notifications of a variety of network events, including enrollment for ID tokens.

PhoneFactor adds a second factor of authentication to your corporate login. Instead of the user entering a passcode from an ID Token, your PhoneFactor server calls the user’s phone with a passcode and instructions for secure authentication. Imprivata supports second-factor authentication with PhoneFactor.

Configuring the ID Token Server to Recognize the Imprivata Appliance

Follow the procedure specific to the type of external OTP token you are enrolling.

The RSA Authentication Manager cannot communicate with the Imprivata appliance until the RSA Authentication Manager has been configured to recognize it. In the RSA Authentication Manager system, appliances must be deployed as Agent Hosts.

To configure the Imprivata appliance as an agent host:

  1. Open the RSA Authentication Manager Admin UI (Start >Programs > RSA Security > RSA Authentication Manager Host Mode).
  2. From Agent Host, select Add Agent Host.
  3. In the Add Agent Host screen, enter the host name and network address of the Imprivata appliance.
  4. Use the Group Activations or User Activations buttons to activate any groups or users who will be using Enterprise Access Management.
  5. From RADIUS, select Manage RADIUS Server.
  6. Expand RSA RADIUS Server Administration menu and select RADIUS Clients.
  7. Click Add. The Add RADIUS dialog opens.
  8. Enter the name, description, and IP address of the Imprivata appliance.
  9. Enter a shared secret encryption key. You will use the key in step 4 of Configuring External OTP Tokens.
  10. Repeat Step 1 through Step 9 to configure all other appliances as agent hosts for the RSA Authentication Manager. Use thesame value for the encryption key.

    11. NOTE: Refer to your RSA Authentication Manager documentation for additional information about the RSA Authentication Manager system.

The PhoneFactor agent cannot communicate with the Imprivata appliance until the PhoneFactor agent has been configured to recognize it. In the PhoneFactor agent, your Imprivata appliances must be deployed as RADIUS clients.

To configure the Imprivata appliance as a PhoneFactor RADIUS client:

  1. Open PhoneFactor agent (Start > Programs > PhoneFactor > PhoneFactor Agent).
  2. From RADIUS Authentication, make sure Enable RADIUS authentication is selected.
  3. On the Clients tab, below the list of clients, select Add to add the Imprivata appliance as a RADIUS client.
  4. In the Add RADIUS Client window, enter the IP address of the Imprivata appliance. Enter a shared secret encryption key. You will use the key in Step 4 of The PhoneFactor agent cannot communicate with the Imprivata appliance until the PhoneFactor agent has been configured to recognize it. In the PhoneFactor agent, your Imprivata appliances must be deployed as RADIUS clients. .
  5. (Optional) Select Require PhoneFactor user match.
  6. Click OK.
  7. Repeat Step 1 through Step 6 to configure all other appliances in your Imprivata enterprise as RADIUS clients. Use the same value for the shared secret.

To configure the Imprivata appliance to recognize the ID token server:

  1. Open the Configure external OTP tokens page in the Imprivata Admin Console (Devices menu > Configure external OTP tokens).

  2. Enter the host name (or IP address) for the ID token server.

  3. Enter the authenticationport for the ID token system RADIUS server.

    4. NOTES:

    • The most commonly used authentication ports are 1812 and 1645.
    • For RSA SecurID OTP tokens, you can find the port number in the RSA Authentication Manager Configuration Management tool, under the entry for RADIUS in the Services section.

  4. Enter an encryption key that you used in Configuring the ID Token Server to Recognize the Imprivata Appliance.

  5. (PhoneFactor tokens) There may be a delay for the user to answer the phone and enter the code. Enter a value in the Additional time to wait... field to suit the needs of your users.

  6. Specify whether or not the OTP token is allowed for authenticating when e-prescribing controlled substances. If you select Allowed for EPCS, then when you click Save, you are prompted to attest that the OTP token server is FIPS-compliant and that OTP tokens are properly enrolled per DEA EPCS regulations. This action is logged in the Imprivata audit records.

  7. Specify how users enroll with external ID tokens:

    1. (PhoneFactor tokens) Leave Enroll users automatically selected. Use the username format that matches the usernames in the PhoneFactor agent users list.

    2. (RSA SecurID tokens) Select users enroll themselves. See Allowing Users to Enroll Their Own External OTP Tokens for Use with Enterprise Access Management.

  8. Click Save.

You assign token authentication and all other authentication methods via the user policies that you assign to each user. ID Token must be selected on the Authentication tab of a user policy for each authentication type for which you are using OTP tokens.

NOTE: PhoneFactor authentication is controlled like an ID Token, so PhoneFactor users must have ID token authentication selected in their user policies.

Revoking ID Token Authentication Privileges

Revoke ID Token authentication privileges via the user policies that you assign to each user. Create a different user policy and assign it to the user. See Creating and Managing User Policies.

You can have users enroll their own external OTP tokens. Select Users enroll themselves in the Enrolling users section of the Configure external OTP tokens page of the Imprivata Admin Console.

To self-enroll:

  1. Log into the computer to invoke an Enterprise Access Management authentication.
  2. Use your password to log in. The Imprivata enrollment utility prompts you to enroll the OTP token.
  3. Follow the utility prompts to enroll the OTP token.

    4. NOTE: The ID token system username may not be the same as your Windows username. Your ID token system Administrator will have this information.

Authenticating to Enterprise Access Management with OTP Tokens

Authenticating to Enterprise Access Managementwith OTP tokens differs slightly depending on the type of ID token you are using.

When the user is enrolled, the authentication process is straightforward. To authenticate via your SecurID token:

  1. Log into your computer. The Imprivata OneSign Log On window opens.
  2. Click Use my OTP at the bottom of the window.
  3. In the Passcode field, enter your passcode.

When you are authenticated, the authentication window closes.

To authenticate via PhoneFactor:

  1. Log into your computer. The Imprivata log on window opens.
  2. Enter your username and password.
  3. Click Use my OTP at the bottom of the window.
  4. Click OK, and wait for your phone to ring. Within a few moments, your phone will ring with further instructions. When you are authenticated, the authentication window closes.