Configuring Authentication Methods in User Policies

Offline authentication allows a user to log into Enterprise Access Management even when the Imprivata agent cannot connect to the Imprivata server. The Imprivata agent uses cached encrypted credentials until it can again contact the server. This is especially useful for laptop users and others who might spend a lot of time disconnected from the network.

Offline authentication can be used with the following authentication methods, singly or in combination. Any of these authentication methods can be used as first factor or second factor for offline authentication, except as described for passive proximity card:

• Password

• OneSpan/VASCO OTP token (but not other ID tokens; see Managing an Individual OneSpan (VASCO) OTP Token)

• Fingerprint

• Passive proximity card (when used as a first factor for offline authentication, this requires and supports only password or PIN as second factor authentication)

• The Spine Combined Workflow

Offline authentication cannot be used with:

• FIDO Security Keys

• ID Token (except OneSpan (VASCO) OTP, if you have the optional VASCO OTP Token Authentication licensed option)

• Security questions (Q&A) for emergency access

• Anonymous Citrix sessions

When the Imprivata agent cannot connect to any appliance, the service will continue in offline mode if offline authentication is allowed. This is rarely needed when two appliances are located at the same site. Agents will also go into offline mode when:

• There is only one appliance at a site; and

• The appliance goes offline during an upgrade; and

• Failover between sites is not enabled. See Configuring Imprivata Sites.

Enabling Offline Authentication

To enable offline authentication:

1. Go to the User policies page > Authentication tab > Desktop Access authentication section.

2. Select Allow offline authentication.

3. Click Save.

Select the authentication method(s) that you want to enable for users in the user policy:

• Password

• Configuring Enterprise Access Management Fingerprint Verification

• Proximity Card

• Security Key

• Enterprise Access Management Authentication for Smart Cards or USB Tokens with Microsoft Active Directory (AD) Certificates

• Authentication for Smart Cards or USB Tokens with External Certificates

• External OTP tokens

• OneSpan (VASCO) OTP tokens

• Security questions (Q&A)

You can configure the security questions presented to users in the policy.

Nineteen default questions are available. You can configure the language of each question and specify whether or not the question is mandatory. You can also add and delete questions.

To enable security questions:

1. Click the Authentication tab and go to the Desktop Access authentication section.

2. Select Answer security questions.

Adding a Security Question

To add a new question to be used for password self-services:

1. Click View and modify security questions to open the list of security questions.

2. Click Add a New Question.

3. Enter the question for the required languages. The languages selection is sticky. When a user selects a locale in Windows, all subsequent use of the password self-services feature for that user uses the language associated with that locale (until the user selects another locale).

4. Optional – Select Mandatory to require users to answer the question.

Deleting a Security Question

To delete a question from the password self-services list:

1. Click View and modify security questions to open the list of security questions.

2. Click the X in the far-right column to delete the question. A window opens in which you can select the translations of the question to delete.

3. Click Delete to delete all the checked translations.

Configuring Settings for Security Questions

The options for the security questions desktop authentication method are located in the Authentication method options section of the Authentication tab under Security questions. Settings include:

• Number of questions required to enroll — The number of questions the user must answer when enrolling their security questions for the first time.

• Number of questions that must be answered to authenticate — The number of questions that the user must answer when authenticating using security questions.

• Maximum security question logins per month — You can restrict the number of times in one month that a user can authenticate using security questions. You can further increase security at some workstations by configuring more secure authentication methods than required in user policy with the Override and Restrict feature. See Setting Computer Policies to Override User Policies.

Deleting Emergency Access Enrollment Data for a User

Occasionally a user wants to change the answers to emergency access questions or to select different questions to answer. In this situation, you need to delete the existing data to make way for the new data.

You can delete a user’s emergency access enrollment data from the user's user record. Click Save when you are finished.

Resetting the Emergency Access Usage Counter

If a user has exhausted the number of emergency access uses permitted by your policy, you can reset the usage counter in the user's user record to 0. Click Save when you are finished.

Preventing Emergency Access at Some Computers

You can restrict emergency access at individual computers by deselecting the Answer security questions option in a computer policy applied to the affected computers (computer policy Override and Restrict tab > Desktop Access Authentication Restrictions section).

You can configure an Imprivata PIN as a secondary factor of authentication. An Imprivata PIN can be used with select primary authentication factors, including Imprivata ID (MFA workflows only).

• By default, when a user policy supports an Imprivata PIN, assigned users are prompted to enroll it when logging in for the first time. Users must complete the enrollment to login.

• If users are not required to enroll an Imprivata PIN, they can use the Imprivata enrollment utility to create it at any time.

Configure the settings in the Authentication method options > Imprivata PIN section in the Authentication tab of a user policy:

1. Enter a minimum and maximum value in the PIN length field.

2. Verify that the default values of Require users to enroll Imprivata PIN and PIN expiration meet your requirements.

3. (Optional) Configure the following settings to meet numeric PIN composition rules only. The following do not apply to PINs that contain letters and special characters (complex PINs):
   • Repeated digits – Prevents users from creating a PIN by using the same number for the entire PIN.

     Example – The minimum/maximum PIN length is 5. A valid PIN is 11112. An invalid PIN is 11111.

   • Consecutive numbers – Prevents users from creating a PIN using consecutive numbers.

     Example – The default minimum/maximum PIN length is 5. A valid PIN is 12347. An invalid PIN is 12345.

4. (Optional) Enter password history requirements in the PIN that matches the last x PINs created field.

5. (Optional) Select Allow PIN letters and special characters to enable a complex PIN.

6. Click Save.

The following settings are available in the Authentication method options section of the Authentication tab under Proximity card:

• Specify the number of cards a user is allowed to enroll — The number of proximity cards that a user can enroll.

• Allow users to enroll a replacement card — If you restrict the number of cards assigned to each user, you can allow users with this policy to enroll a replacement card when they first use it to log in. The new card is effective immediately and all other cards assigned to the user are immediately disabled.

  BEST PRACTICE:

  When enabled, the user can only enroll a replacement card if the user can authenticate the enrollment. For example, if your desktop access policy requires two-factor authentication, your users will not be able to enroll a new proximity card if they only have a password.

  Set up another authentication method besides password and proximity card.

  Alternatively, set up a single computer dedicated to proximity card enrollment. A computer policy for this endpoint that allows password-only authentication overrides your user policy that requires two-factor authentication.

Computer policies contain additional settings that you can assign to each computer to manage the sensitivity of proximity card readers.

Proximity card authentication is detailed in Configuring Passive Proximity Card Authentication.

To pre-enroll and allowlist proximity cards in bulk, see Managing Proximity Cards.

Remote Proximity Card Authentication via RDP

For remote proximity card authentication via RDP, see Remote Device Authentication to Imprivata OneSign.

The following settings are available in the Authentication method options section of the Authentication tab under Security Key:

• Allow users to enroll multiple security keys. You can select between 1 - 15 keys, or unlimited keys. Setting this value does not affect the user's previously enrolled security keys.

• You can also allow users to enroll a replacement security key; enrolling a replacement key will remove previously enrolled security keys.

• You can set a grace period for the second authentication factor after successful security key authentication, up to 24 hours 59 minutes.

Security Key authentication is detailed in Configuring FIDO Security Key Authentication.

Fingerprint Authentication settings apply when fingerprint is used for authentication only. If your Imprivata enterprise is licensed for Fingerprint Identification, these settings do not apply.

Fingerprint Authentication Attempts Before Failure

In this scenario, the user types their username in the login screen, and they are prompted to place their finger on the fingerprint reader. This value is used to define how many times a user can unsuccessfully authenticate with their finger before the attempts are counted as a "failure".

Each time a person places the wrong finger or the finger cannot be scanned by the fingerprint reader, a message is displayed "Imprivata could not authenticate you. Try again."

Enterprise Access Management counts these failures to trigger a user account lockout. See User Lockout Policy.

1. On the Authentication tab of a user policy, make sure Fingerprint is selected in the Primary factors section of the Desktop Access authentication section.

2. In the Authentication method options section of the Authentication tab, under Fingerprint, select a value for Number of sequential failed fingerprint authentication attempts before authentication failure. The default value is 2.

3. Edit other settings in this section if necessary, then click OK.

4. Save the user policy.

To configure how many failures will trigger a user account lockout, see User Lockout Policy.

Maximum Allowed Enrolled Fingers

You can limit the number of fingerprints a user can enroll.

Allowing Enterprise Access Management Users to Manage Finger Enrollment Data

When users first enroll for fingerprint authentication, they are required to scan at least one finger. Users may be unable to or unwilling to enroll a second finger immediately.

Select Allow users to manage fingerprints to let users assigned to this user policy access the Imprivata enrollment utility, which lets them manage enrolled fingers.

See Enrolling Authentication Methods to learn about the enrollment utility.

The following options apply only to SSO authentication; they are configured in the Authentication method options section of the Authentication tab under VASCO OTP token.

Allow Self-Enrollment

VASCO OTP token authentication requires one of the following:

• An administrator whom assigns OTP tokens to users.
• Users that self-enroll OTP tokens during EAM authentication.

Selecting Allow users to enroll VASCO OTP tokens enables self-enrollment. During self-enrollment, the user is prompted to enter a VASCO OTP token serial number and passcode. If these match information in the VACMAN server, then the user is authenticated and the OTP token is enrolled.

Allow Offline Authentication to EAM with VASCO OTP Tokens

VASCO OTP token users can take advantage of offline authentication to EAM for the amount of time specified by the Offline data lifespan setting . When the user authenticates to EAM, authentication data sufficient for the offline period is downloaded to and cached on the Imprivata agent.

Configure the Offline Data Lifespan

Users who have VASCO OTP tokens with offline authentication to EAM have a limited amount of time during which the data cached on the user’s Imprivata agent will enable authentication.

If you have the Single Sign-On license, then this value can be less than or equal to that set in the Limit offline single sign-on data lifespan value set on the user policy's Single Sign-On tab. This is described in Limit Offline Single Sign-On Data Lifespan?

Requiring EAM Users to Enroll VASCO OTP Tokens

VASCO OTP tokens must be enrolled with EAM. If an Administrator has not assigned VASCO OTP tokens to users, users must self-enroll. After signing in to EAM, the Imprivata enrollment utility prompts these users to enroll their OTP token.

By default, users can defer enrollment indefinitely by authenticating with a password only. You can prevent deferment by selecting Lock computer if user cancels enrollment.

When set, the Imprivata enrollment utility prompts for two minutes, after which the computer locks, forcing re-authentication.

If this feature is required only on select computers, you can implement it using computer policies that restrict access to specific computers to enrolled VASCO OTP users only.