Face Recognition as an Authentication Method

Applies to iOS and Android devices.

Imprivata Mobile Access Management supports face recognition as an authentication method for device check out, using the integration with Imprivata Enterprise Access Management as the identity provider.

Face Recognition Authentication Methods for Device Check Out

Some combinations of authentication factors available in Imprivata Enterprise Access Management are not supported by Mobile Access Management for device Check Out.

The following table illustrates the EAM primary and secondary authentication method selections and the resulting Check Out behaviors in MAM when used with face recognition.

Each row lists the EAM primary method, the EAM secondary method, and the resulting MAM device Check Out behavior.

Check Out is initiated by the user taking a device out of the Smart Hub

Primary: Face recognition
Secondary: Password
Device Check Out Behavior:
  • User taps Unlock with password on the Imprivata Locker lock screen.

  • User enters username and password.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.

Check Out is initiated by the user tapping their proximity card on a Launchpad

Primary: Face recognition
Secondary: Proximity Card
Device Check Out Behavior:
  • User taps their proximity card on the Launchpad's proximity card reader.

  • The device is selected.

  • Imprivata Locker lights up the device's display screen.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.

Primary: Face recognition
Secondary: Security Key or Imprivata PIN or Proximity Card
Device Check Out Behavior:
  • User taps their proximity card on the Launchpad's proximity card reader.

  • The device is selected.

  • Imprivata Locker lights up the device's display screen.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.

Prerequisites

Take note of the following prerequisites:

Requirements

  • The Imprivata Cloud Connect service to your tenant on the Imprivata Cloud Platform must be up and running.

  • Users in a policy enabled for face recognition must be synced from Active Directory (AD) to Entra ID.

  • The cloud must be synced from AD to Entra ID with Entra Connect.

  • Users must already have their username and password enrolled with Imprivata Enterprise Access Management SSO, and they must have used their username and password against the Imprivata appliance at least once. This includes logging into their desktop, or logging into the Imprivata enrollment utility.

  • Internet access is required for facial biometric authentication.

    If the device cannot connect with your Imprivata Cloud Platform, an error message appears during authentication. In this scenario, the user can select another authentication method (password, Imprivata PIN, etc.) to complete the authentication.

  • Imprivata Licensing: Face recognition authentication requires an Authentication Management license and a Confirm ID for Remote Access license.

  • Imprivata Locker app requirements:

    • iOS: Imprivata Locker for iOS 4.0 or later.

    • Android: Imprivata Locker for Android 2.0 or later.

    • The user must grant access to the device's camera to use face recognition.

Additional Resources

For more information, see the Imprivata Enterprise Access Management online help.

Before You Begin

Face recognition authentication for MAM requires:

  1. The Imprivata appliances in your Imprivata enterprise must be running Imprivata Enterprise Access Management 25.2 or later.

    For more information on upgrading your Imprivata appliances, see the Imprivata Upgrade portal.

  2. Complete the connection between your Imprivata enterprise and your tenant on the Imprivata Control Center. See Secure Connection to Imprivata Cloud Platform.

Secure Connection to Imprivata Cloud Platform

Configure the secure connection between your Imprivata appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration.

Setup Wizard

Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection.

Before You Begin

  • You need a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).

  • You need access to your Imprivata Admin Console.

Wizarding Steps

The setup wizard leads you through the following steps:

  1. Agree to the Data Processing Addendum.

  2. In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.

  3. On the Imprivata Access Management integration page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.

    On this page, copy the Enterprise integration ID to your clipboard.

  4. In the Cloud Tenant Setup Wizard, paste the Enterprise integration ID.

  5. Click Create integration token and then Copy integration token.

  6. In the Imprivata Admin Console, on the Imprivata Access Management integration page, paste the integration token, and click Integrate.

  7. To enable SSO to the Imprivata Control Center using your SAML IdP, select Administrator console single sign-on using SAML before you leave this page.

  8. Copy the Imprivata SP metadata URL and provide it to your IdP.

    NOTE:
    • Sign On URL: https://access.imprivata.com

    • Logout URL: copy your ACS URL, and replace /saml2/acs with /saml2/slo/redirect

    • Recommended: Configure Group ID (rather than group name) as the source attribute for group claims.

  9. Enter your IdP's SAML metadata in the wizard.

  10. Configure the groups that identify users with administrative access.

  11. Add your organization's business email address, user-facing name, and logo.

Stopping and Restarting This Connection

You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).

  1. In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.

  2. Imprivata Cloud Connect status is either Running or Disabled (stopped).

  3. Select Stop/restart options.

  4. Select from:

    • Stop Imprivata Cloud Connect on this appliance

    • Restart Imprivata Cloud Connect on this appliance

    • Stop Imprivata Cloud Connect on all appliances

    • Restart Imprivata Cloud Connect on all appliances

      NOTE:

      In this context, "Restart" means "start this stopped connection" and also "restart this connection that is already running".

  5. Click Go.
