Imprivata Confirm ID Authentication Methods
Imprivata Confirm ID supports a wide variety of authentication methods described in the sections below. Depending on federal and/or state regulations, some methods are not available for certain EMR signing workflows.
NOTE: The network passwords for Imprivata Confirm ID providers associated with DEA-regulated workflows must meet DEA requirements.
Two-Factor Authentication
Imprivata Confirm ID offers a two-factor authentication solution that strengthens IT security by requiring users to provide a second form of identification for authentication.
First Factor | Second Factor |
---|---|
Fingerprint Authentication | |
One-time password (OTP) token (VASCO OTP Tokens*, Symantec VIP Credential, or External ID Tokens) | |
Passive Proximity Cards‡ | |
Security Questions (Q&A)‡ | None |
SMS Code | |
Password Authentication‡ | |
* Providers who complete identity proofing via Norton Secure Login cannot e-prescribe controlled substances using a VASCO OTP token.
° The Ohio State Board of Pharmacy does not currently allow Hands-Free Authentication with Imprivata ID as an authentication method for non-EPCS workflows.
‡ Not accepted for e-prescribing controlled substances.
For the list of authentication methods that can and cannot be used for offline authentication and related details, see Offline Authentication.
For lists of authentication methods allowed for Imprivata Confirm ID workflows such as for EPCS, EPCS access control, and remote access login, see the Workflows Overview section of E-Prescription of Controlled Substances.
For a table of two-factor authentication methods supported for Imprivata OneSign and for links to other authentication method topics for Imprivata OneSign, see Imprivata OneSign Authentication Methods.
Authentication Method Overviews
The following sections describe the supported authentication methods and provide links to topics with additional information.

Hands Free Authentication automatically and securely retrieves a one-time password (OTP) from the provider's device to authenticate when signing electronic prescription orders. The OTP, which is generated every 30 seconds by the Imprivata ID app, is validated over an encrypted, low-energy Bluetooth connection between the endpoint computer and the provider's device. This workflow results in minimal disruption to the clinical workflow, as the provider does not have to touch or handle the device.
For complete information, see Hands Free Authentication for Imprivata Confirm ID.
Licensing Hands Free Authentication to Some or All Imprivata ID Users
Hands Free Authentication is an available licensed option for some or all of your Imprivata ID users.
In a user policy, go to the Authentication tab > Licensed options. Imprivata ID is not a licensed option per se, but the checkbox Hands Free Authentication controls whether the users in this policy can use Hands Free Authentication with their Imprivata ID:
- User policy with Hands Free Authentication license — Hands Free Authentication, push authentication, and manual entry of a one-time password are available.
- User policy without Hands Free Authentication license — Push authentication and manual entry of a one-time password are available.
Imprivata ID Push Authentication
During the Remote Access or Imprivata ID for Windows Access workflow, the user can still authenticate with the Imprivata ID app even though the user's mobile device is outside your enterprise network. A notification is sent to the user's device; the user presses the notification and then accepts or rejects the authentication. The low-energy Bluetooth connection between the Imprivata ID app and the Imprivata agent is not required.
Imprivata ID with Symantec Tokens
Imprivata Confirm ID supports authentication with Symantec tokens in the Imprivata ID app. For complete information, see Hands Free Authentication for Imprivata Confirm ID.

The Remote Access workflow supports SMS text notifications to any iOS or Android device that accepts SMS messaging, including devices not supported by Imprivata ID. With SMS text notifications, the user receives a code on the device and enters the code on the computer to authenticate during the Remote Access workflow.

Imprivata and Symantec have partnered to provide OTP tokens for e-prescribing controlled substances. Before Symantec VIP Credentials can be enrolled, you need to configure the connection between Imprivata and Symantec.
Symantec VIP Credentials can be managed from the Symantec VIP Credentials page.

When you first install the Imprivata agent, all users are authorized for password authentication. The default username and password are the user's current user directory credentials.
You can disallow password authentication for some or all users via user policy; however, all enabled users must have at least one authentication method. Password authentication is often used as a second factor for two-factor authentication.
There is no separate enrollment step for password authentication. All users automatically enroll the first time they log into Windows after installing the Imprivata agent.
Password Authentication for Imprivata Confirm ID
Imprivata Confirm ID users can always log into the Imprivata Confirm ID enrollment utility using their username and network password.
Password authentication for signing workflows must be enabled for each supported workflow in the Imprivata Confirm ID workflow policy.

Imprivata fingerprint verification allows users to enter their login credentials while adding a layer of security by verifying their identity through a fingerprint scan. This is a "one-to-one" verification as Imprivata checks the fingerprint against the credentials provided by the user.

Imprivata supports passive proximity card authentication with most standard proximity cards and USB card readers from RF IDeas Inc. Proximity card authentication can be combined with password, Imprivata PIN (as an alternative to a password), or finger biometrics as second factors to provide strong two-factor authentication.

Imprivata includes built-in RADIUS integration to Secure Computing’s Premier Access and Remote Access Servers and RSA's Authentication Manager for token authentication. Imprivata can provide a seamless single-step desktop login using two-factor one-time passcodes for logging in to any SSO-enabled client/server, web, or legacy application from any Imprivata-enabled desktop. ID token-enabled users authenticating to Imprivata use their domain usernames instead of their ID token system usernames (these may be the same values). In all other ways Imprivata makes no changes to the user experience.
Before users can use an ID token to authenticate, you need to configure a connection to the ID token server. See Configuring External OTP Tokens.
These are global settings for the entire Imprivata enterprise. You can override these settings locally for a specific site, as detailed in Overriding an ID Token Server Connection.

Imprivata provides support for VASCO (now known as OneSpan) OTP tokens out-of-the-box. Imprivata embeds VASCO's VACMAN middleware and management components within the Imprivata appliance. There is no separate token management server to purchase or maintain.
You can manage VASCO OTP tokens on the VASCO OTP tokens page of the Imprivata Admin Console (Devices menu > VASCO OTP tokens).
For more information, see Managing VASCO OTP Tokens.

When security questions are enabled as an authentication method, users enroll security questions that they can later answer to authenticate in signing workflows. See Configuring the Workflow Policy for complete details.
You can set different security questions with different settings for different user policies. When you create a new user policy with emergency access privileges, the new policy uses the settings in the default policy as a starting point.
See Configuring Authentication Methods in User Policies for information about configuring options for security questions.
Enabling and Configuring Authentication Methods for Imprivata Confirm ID
Authentication methods for Imprivata Confirm ID are enabled and configured in different locations in the Imprivata Admin Console, depending on the type of user and the authentication methods allowed.
Users
The authentication methods available for each user to enroll for Imprivata Confirm ID workflows are controlled by a combination of user policy and the Imprivata Confirm ID workflow policy.
- In Imprivata Confirm ID workflow policy, select authentication methods for each workflow your enterprise uses in your environment. To enable your users for these workflows, associate Imprivata Confirm ID user policies with these workflows. See Configuring the Workflow Policy.
- In Imprivata Confirm ID user policy, select authentication methods to allow those users to enroll them and authenticate.
Enrollment Supervisors
The authentication methods allowed for witnessing and attesting to provider enrollment of authentication methods for Imprivata Confirm ID are specified on the Confirm ID enrollment supervisors page in the Imprivata Admin Console. You do not need to make any selections in user policy or the Imprivata Confirm ID workflow policy for enrollment supervisors to use these authentication methods.