Configuring External OTP Tokens
ID token-enabled users authenticating to Imprivata use their domain usernames instead of their ID token system usernames (these may be the same values anyway). In all other ways there are no changes to the user experience.
There are two steps to configuring the Imprivata appliance to work with an ID token server:
- Configure the external ID token server to recognize the Imprivata appliance, as detailed in Configuring the External OTP Token Server to Recognize the Imprivata Appliance.
- Configure the Imprivata appliance to recognize the ID token system, as detailed in Configuring the Imprivata Appliance to Recognize the External OTP Token Server.
Supported External OTP Tokens
Imprivata supports the following external OTP tokens:
- RSA ID® tokens with RSA Authentication Manager®.
- Secure Computing SafeWord® tokens with PremierAccess® and RemoteAccess™ servers.
- External RADIUS hosts, including PhoneFactor (PhoneFactor is not supported by Imprivata Enterprise Access Management with MFA, formerly Imprivata Confirm ID).

Hardware Requirements
Each user needs a SecurID token. The tokens are powered by an integral battery and require no user maintenance. Tokens last between 2-5 years. There is no reader; the passcode is entered like a password, along with an optional personal PIN.
Monitoring and Reporting SecurID Token Authentications
You can get real-time notifications of a variety of network events, including enrollment for ID tokens.

PhoneFactor adds a second factor of authentication to your corporate login. Instead of the user entering a passcode from an ID Token, your PhoneFactor server calls the user’s phone with a passcode and instructions for secure authentication. Imprivata supports second-factor authentication with PhoneFactor.
Configuring the External OTP Token Server to Recognize the Imprivata Appliance
Follow the procedure specific to the type of external OTP token you are enrolling.

The RSA Authentication Manager cannot communicate with the Imprivata appliance until the RSA Authentication Manager has been configured to recognize it. In the RSA Authentication Manager system, appliances must be deployed as Agent Hosts.
To configure the Imprivata appliance as an agent host:
1. Open the RSA Authentication Manager Admin UI (Start > Programs > RSA Security > RSA Authentication Manager Host Mode).
2. From Agent Host, select Add Agent Host.
3. In the Add Agent Host screen, enter the host name and network address of the Imprivata appliance.
4. Use the Group Activations or User Activations buttons to activate any groups or users who will be using Imprivata OneSign.
5. From RADIUS, select Manage RADIUS Server.
6. Expand the RSA RADIUS Server Administration menu and select RADIUS Clients.
7. Click Add. The Add RADIUS dialog opens.
8. Enter the name, description, and IP address of the Imprivata appliance.
9. Enter a shared secret encryption key. You will use the key in step 4 of Configuring the Imprivata Appliance to Recognize the ID Token Server.
10. Repeat Step 1 through Step 9 to configure all other appliances as agent hosts for the RSA Authentication Manager. Use the same value for the encryption key.
NOTE: Refer to your RSA Authentication Manager documentation for additional information about the RSA Authentication Manager system.

The PhoneFactor agent cannot communicate with the Imprivata appliance until the PhoneFactor agent has been configured to recognize it. In the PhoneFactor agent, your Imprivata appliances must be deployed as RADIUS clients.
To configure the Imprivata appliance as a PhoneFactor RADIUS client:
1. Open PhoneFactor agent (Start > Programs > PhoneFactor > PhoneFactor Agent).
2. From RADIUS Authentication, make sure Enable RADIUS authentication is selected.
3. On the Clients tab, below the list of clients, select Add to add the Imprivata appliance as a RADIUS client.
4. In the Add RADIUS Client window, enter the IP address of the Imprivata appliance. Enter a shared secret encryption key. You will use the key in Step 4 of Configure the Imprivata Appliance to Recognize the ID Token Server.
5. (Optional) Select Require PhoneFactor user match.
6. Repeat Step 1 through Step 6 to configure all other appliances in your Imprivata enterprise as RADIUS clients. Use the same value for the shared secret.
Configure the Imprivata Appliance to Recognize the ID Token Server

1. Open the Configure external OTP tokens page in the Imprivata Admin Console (Devices menu > Configure external OTP tokens).
2. Enter the host name (or IP address) for the ID token server.
3. Enter the authentication port for the ID token system RADIUS server.
   - The most commonly used authentication ports are 1812 and 1645.
   - For RSA SecurID OTP tokens, you can find the port number in the RSA Authentication Manager Configuration Management tool, under the entry for RADIUS in the Services section.
4. Enter the encryption key that you used in Configuring the External OTP Token Server to Recognize the Imprivata Appliance.
5. (PhoneFactor tokens) It takes some moments for the user to answer the phone and enter the code. Enter a value in the Additional time to wait... field to suit the needs of your users.
6. Specify whether or not the OTP token is allowed for authenticating when e-prescribing controlled substances. If you select Allowed for EPCS, then when you click Save, you are prompted to attest that the OTP token server is FIPS-compliant and that OTP tokens are properly enrolled per DEA EPCS regulations. This action is logged in the Imprivata audit records.
7. Specify how users enroll with external ID tokens:
   - (PhoneFactor tokens) Leave Enroll users automatically selected. Use the username format that matches the usernames in the PhoneFactor agent users list.
   - (RSA SecurID tokens) Select Users enroll themselves. See Allowing Users to Enroll Their Own External OTP Tokens for Use with Imprivata OneSign.
8. Click Save.
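The encryption key entered on the OTP token server and again on the Imprivata appliance is the RADIUS shared secret. The following added example (not Imprivata, RSA or PhoneFactor code) uses the standard RFC 2865 constructions to show what a mismatched key does to the passcode and to reply verification. It assumes the passcode travels in the User-Password attribute (PAP); the function names, secrets and passcode are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hide_passcode(passcode: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side (RFC 2865 5.2): XOR the padded passcode with an MD5 keystream."""
    padded = passcode + b"\x00" * (-len(passcode) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_passcode(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding using the server's copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the client's secret."""
    header, digest, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator must be random.
    request_auth = bytes(range(16))
    appliance_secret, server_secret = b"Example-Secret-A", b"Example-Secret-B"
    hidden = hide_passcode(b"1234567890", appliance_secret, request_auth)
    print("matched :", reveal_passcode(hidden, appliance_secret, request_auth))
    print("mismatch:", reveal_passcode(hidden, server_secret, request_auth))
    reply = build_reply(2, 1, request_auth, b"", server_secret)  # 2 = Access-Accept
    print("appliance accepts reply:", reply_is_authentic(reply, request_auth, appliance_secret))
```

With mismatched keys the server recovers garbage instead of the passcode and the appliance cannot validate replies, so the symptom is failed or timed-out authentications rather than an explicit key error.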
NOTES:
Assigning External OTP Token Authentication Privileges
You assign token authentication and all other authentication methods via the user policies that you assign to each user. ID Token must be selected on the Authentication tab of a user policy for each authentication type for which you are using OTP tokens.
NOTE: PhoneFactor authentication is controlled like an ID Token, so PhoneFactor users must have ID token authentication selected in their user policies.
Revoking ID Token Authentication Privileges
Revoke ID Token authentication privileges via the user policies that you assign to each user. Create a different user policy and assign it to the user.
User policies are detailed in Creating and Managing User Policies.
Allowing Users to Enroll Their Own External OTP Tokens for Use with Imprivata OneSign
You can have users enroll their own external OTP tokens. Select Users enroll themselves in the Enrolling users section of the Configure external OTP tokens page of the Imprivata Admin Console.
The self-enrollment process consists of the following steps:
- Log into the computer to invoke an Imprivata OneSign authentication.
- Use your password to log into Imprivata OneSign.
- Imprivata OneSign logs you into Windows and offers you the opportunity to enroll for ID Token authentication. Accept it and click Next. The ID Token Enrollment screen opens.
- Enter the username for the RSA SecurID system.
- Enter your passcode (with PIN if required).
- Click OK.
NOTE: The ID token system username may not be the same as your Windows username. Your ID token system Administrator will know this information.
Authenticating to Imprivata OneSign with OTP Tokens
Authenticating to Imprivata OneSign with OTP tokens differs slightly depending on the type of ID token you are using.

After the user has enrolled, the authentication process is straightforward.
To authenticate via your SecurID token:
- Log into your computer. The Imprivata OneSign Log On window opens.
- Click Use my OTP at the bottom of the window.
- In the Passcode field, enter your passcode.
When you are authenticated, the authentication window closes.

To authenticate via PhoneFactor:
- Log into your computer. The Imprivata OneSign log on window opens.
- Enter your username and password.
- Click Use my OTP at the bottom of the window.
- Click OK, and wait for your phone to ring. Within a few moments, your phone will ring with further instructions. When you are authenticated, the authentication window closes.