EmpowerID Products and Solutions
Properly identifying a user (authentication) is the critical step that precedes providing access to resources (authorization) and is a primary element in securing corporate resources and assets. Studies have repeatedly shown the weakness of passwords alone for protecting access and this has brought forth a variety of alternative methods for verifying identity. While any single method can be defeated, the likelihood of unauthorized access is significantly reduced by the combination of two or more methods for verifying identity. EmpowerID is an open platform that flexibly accommodates multi-factor authentication, allowing organizations to decide which identity verification methods are best suited for protecting their resources.
EmpowerID’s industry standards-based multi-factor authentication capabilities are built into the core platform and eliminate the costs associated with third-party licenses. EmpowerID’s flexible authentication options make this important capability easier and less expensive to implement and include support for hardware tokens and smartcards, as well as non-physical options like software tokens and one-time passwords sent to mobile devices.
EmpowerID makes it easy and hassle free for end users to have a more secure login experience with multi-factor authentication. Organizations can enable token self-registration, allowing end users to request and activate a software token on their mobile device themselves, without administrative intervention. If a user does not yet have a token, the system can send a one-time password to their mobile device so that the self-registration process can continue.
EmpowerID allows you to choose from a variety of second-factor options that balance the sensitivity of the resources you want to protect against overall ease of use and the needs of your user base:
EmpowerID’s token server adheres to open standards to support any OATH-compliant hardware token you prefer, allowing you to choose the best token for your needs.
The software tokens issued by the EmpowerID server are OATH compliant and can be used in any free OATH mobile client such as Google Authenticator for Android, iPhone and Blackberry. Software token registration is simple and can begin with either a welcome email that provides links to install and register the token on the mobile device, or by scanning a QR code using the device’s integrated camera to initiate the installation and registration process. Once installed, users simply read a six-digit number from their phone screen when prompted during the login process.
One-time passwords are a simple and cost effective authentication factor where a one-time use code is sent to the user’s registered mobile phone.
Security questions can be used as an authentication method, or to verify a user’s identity during the forgotten password reset process. Enrollment is simple and EmpowerID supports forced user enrollment during the login process.
In addition to other forms of authentication, users can be required by policy to verify ownership of a new PC or mobile device. On the first login attempt from a new device they are prompted to enter a one-time password to validate their identity. When the password is entered correctly, an encrypted cookie is written to the device so that it is recognized and tracked on future logins. Because the marker is a browser cookie, a browser that cannot present it (a different browser on the same machine, or one whose cookies have been cleared) is treated as a new device and prompted again.
For organizations that want smartcard authentication, including governmental entities, EmpowerID provides a built-in Smartcard Identity Provider. Users logging in with their smartcard can still be prompted for other authentication factors, as defined by flexible security policies.
Login requirements such as multi-factor authentication are handled by the EmpowerID policy engine. Different policies can be assigned automatically to users based on their roles, group membership, or HR data. Policies define the login requirements for a user based on who they are, the device they log in from, and the applications they are attempting to access. The login workflow is a unique feature of the EmpowerID platform: rules triggered during the login process can force a user through any number of steps, including on-demand provisioning, a forced password reset, review of and agreement to corporate policies, and forced enrollment in the forgotten-password reset process (for example, registering security questions). The workflow policies are applied regardless of the authentication mechanism that was used as the first factor (AD, LDAP, EmpowerID, Facebook, etc.).
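The device-registration option described earlier, and the policy engine's ability to key a login requirement off the device the user is coming from, both depend on a marker the server can trust on later logins. As an added example (my code, not EmpowerID's), here is one way to implement that "remembered device" check: the marker is issued only after the one-time password for this login has been verified, it is bound to the user so it cannot be replayed to skip the OTP step on another account, and it expires. The page says the product writes an encrypted cookie; this stand-in uses an HMAC-authenticated (tamper-evident but not confidential) token so that it runs with the standard library alone. The key, the 30-day lifetime and the field names are assumptions.

```python
# Added example (my code, not EmpowerID's): a "remembered device" marker that is
# issued once a one-time password has been verified and checked on later logins.
# The page says the product writes an encrypted cookie; this stand-in uses an
# HMAC-authenticated (tamper-evident, not confidential) token built from the
# standard library only. The key, lifetime and field names are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: one server-side secret per deployment
DEVICE_TTL = 30 * 24 * 3600            # assumption: re-verify a device every 30 days


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Called only after the OTP for this login succeeded. The token carries the
    user it was issued to, a random device id and the issue time, and an HMAC tag
    over all of them."""
    claims = {"uid": user_id, "dev": secrets.token_hex(16), "iat": now}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def device_is_known(cookie, user_id, now, key=SERVER_KEY, ttl=DEVICE_TTL) -> bool:
    """True only for an untampered, unexpired token that was issued to this same user."""
    if not cookie or "." not in cookie:
        return False
    payload_b64, tag_b64 = cookie.rsplit(".", 1)
    try:
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (binascii.Error, ValueError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time: no tag oracle
        return False
    claims = json.loads(payload)                  # authenticated, so safe to parse
    return claims.get("uid") == user_id and 0 <= now - claims["iat"] <= ttl


def login_requires_otp(cookie, user_id, now) -> bool:
    """Policy hook: prompt for a one-time password unless the device is recognised."""
    return not device_is_known(cookie, user_id, now)


if __name__ == "__main__":
    issued = issue_device_cookie("alice", 1_700_000_000)   # constructed sample login
    print("cookie:", issued)
    print("alice next day needs OTP?", login_requires_otp(issued, "alice", 1_700_086_400))
    print("bob with alice's cookie needs OTP?", login_requires_otp(issued, "bob", 1_700_086_400))
```

The cookie should be set with the Secure and HttpOnly flags, since anyone who can read it can skip the second factor for that user until it expires; the server-side key must rotate if it is ever exposed, which invalidates every remembered device at once. Keeping the device id in the token also lets an administrator revoke one device without touching the others.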
EmpowerID’s multi-factor authentication services are not limited to users performing web single sign-on in their browser. It works for all types of authentication including:
Comprehensive, seamless authentication for all enterprise applications accessed from the public Internet is supported for both SSL VPN and regular VPN devices. SSL VPN devices are supported by the EmpowerID federation server, and traditional VPN devices can leverage EmpowerID's integrated RADIUS server or Virtual LDAP server.
LDAP and RADIUS Clients
EmpowerID supports Pluggable Authentication Modules (PAM): services and users defined on your Unix/Linux systems can be configured to authenticate through the PAM LDAP module against EmpowerID as their LDAP directory.
Multi-factor authentication for web applications extends to applications leveraging EmpowerID for SSO either via federation, password vaulting or Web Access Management.
Custom applications can plug into the multi-factor authentication capabilities in a variety of ways, including through the EmpowerID API. EmpowerID exposes its multi-factor authentication features to developers as web services.
In addition to native MFA support, EmpowerID’s architecture makes it easy to integrate with other MFA solutions. Demonstrated examples of the extensibility of the EmpowerID platform include the integration of external identity proofing services, such as those offered by Equifax and RSA, into the identity registration and forgotten password reset workflow processes.