Implement two-factor authentication based on smart cards

The solution based on Indeed AM and Indeed CM combines different authentication methods, including cryptographic smart cards and USB tokens that hold a private key for digital signature.

Task

Corporate IT infrastructure today may include various services and information systems with their own user account directories, which requires the use of multiple credentials for system authentication. Some services may support authentication via digital certificates issued by both in-house and third-party certificate authorities. These certificates can also be used in electronic document management.

Certain password requirements are usually in place to ensure adequate security of password-based authentication. The list of requirements may include mandatory characters, password length, update frequency, forbidden popular sequences such as «admin» and «123456», etc. Even with a single password, meeting all of these requirements may prove a real challenge, let alone with multiple usernames and passwords. Likewise, it is not uncommon for routine password updates in different systems and services to be scheduled at different times (without synchronization or control dates).

Your personnel may also need to use multiple hardware devices for secure storage of keys and electronic signature certificates, for example, different tokens or smart cards for each qualified certificate.

According to internal regulations and administrative documents, your employees are expected to maintain the security of storage and use of their passwords and authentication devices on their own. But this only looks good on paper; in real life, you may encounter the following issues:

  • If the relevant policies have not been properly set up, your employees may choose to ignore the security requirements for passwords to corporate systems and services.
  • Your employees may intentionally or unintentionally fail to regularly update their passwords if this process has not been properly automated.
  • Despite meeting all password security requirements, your employees may use a physical medium or a text file for storing their passwords.
  • Your employees may forget their passwords and keep asking your IT/IS team to reset them (they may even forget to create a new password if this is not enforced by default after the first login).
  • In case your employees use multiple devices, they may mix up their passwords or store them in unsafe places.

On top of that, each new secure hardware device requires additional investment: you need to buy (or replace) it every time. If you have more than one authentication device, your expenses are bound to increase, not to mention the challenges associated with keeping all tokens and smart cards on file and duly managed.

Unsolved issues related to password use and administration, as well as digital certificate and token management, can make your IT infrastructure less manageable and adversely affect your information security. A first-choice solution in this case is to use a combination of specialized software suites that rely on Public Key Infrastructure Management, Authentication Management, Access Management, and Two-Factor Authentication (2FA) technology.

Multi-factor authentication solutions can help you not only manage your authenticators (more than just passwords) and PKI infrastructure more effectively, but also upgrade your overall cyber security framework.

Solution

A software suite designed for managing user authentication, access certification, and public key infrastructure will equip you with a centralized tool for effectively addressing most common tasks related to access security.

In this case, using Indeed Access Manager in combination with the Indeed Certificate Manager platform may be a good idea.

Even though these products are two separate solutions in terms of technology (an authentication management system and a public key infrastructure management system), they can exchange data about users, user activity, and relevant authenticators and certificates.

Using the Indeed AM and Indeed CM solutions together, you can effectively solve the following cyber security tasks:

  • Two-factor authentication across all corporate resources, even those that do not support multi-factor authentication and rely on passwords only, including desktop applications without embedded Single Sign-On functionality.
  • Having a single secure token for storing electronic signature certificates, identification and authentication data, as well as for physical access.
  • Controlled handling and use of digital certificates and tokens.
  • Addressing the key issues and vulnerabilities of password-based authentication technology.

For end users, the benefits of having a single device that can be used both for authentication and as a corporate ID are obvious. Your employees will no longer need to spend their working time trying to address issues that have nothing to do with their actual job:

  • They no longer need to come up with new passwords to all corporate resources.
  • They no longer face the risk of forgetting their password and getting unwanted idle time.
  • They get a universal secure device for all tasks related to user access control and storage of electronic signatures.

This combined technological solution can also offer a number of benefits to cyber security staff and IT administrators:

  • Two-factor authentication helps boost the overall information security.
  • Since end users are no longer responsible for creating and using their passwords, they cannot disclose them to third parties.
  • All password generation requirements in the target systems that do not support other authentication technologies will be successfully met.
  • Your IT team no longer needs to monitor compliance with password security and handling requirements.
  • Your IT team no longer needs to spend their working hours on resetting user passwords.
  • You get unified consoles for monitoring and managing user authentication and identification devices.

Intended use

Two-factor authentication

Password-based authentication technologies may be easy to use, but they have some major flaws. You can overcome those flaws by using secure hardware devices and digital certificates for user authentication:

  • Your devices and certificates are much less likely to be compromised.
  • If they do get compromised (for example, if a device has been lost), you will learn about it immediately, and your information security administrator can take appropriate measures to block the affected device.
  • The device PIN code is usually easy to remember, but the PIN code alone is useless without physical access to the token.
  • Users can easily change their PIN code and do not need to remember multiple PIN codes since all certificates and authentication data for all corporate services are stored on a single device.
  • Authentication requires a hardware device, and even if this device is compromised, it will be hard to use it from a workstation that has not been expressly set up for access to corporate resources (except for public web resources).

If Indeed Access Manager is used together with Indeed Certificate Manager, you will get a special hardware tool enabling two-factor authentication in the target services of your corporate IT infrastructure.

Certificate-based authentication for Windows

The Indeed Certificate Manager platform supports integration with your in-house certificate authorities based on the Windows CA functionality. Out-of-the-box authentication based on certificates issued by Windows CA is also supported in the Active Directory domain infrastructure.

Indeed Certificate Manager can help you centrally manage how the digital certificates get issued by Microsoft CA and are subsequently handled. These certificates can be stored on a protected device containing all other certificates.

This way, the device can also be used for Windows authentication.

Smart cards and digital certificates for app authentication

Even today, the default authentication mechanism in many information systems and services is simple password protection. Some systems may not support any other authentication scenarios or protocols (RADIUS, SAML, ADFS, Active Directory, X.509, etc.).

Likewise, applications that do support digital certificate authentication may require certificates issued by a third-party certificate authority. This is a standard situation in the case of document flow between various state departments or public procurement.

Indeed Certificate Manager can help you monitor and control the use of all your digital certificates, even those issued by third-party certificate authorities (including accredited CAs).

Thanks to the Indeed Access Manager platform, you can use hardware secure storage devices for end-to-end authentication in any password-protected application or web application. You can do this by using:

  • the supported authentication protocols (ADFS, SAML, etc.) or
  • the Enterprise Single Sign-On (ESSO) module

ESSO can intercept GUI password entry forms and map them to the back-end credentials. This single sign-on solution also supports secure storage of these credentials and takes care of the routine updates (new passwords are added in the same way, through interception of GUI password entry forms).

This way, one and the same device can be used for secure authentication across all corporate applications and web applications.

A single device for storing identification and authentication data

The Indeed Access Manager platform enables all authentication scenarios involving a secure hardware device in all target resources (via appropriate integration modules). It also supports integration with the AMCS; in this case, the same hardware devices can be used both for authentication and gaining physical access to the AMCS-protected premises.

If your company chooses to use both products, you can opt to have all digital certificates available to a given end user stored on one smart card; the same device can also be used as an authenticator for all Windows-based workstations, as well as target applications and web applications.

Using a single device for identification and authentication can make access certification across all corporate resources much more effective and strengthen the loyalty of your end users. The overall information security at your company will also improve, in particular thanks to thorough monitoring of all authentication events.

Encryption and electronic signature

The Indeed Certificate Manager platform can help you bring under control not only your internal digital certificates, but also certificates issued by third-party certificate authorities, including accredited CAs.

Digital certificates stored on a single device can be used for other tasks in addition to user authentication in the target systems:

  • Encrypt and sign your emails
  • Encrypt and sign your electronic documents
  • Sign your business transactions (for example, transfers to bank accounts)
  • Encrypt your files and drives
  • Set up a VPN connection

Qualified digital certificates confer legal value to your electronic signature. This means that you can use it to arrange legally binding electronic document flow, take part in public procurement, and receive other electronic public services.

Corporate ID

When your IT infrastructure incorporates both Indeed Access Manager and Indeed Certificate Manager, you can opt to assign multiple functions to a single protected device, such as user identification, authentication, and other business tasks:

  • Authenticate on Windows-based workstations
  • Authenticate in enterprise applications and web applications
  • Authenticate in public web services
  • Electronically sign documents
  • Encrypt messages, files, and drives
  • Connect to a VPN
  • AMCS identification
  • Have a debit card linked to a bank account

The final list of available features depends on the technical parameters of a specific hardware device, i.e. its form factor, whether or not it has an RFID chip, a secure certificate storage space, a magnetic stripe, or a chip for linking it to a bank account, etc.

The resulting device can also serve as a corporate ID (or card). Your employees can use this ID to receive all the services offered by your company, as well as gain access to all corporate resources.

Warding off the risk of loss or damage of the device

On the one hand, using a single device for gaining access to all corporate services and performing other business tasks can have its perks both for the end users and the entire company:

  • You can significantly boost the efficiency of your corporate resource usage
  • You can enhance the labor productivity of your personnel in terms of access to resources
  • The use of a protected device containing all user identification and authentication data can improve your company’s information security

On the other hand, having one device fit for various tasks may pose security threats should the token be lost or stolen. Things can get even worse if the device supports remote access to corporate resources, and the attacker resorts to blatantly stealing the device from your employee.

Our products allow for centralized monitoring of the device usage. Should a compromised smart card be detected, you can use Indeed Access Manager and Indeed Certificate Manager to promptly block the device and revoke the certificates. As both platforms support integration with SIEM software, you will immediately learn about all security incidents and compromised devices, even without involving end users.

Technical parameters

  • Certificate authorities: Microsoft Windows CA, CAmelot
  • Removable hardware tokens: eToken (SafeNet), ESMART (SafeNetISBC), Yubikey (Yubico), ID Prime (Gemalto), and ePass (Feitian).
  • Authentication protocols: RADIUS, SAML, ADFS, OpenID Connect, Kerberos (Active Directory)
  • Authentication in the target systems: Microsoft Windows Logon, Microsoft RDS, MS IIS, VPN, Web Application, and Desktop Application
  • Integration with access security tools, smart card printers, authentication management tools (Indeed Access Manager), and identity management tools − IdM (via API)


Andy Woo
Regional Director of Pacific Tech

At Pacific Tech, we are continuously evolving and bringing new solutions to our partners and customers in the region. We are delighted to be partnering with Indeed Identity. With Indeed Identity, we found a comprehensive access management solution which perfectly complements the growing population of Singapore work-from-home workers. As a leading cyber security solution provider, this strategic partnership is perfect for our two companies.

KC KuppingerCole Report
Executive view

Indeed Identity’s innovative approach towards designing its whole product portfolio as a highly modular open application platform allows the customers to pick and choose the modules as needed and grow in the future as their business needs expand. Even out of the box, Indeed Certificate Manager provides comprehensive yet convenient management capabilities for both administrators and end users.

Michael Bürger
Founder & Sales Partner at EU-HUB Network

For approximately 5 years now I have been working with Indeed Identity quite successfully. First as my vendor client and next as a trusted innovative software partner. Now we are re-selling Indeed Identity software as a Distributor for the EU and beyond. I have often met Indeed Identity's CEOs, CTO, Product Management, Partner Managers and System Engineers, on the phone and even in person in London and Munich, and my feeling was always that these are smart people and an excellently organized company with straightforward thinking, and I don’t have any doubt that together we will be very successful this decade in the 2020s on everything we target.

Leo Querubin
Executive Director for Business Development of Pointwest Technologies Corporation

The products of Indeed Identity, like Indeed Access Manager, a software for strong and multi-factor authentication (MFA), can provide the structural changes that force everyone to follow necessary cybersecurity procedures. Customers get the best of both worlds — the world-class cybersecurity products of Indeed Identity and the experience and expertise of the local cybersecurity landscape of Pointwest.

Volkan Duman
Information Technologies General Manager at vMind

As a result of the long-term laboratory tests and studies that we conducted, we believe that Indeed Identity products should certainly be on the Turkish market. Thanks to our partnership with Indeed Identity, we sought to expand the access control and certificate management market, which is located in a narrow profile in the country, as well as add value by transferring technology to our country. When we compare Indeed Identity products with similar products, we can safely say that they contain much more different features and are more inclusive.

Marko Pust
Director of OSI.SI

We have had a long partnership with Indeed Identity for more than 2 years already. I can confidently say that Indeed CM is one of the best and most technologically enhanced products for managing digital certificates and smart cards on the EU market. This product has a number of unique features such as Client Agent and Indeed AirCard Enterprise network-attached smart card that are highly valued by our customers. One of the customers said that Indeed CM brought automation and visibility to their PKI life.

Heng Lie
Director of Synnex Metrodata Indonesia

I believe that Indeed Access Manager is an excellent solution for many of our clients. It manages access to all information systems of the enterprise and protects companies from internal and external cyber threats. It is a flexible platform combining different authentication scenarios and methods.

Sergey Yeliseyev
X–Infotech Owner, Business Development Director, Government eID solutions

Indeed Identity is a company of professionals in the field of information security. They provide top-level solutions for PKI management and access control to corporate resources. We recommend this company as a reliable partner.