Password-based authentication technologies may be easy to use, but they have some major flaws. You can overcome those flaws by using secure hardware devices and digital certificates for user authentication:
- Your devices and certificates are much less likely to be compromised.
- If they do get compromised (for example, if a device has been lost), you will learn about it immediately, and your information security administrator can take appropriate measures to block the affected device.
- The device PIN code is usually easy to remember, but the PIN code alone is useless without physical access to the token.
- Users can easily change their PIN code and do not need to remember multiple PIN codes since all certificates and authentication data for all corporate services are stored on a single device.
- Authentication requires a hardware device, and even if this device is compromised, it will be hard to use it from a workstation that has not been expressly set up for access to corporate resources (except for public web resources).
If Indeed Access Manager is used together with Indeed Certificate Manager, you will get a special hardware tool enabling two-factor authentication in the target services of your corporate IT infrastructure.
Certificate-based authentication for Windows
The Indeed Certificate Manager platform supports integration with your in-house certificate authorities based on the Windows CA functionality. Out-of-the-box authentication based on certificates issued by Windows CA is also supported in the Active Directory domain infrastructure.
Indeed Certificate Manager can help you centrally manage how the digital certificates get issued by Microsoft CA and are subsequently handled. These certificates can be stored on a protected device containing all other certificates.
This way, the device can also be used for Windows authentication.
Smart cards and digital certificates for app authentication
Even today, the default authentication mechanism in many information systems and services is simple password protection. Some systems may not support any other authentication scenarios or protocols (RADIUS, SAML, ADFS, Active Directory, X.509, etc.).
On the same note, applications that do support digital certificate authentication may require certificates issued by a third-party certificate authority. This is a standard situation in the case of document flow between various state departments or public procurement.
Indeed Certificate Manager can help you monitor and control the use of all your digital certificates, even those issued by third-party certificate authorities (including accredited CAs).
Thanks to the Indeed Access Manager platform, you can use hardware secure storage devices for end-to-end authentication in any password-protected application or web application. You can do this by using:
- the supported authentication protocols (ADFS, SAML, etc.) or
- the Enterprise Single Sign-On (ESSO) module
ESSO can intercept GUI password entry forms and map it to the back-end credentials. This single sign-on solution also supports secure storage of the above credentials and takes care of the routine updates (new passwords are added in the same way − through interception of GUI password entry forms).
This way, one and the same device can be used for secure authentication across all corporate applications and web applications.
A single device for storing identification and authentication data
The Indeed Access Manager platform enables all authentication scenarios involving a secure hardware device in all target resources (via appropriate integration modules). It also supports integration with the AMCS; in this case, the same hardware devices can be used both for authentication and gaining physical access to the AMCS-protected premises.
If your company chooses to use both products, you can opt to have all digital certificates available to a given end user stored on one smart card; the same device can also be used as an authenticator for all Windows-based workstations, as well as target applications and web applications.
Using a single device for identification and authentication can help you not only make your access certification in all corporate resources much more effective, but also strengthen the loyalty of your end users, not to mention that the overall information security at your company will improve, thanks to a thorough monitoring of all authentication events in particular.
Encryption and electronic signature
The Indeed Certificate Manager platform can help you take under control not only your internal digital certificates, but also certificates issued by third-party certificate authorities, including accredited CAs.
Digital certificates stored on a single device can be used for other tasks in addition to user authentication in the target systems:
- Encrypt and sign your emails
- Encrypt and sign your electronic documents
- Sign your business transactions (for example, transfers to bank accounts)
- Encrypt your files and drives
- Set up a VPN connection
Qualified digital certificates confer legal value to your electronic signature. This means that you can use it to arrange legally binding electronic document flow, take part in public procurement, and receive other electronic public services.
When your IT infrastructure incorporates both Indeed Access Manager and Indeed Certificate Manager, you can opt to assign multiple functions to a single protected device, such as user identification, authentication, and other business tasks:
- Authenticate on Windows-based workstations
- Authenticate in enterprise applications and web applications
- Authenticate in public web services
- Electronically sign documents
- Encryption for messages, files, and drives
- Connect to a VPN
- AMCS identification
- Have a debit card linked to a bank account
The final list of available features depends on the technical parameters of a specific hardware device, i.e. its form factor, whether or not it has an RFID chip, a secure certificate storage space, a magnetic stripe, or a chip for linking it to a bank account, etc.
The resulting device can also serve as a corporate ID (or card). Your employees can use this ID to receive all the services offered by your company, as well as gain access to all corporate resources.
Warding off the risk of loss or damage of the device
On the one hand, using a single device for gaining access to all corporate services and performing other business tasks can have its perks both for the end users and the entire company:
- You can significantly boost the efficiency of your corporate resource usage
- You can enhance the labor productivity of your personnel in terms of access to resources
- The use of a protected device containing all user identification and authentication data can improve your company’s information security
On the other hand, having one device fit for various tasks may pose security threats should the token be lost or stolen. Things can get even worse if the device supports remote access to corporate resources, and the attacker resorts to blatantly stealing the device from your employee.
Our products allow for centralized monitoring of the device usage. Should a compromised smart card be detected, you can use Indeed Access Manager and Indeed Certificate Manager to promptly block the device and revoke the certificates. As both platforms support integration with SIEM software, you will immediately learn about all security incidents and compromised devices, even without involving end users.