Large Scale Password Management
With Hitachi ID Password Manager
© 2014 Hitachi ID Systems, Inc. All rights reserved.
As users access ever more systems and applications, they accumulate passwords and other authentication factors. Complexity that arises in managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written passwords, lost or stolen OTP tokens and smart cards, etc.
Effective password management addresses these problems by helping users to manage all of their authentication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked out passwords or PINs and unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is made available from full screen or mobile phone web browsers, phone calls or PC login screens.
Contents
1 Introduction (page 1)
2 Business Drivers: IT Support for Passwords and PINs (page 2)
3 Technical Challenges: Hard-To-Support Passwords (page 3)
3.1 Locked Out Users (page 3)
3.2 Cached Credentials (page 3)
3.3 Replication Delays (page 4)
3.4 Forgotten Passwords for Full Disk Encryption (page 4)
3.5 Mobile, Disconnected Users (page 4)
3.6 Managing PKI Passwords (page 5)
4 Hitachi ID Password Manager Features (page 6)
4.1 Password Synchronization (page 6)
4.2 Self-service Password Reset (page 6)
4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks (page 7)
4.4 Assisted Password Reset (page 7)
4.5 Password Policy Enforcement (page 8)
4.6 Password Expiration / Aging Enforcement (page 9)
4.7 Preventing Password Reuse (page 9)
5 Solution Architecture (page 10)
6 Self-Service: Access and Authentication (page 12)
6.1 Access For Locked Out Users (page 12)
6.2 Authenticating Users Without Passwords (page 14)
6.3 Authentication Chains (page 15)
7 User Enrollment: Maximizing Adoption (page 17)
8 Telephony Integration (page 18)
9 Managing PKI Certificate Passwords (page 21)
10 Support for Mobile, Disconnected Users (page 22)
11 Overcoming Active Directory Replication Delays (page 25)
12 Built-in Single Sign-on Technology (page 26)
13 Return on Investment (page 28)
14 Platform Support (page 30)
15 Rapid Deployment (page 32)
1 Introduction
This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business problems.
Hitachi ID Password Manager is a solution for managing all of a user’s authentication factors. This lowers IT support cost and improves security through:
• Password synchronization: Helping users to maintain a single, strong password across multiple systems and applications.
• Single sign-on: Automatically signing users into applications.
• Password policy enforcement: Ensuring that new passwords are hard to guess, are changed frequently and that old passwords are not reused.
• Self-service password and PIN reset: Enabling users who have forgotten their password, forgotten the PIN for their hardware token or smart card or who have triggered an intruder lockout to authenticate themselves and resolve their problem – from any location, using any device, without calling the help desk.
• Cryptographic key recovery: Allowing users who forgot the password that activates their PC at boot time to resolve their problem without speaking to a support analyst.
• Assisted password and PIN reset: Streamlining IT support calls to resolve login problems.
2 Business Drivers: IT Support for Passwords and PINs
Users who must manage multiple passwords to corporate systems and applications have usability, security
and cost problems.
Users have too many passwords. Each password may expire on a different schedule, be changed with a
different user interface and be subject to different rules about password composition and reuse.
Some systems are able to force users to select hard-to-guess passwords, while others are not. Some
systems require that users change their passwords periodically, while others cannot enforce expiration.
Users have trouble choosing hard-to-guess passwords.
Users have trouble remembering passwords, because they have too many of them or because they chose
a new password at the end of the day or week, and didn’t have an opportunity to use it a few times before
going home.
These problems drive users to choose trivial passwords, to avoid changing their passwords and to write
down their passwords. All of these behaviors can compromise network security.
When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they
tend to forget their passwords and must call the help desk.
Password and login problems are the top incident type at most IT help desks, frequently accounting for 25%
or more of total call volume.
In addition to the above security and support cost problems, users simply don’t like memorizing and typing
passwords. Password management is a nuisance that contributes to a negative perception of IT service.
Despite all these problems, passwords will continue to be needed for years to come:
1. Passwords are significantly less expensive to deploy and support than other technologies.
2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN, i.e., “something you have” (smart card, token) or “something you are” (biometric) plus “something you know” (password, PIN).
3. Passwords are an important backup to other authentication technologies:
(a) Hardware devices can be lost or stolen or simply left at home.
(b) Some devices from which users need to access corporate systems, such as smart phones and
home PCs, may not support more advanced authentication methods.
Since passwords are not going away and remain difficult for users to manage, solutions are needed to help
users more effectively manage their passwords.
3 Technical Challenges: Hard-To-Support Passwords
Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straightforward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI.
3.1 Locked Out Users
Users often forget their initial network login password or inadvertently trigger an intruder lockout. These
users should be able to get assistance, reset their network or local password, clear intruder lockouts and
get back to work.
Since these users have a problem with their workstation login, they cannot access a conventional web
browser or client/server application with which to resolve their problem. The problem these users face is
how to get to a user interface, so that they can fix their login problem and subsequently access their own
workstation desktop.
This problem is especially acute for mobile users, who use cached domain passwords to sign into their
workstation and who may not be attached to the corporate network when they experience a forgotten
password problem.
3.2 Cached Credentials
Windows workstations cache user passwords – typically the primary password a user types at the login
screen, which was authenticated against Active Directory. This is done for two reasons:
1. To enable users to log into their workstation while detached from the network (example: traveling
laptop).
2. To automatically sign the user into resources, such as shared file and print services, without having to
ask the user to retype his password.
When a user changes his password using the network client software on the workstation (e.g., the Ctrl-Alt-Del method), the network client automatically updates its cached password.
On the other hand, if a user is logged into his workstation and simultaneously his password is reset elsewhere on the network – for example by the help desk or by the user himself on a second concurrently logged in workstation – then the cached password on the workstation will not change; it will simply be wrong.
Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g.,
remote), the new password will not be copied to the workstation until it is re-attached to the network.
An invalid, cached password causes several problems:
1. If the user’s PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network.
2. If the user’s PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user’s “number of invalid login attempts” counter. Repeated connection attempts will trigger an intruder lockout.
3.3 Replication Delays
Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user’s lockout on a domain controller near the help desk. The cleared lockout may take a long time (hours) to reach the domain controllers against which the user wishes to authenticate or which serve the network resources that the user wishes to access.
This problem is especially acute in global organizations with hundreds of domain controllers and a global IT support function.
Note that AD password change replication is described here:
http://technet.microsoft.com/en-us/library/cc772726.aspx
3.4 Forgotten Passwords for Full Disk Encryption
Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a
corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock
their hard disk, before they can boot up an operating system. This password is normally synchronized with
the user’s primary Windows password, so that the user only has to remember and type a single password
at login.
If a user forgets his hard disk encryption unlock password, he will be unable to start his operating system or use his computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.
3.5 Mobile, Disconnected Users
Traveling users typically log into their workstations using cached Active Directory passwords. If they forget
the cached password, technical support may be expensive, insecure or simply impossible:
1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, so that the PC can re-authenticate to the AD domain and cache the user’s newly reset password.
2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an
alternate login ID, which is defined on the user’s PC (not a domain account), whose security will
henceforth be compromised.
3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer
an alternate, local user ID.
While the frequency of password reset incidents for traveling users is typically low, the cost per incident is
much higher than for network-attached users.
3.6 Managing PKI Passwords
Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted e-mail and (with smart cards) perform multi-factor authentication, even while disconnected from the corporate network.
Certificate files are typically encrypted and decrypted using a user’s personal password or smart card PIN.
In other words, users have a “PKI password,” which is not necessarily stored on any server. Rather, this
password is used to unlock the user’s personal certificate file.
This is true of both standards-based PKI, using X.509 certificates, and proprietary PKI, using Lotus Notes ID files.
“PKI passwords,” including Lotus Notes ID file passwords, are difficult for IT organizations to support because they cannot be administratively reset:
1. The PKI certificate may exist in multiple locations – one or more PCs, network home directories, USB flash drives, smart cards, etc.
2. Some of these locations may be inaccessible to a password management server on the network.
3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted, with
the new password. In other words, there is no notion of an administrative password reset, which does
not rely on knowledge of the current password.
4 Password Manager Features
Hitachi ID Password Manager is designed to reduce the cost and improve the security of password systems:
4.1 Password Synchronization
Password synchronization is any process or technology that helps users to maintain a single password,
subject to a single security policy, across multiple systems.
Password synchronization is an effective mechanism for addressing password management problems on
an enterprise network:
• Users with synchronized passwords tend to remember their passwords.
• Simpler password management means that users make significantly fewer password-related calls to
the help desk.
• Users with just one or two passwords are much less likely to write down their passwords.
There are two ways to implement password synchronization:
• Transparent password synchronization, where native password changes that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications.
• Web-based password synchronization, where users are asked to change all of their passwords at
once, using a web application, instead of continuing to use native tools to change passwords.
One of the core features of Hitachi ID Password Manager is password synchronization. Password Manager implements both transparent and web-based password synchronization.
4.2 Self-service Password Reset
Self-service password reset is defined as any process or technology that allows users who have either
forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair
their own problem, without calling the help desk.
Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user’s web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.
Self-service password reset expedites problem resolution for users after a problem has already occurred
and reduces help desk call volume. It can also be used to ensure that password problems are only resolved
after strong user authentication, eliminating an important weakness of many help desks: social engineering
attacks.
One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.
4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks
Hitachi ID Password Manager includes key features to assist mobile users:
1. E-mail notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
2. Support for resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.
4.4 Assisted Password Reset
Hitachi ID Password Manager includes an assisted password reset web portal, which allows IT support staff
to help callers without having direct administrative access to target systems:
• Support staff sign into Password Manager with a web browser.
• Support staff can be authenticated using IDs and passwords internal to Password Manager or use
pass-through authentication to an existing system.
For example, support staff may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each support technician in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.
• From the Password Manager web interface, support staff can search for the caller’s profile by login ID
or full name.
• Support staff can be required to authenticate the caller – for example by keying answers to some of the
user’s personal questions, which Password Manager can validate against its own back-end database
or an external database, directory or web service.
Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.
• Once both the support technician and caller have been authenticated, support staff can reset the
caller’s password, lock or unlock the caller’s access to Password Manager or update the caller’s profile.
Assisted password resets may be configured to also expire the new password, requiring the user to
change it on the next login.
• All transactions – IT support login, user profile lookup, successful or failed password reset and more – may trigger e-mails to the user, to the support technician or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.
• Since only a single, simple web interface is used, an assisted password reset is normally completed
in 1–2 minutes.
• The right of one user to reset another user’s password may be global (e.g., global IT support team)
or based on the requester/recipient relationship (e.g., departmental or regional IT support can only
assist in-scope users). Moreover, which passwords a given user can reset can be controlled by policy.
• At no point in the process does an IT support technician require administrative access to the systems
where passwords are being reset. Instead, Password Manager uses its own credentials to sign into
target systems and these are encrypted in an internal Password Manager database.
Assisted password reset reduces the cost of password support calls and ensures that such calls are handled
in a consistent, secure fashion.
4.5 Password Policy Enforcement
Hitachi ID Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the most clear and understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that will not meet this global password policy.
For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternately, Password Manager can support longer passwords, but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation).
In general, systems enforce one of two types of password rules:
• Complexity requirements ensure that users do not select easily-guessed passwords. Example rules
are: disallowing any permutation of the user’s login ID, password history, requiring mixed letters and
digits, forbidding dictionary words, etc.
• Representational constraints limit what can be physically stored in a password field on a given system.
Usually there are just two such rules: maximum length and allowable character set.
A global password policy is normally created by combining and strengthening the best-of-breed complexity
requirements from each system affected by the policy. Password Manager then combines these with the
most restrictive representational constraints. This forces users to select strong, secure passwords on every
system.
The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.
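The policy-combination rule in section 4.5 (union of every system's complexity requirements, most restrictive representational constraints) carried through in code. This is an added illustration, not Hitachi ID Password Manager code; the system names, rule values and word list below are constructed for the example.

```python
# Added example (not Hitachi ID Password Manager code): derive one global
# password policy from several per-system policies as section 4.5 describes,
# then validate a candidate password against it. System names, rule values and
# the word list are constructed for illustration.
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemPolicy:
    name: str
    # Representational constraints: what the system can physically store.
    max_length: int
    allowed_chars: frozenset
    # Complexity requirements: what keeps passwords hard to guess.
    min_length: int = 1
    require_letters_and_digits: bool = False
    forbid_dictionary_words: bool = False
    forbid_login_id: bool = False


def combine_policies(policies):
    """Global policy: union of complexity rules, most restrictive representation."""
    return SystemPolicy(
        name="global",
        max_length=min(p.max_length for p in policies),
        allowed_chars=frozenset.intersection(*(p.allowed_chars for p in policies)),
        min_length=max(p.min_length for p in policies),
        require_letters_and_digits=any(p.require_letters_and_digits for p in policies),
        forbid_dictionary_words=any(p.forbid_dictionary_words for p in policies),
        forbid_login_id=any(p.forbid_login_id for p in policies),
    )


def violations(policy, password, login_id, dictionary):
    """Return the list of rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    disallowed = set(password) - policy.allowed_chars
    if disallowed:
        problems.append("disallowed characters: " + "".join(sorted(disallowed)))
    if policy.require_letters_and_digits and not (
        any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    ):
        problems.append("needs both letters and digits")
    lowered = password.lower()
    if policy.forbid_dictionary_words and any(w in lowered for w in dictionary):
        problems.append("contains a dictionary word")
    if policy.forbid_login_id:
        lid = login_id.lower()
        # Catch the login ID itself and any rearrangement of its characters.
        if lid in lowered or sorted(lowered) == sorted(lid):
            problems.append("derived from login ID")
    return problems


# Constructed sample: a directory that stores long, mixed-case passwords and an
# older mainframe that stores at most 8 upper-case alphanumerics (plus @#$).
AD_POLICY = SystemPolicy(
    name="AD", max_length=127,
    allowed_chars=frozenset(string.ascii_letters + string.digits + string.punctuation),
    min_length=8, require_letters_and_digits=True,
    forbid_dictionary_words=True, forbid_login_id=True,
)
MAINFRAME_POLICY = SystemPolicy(
    name="z/OS", max_length=8,
    allowed_chars=frozenset(string.ascii_uppercase + string.digits + "@#$"),
    min_length=6,
)
# The combined policy ends up requiring exactly 8 characters, the case the
# white paper gives as its example.
GLOBAL_POLICY = combine_policies([AD_POLICY, MAINFRAME_POLICY])
WORDS = frozenset({"password", "welcome", "summer"})


def check(password, login_id="jsmith"):
    """Validate a candidate against the global policy for a constructed user."""
    return violations(GLOBAL_POLICY, password, login_id, WORDS)


if __name__ == "__main__":
    for pw in ("A1B2C3D4", "a1b2c3d4", "WELCOME1", "JSMITH12", "PASSWORD2014"):
        print(pw, check(pw) or "ok")
```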
4.6 Password Expiration / Aging Enforcement
To enforce password expiration and to get users to trigger web-based password synchronization, Hitachi ID Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows, AD, LDAP, etc.) or based on the last time a user changed his passwords using Password Manager and to remind users to change their passwords using the Password Manager web UI.
Password expiration is normally configured so that users change their passwords with Password Manager
web portal on a shorter expiry interval than the native password expiry on any system. This way, Password
Manager prompts users to change passwords before any other system does and users are never prompted
to change expired passwords by other systems or applications.
Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.
Users can be notified of upcoming password expiration by e-mail. Alternately, a small client program can
be triggered at user login time, which checks whether the user currently logging in is on the list of “soon to
expire” users and – if so – opens the user’s default web browser to a URL that asks the user to change his
passwords.
The same small program can be used to make the password change mandatory, by opening a kiosk-mode
web browser to the password change web portal and requiring the user to change passwords before they
can close this browser and access their desktop.
4.7 Preventing Password Reuse
In Hitachi ID Password Manager, password history is “infinite” by default. Unless specifically allowed, users
are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time
interval, rather than the number of intervening password changes. Password history is stored in a one-way,
non-reversible hash (SHA-1 plus 64-bit random salt).
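The history scheme of section 4.7 worked through: each past password is stored only as SHA-1 over a fresh 64-bit random salt plus the password, history is unlimited, and reuse is permitted only after a configured time interval rather than after a number of intervening changes. This is an added example, not Hitachi ID code; the record layout and the interval value are assumptions made here.

```python
# Added example (not Hitachi ID Password Manager code): a salted, one-way
# password history in the style section 4.7 describes. Every previous password
# is kept as SHA-1(salt || password) with a fresh 64-bit random salt, so history
# is unlimited, and reuse is allowed only once a configured time interval has
# passed since that password was set, never by counting intervening changes.
# The record layout and the interval value are assumptions made here.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoryEntry:
    salt: bytes     # 8 bytes = 64 bits of randomness, unique per entry
    digest: bytes   # SHA-1 over salt + UTF-8 password bytes
    set_at: float   # epoch seconds when this password was chosen


def digest_for(salt, password):
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    def __init__(self, reuse_after_seconds=None):
        # None means reuse is never permitted (the default described in 4.7).
        self.reuse_after_seconds = reuse_after_seconds
        self.entries = []

    def record(self, password, now):
        salt = os.urandom(8)
        self.entries.append(HistoryEntry(salt, digest_for(salt, password), now))

    def find_match(self, password):
        # Each entry has its own salt, so the candidate is rehashed per entry.
        # Newest first, so a password set twice is judged by its latest use;
        # compare_digest keeps the comparison constant-time.
        for entry in reversed(self.entries):
            if hmac.compare_digest(entry.digest, digest_for(entry.salt, password)):
                return entry
        return None

    def is_reuse_blocked(self, password, now):
        entry = self.find_match(password)
        if entry is None:
            return False
        if self.reuse_after_seconds is None:
            return True
        return (now - entry.set_at) < self.reuse_after_seconds

    def change_password(self, new_password, now):
        """Apply the reuse rule, then record the new value on success."""
        if self.is_reuse_blocked(new_password, now):
            return False
        self.record(new_password, now)
        return True


if __name__ == "__main__":
    history = PasswordHistory(reuse_after_seconds=90 * 24 * 3600)
    print(history.change_password("Winter2014", now=0.0))          # True
    print(history.change_password("Winter2014", now=10 * 86400))   # False
```

SHA-1 with a salt is what the white paper specifies for its history store; a deliberately slow password hash (PBKDF2, bcrypt or scrypt) would be the usual choice today for any stored password-derived value.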
5 Solution Architecture
Hitachi ID Password Manager is designed for:
• Security:
Password Manager is installed on hardened servers. All sensitive data is encrypted in storage and
transit. Strong authentication and access controls protect business processes.
• Scalability:
Multiple Password Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.
• Performance:
Password Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Password Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.
• Openness:
Open standards are used for inbound integration (SOAP) and outbound communications (SOAP,
SMTP, HTTP, etc.).
• Flexibility:
Both the Password Manager user interface and all functionality can be customized to meet enterprise
requirements.
• Low TCO:
Password Manager is easy to set up and requires minimal ongoing administration.
Figure 1 on Page 11 illustrates the Password Manager network architecture:
• Users normally access Password Manager using HTTPS from a web browser.
• Multiple Password Manager servers may be load balanced using either an IP-level device (e.g., Cisco
Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
• Users may call an IVR (interactive voice response) system with a telephone and be authenticated
either using touch-tone input of personal information or using a voice print. Authenticated users may
initiate a password reset.
• Password Manager connects to most target systems using their native APIs (application programming
interfaces) and protocols and thus requires no software to be installed locally on those systems.
• Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these
agents improves transaction security, speed and concurrency.
Figure 1: Network architecture diagram. Components shown: users reaching the Hitachi ID application server(s) over HTTPS through a reverse web proxy and a load balancer, with a VPN server and an IVR server as alternate entry points; SQL/Oracle databases behind the application servers; e-mails via SMTP or Notes mail; tickets to an incident management system; lookup and trigger against a system of record; native password changes from password synch trigger systems (AD, Unix, OS/390, LDAP, AS400) validated over web services; target systems with a local agent (OS/390, Unix, older RSA) over TCP/IP + AES; target systems with a remote agent (AD, SQL, SAP, Notes, etc.) over secure native protocols; and, where needed, a proxy server in a remote data center behind its own firewall, plus cloud-hosted SaaS apps.
• A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote
API).
• Where target systems are remote and communication with them is slow, insecure or both, a Password
Manager proxy server may be co-located with the target system in the remote location. In this case,
servers in the main Password Manager server cluster initiate fast, secure connections to the remote
proxies, which decode these transactions and forward them to target systems locally, using native,
slow and/or insecure protocols.
• Password Manager can look up and update user profile data in an existing system, including HR
databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
• Password Manager can send e-mails to users asking them to register or to notify them of events
impacting their profiles. Over 189 events can trigger e-mail notification.
• Password Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 17 help desk applications and open integration is possible using mail, ODBC, SQL and web services.
6 Self-Service: Access and Authentication
6.1 Access For Locked Out Users
When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, and they cannot open a web browser to fix their password so that they can log in.
Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out
of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described
below:
Option 1: Do nothing. Users continue to call the help desk.
Pros:
• Inexpensive, nothing to deploy.
Cons:
• The help desk continues to field a high password reset call volume.
• No solution for local passwords or mobile users.

Option 2: Ask a neighbor. Use someone else’s web browser to access self-service password reset.
Pros:
• Inexpensive, no client software to deploy.
Cons:
• Users may be working alone or at odd hours.
• No solution for local passwords or mobile users.
• Wastes time for two users, rather than one.
• May violate a security policy in some organizations.

Option 3: Secure kiosk account (SKA). Sign into any PC with a generic ID such as “help” and no password. This launches a kiosk-mode web browser directed to the password reset web page.
Pros:
• Simple, inexpensive deployment, with no client software component.
• Users can reset both local and network passwords.
Cons:
• Introduces a “generic” account on the network, which may violate policy, no matter how well it is locked down.
• One user can trigger an intruder lockout on the “help” account, denying service to other users who require a password reset.
• Does not help mobile users.

Option 4: Personalized SKA. Same as the domain-wide SKA above, but the universal “help” account is replaced with one personal account per user. For example, each user’s “help” account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
Pros:
• Eliminates the “guest” account on the domain, which does not have a password.
Cons:
• Requires creation of thousands of additional domain accounts.
• Requires ongoing creation and deletion of domain accounts.
• These new accounts are special – their passwords do not expire and would likely not meet strength rules.

Option 5: Local SKA. Same as the domain-wide SKA above, but the “help” account is created on each computer, rather than on the domain.
Pros:
• Eliminates the “guest” account on the domain.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
Cons:
• Requires a small footprint on each computer (the local “help” account).

Option 6: Telephone password reset. Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.
Pros:
• Simple deployment of centralized infrastructure.
• No client software impact.
• May leverage an existing IVR system.
• Helpful for remote users who need assistance connecting to the corporate VPN.
Cons:
• New physical infrastructure is usually required.
• Users generally don’t like to “talk to a machine” so adoption rates are lower than with a web portal.
• Does not help mobile users who forgot their cached domain password.
• Does not help unlock PINs on smart cards.

Option 8: Physical kiosks. Deploy physical Intranet kiosks at each office location.
Pros:
• Eliminates generic or guest accounts.
• May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
Cons:
• Costly to deploy – hardware at many locations.
• Does not help mobile users who forgot their cached domain password.
• Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9: GINA DLL (Windows XP). Install a GINA DLL on user computers, which adds a “reset my password” button to the login screen.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• Works on Windows Terminal Server and Citrix Presentation Manager.
Cons:
• Requires intrusive software to be installed on every
computer.
• Broken installation or
out-of-order un-installation
will render the computer
inoperable (i.e., “brick the
PC”).
10 GINA Extension Service:
Similar to the GINA DLL, but
uses a sophisticated service
infrastructure to modify the UI
of the native GINA, rather than
installing a GINA DLL.
• User friendly, intuitive
access to self-service.
• Can be configured to assist
mobile users who forgot
their cached domain
password (by automatically
establishing a temporary
VPN connection).
• More robust, fault-tolerant
installation process than the
GINA DLL.
• Requires software to be
installed on every computer.
• Does not work on Citrix
Presentation Server or
Windows Terminal Server –
only works on personal
computers.
11 Credential Provider: The
equivalent of a GINA DLL, but
for the login infrastructure on
Windows Vista/7/8.
• User friendly, intuitive
access to self-service.
• Can be configured to assist
mobile users who forgot
their cached domain
password (by automatically
establishing a temporary
VPN connection).
• Works on Windows Terminal
Server and Citrix
Presentation Manager.
• More robust infrastructure
than GINA DLLs on
Windows XP.
• Deployment of intrusive
software to every
workstation.
No other product or vendor supports as many options for assisting users locked out of their PC login screen.
6.2 Authenticating Users Without Passwords
Users may authenticate into Hitachi ID Password Manager as follows:
• On the web portal:
– By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF, etc.).
– By answering security questions.
– Using a security token (e.g., SecurID pass-code).
– Using a smart card with PKI certificate.
– Using Windows-integrated authentication.
– Using a SAML assertion issued by another server.
– By typing a PIN that was sent to their mobile phone via SMS.
– Using a combination of these mechanisms.
• Using a telephone, calling an automated IVR system:
– By keying in numeric answers to a series of security questions (e.g., employee number, date of
hire, driver’s license number).
– By speaking one or more phrases, where the Password Manager server compares the new
speech sample to one on record (biometric voice print verification).
• Using a telephone, calling an IT support technician:
– By answering a series of security questions, where the technician must type the answers into a
web portal to authenticate the caller.
6.3 Authentication Chains
Hitachi ID Password Manager includes a mechanism for authenticating users called authentication chains.
This mechanism works by defining sequences of steps that can be used to authenticate a user and defining
how the authentication process proceeds from one step to the next.
Authentication chains allow Password Manager to:
1. Offer a user multiple authentication mechanisms. For example, type a password, answer security
questions, use a token, etc.
2. Combine authentication mechanisms. For example, a user may be asked to type a password and
answer a subset of the security questions in his profile.
3. Select an authentication mechanism based on context. For example, require a user with elevated
privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user
connected to the corporate network.
Authentication chains allow Password Manager to implement flexible login processes. For example, mobile
phones can be used as an authentication factor:
1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile
phone number.
2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within
a short time window. This establishes that the user is in possession of his phone.
3. A second authentication step is to ask the user to answer a few security questions, which supports
the user’s claimed identity through something he knows.
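The following is an illustrative model of the chain mechanism described above, added here as an example; it is not Hitachi ID code and does not show how Password Manager implements chains internally. The user records, the in-memory stand-in for the SMS gateway, the two-minute PIN window, the two-correct-answers threshold and the salted SHA-256 password hash (a real deployment uses a slow KDF) are all assumptions. Each step is a function; a context rule picks the chain, and every step in the chain must pass.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store (assumption). Answers are stored lowercased.
SALT = "a3f1c2"


def _h(value):
    return hashlib.sha256((SALT + value).encode()).hexdigest()


USERS = {
    "jsmith": {
        "password_hash": _h("Winter2014!"),
        "questions": {"city of birth": "calgary", "first pet": "rex", "employee number": "10042"},
        "phone": "+1 555 555 0100",
        "privileged": False,
    },
    "admin1": {
        "password_hash": _h("Sup3rS3cret"),
        "questions": {"city of birth": "toronto", "first pet": "tux", "employee number": "10007"},
        "phone": "+1 555 555 0101",
        "privileged": True,
    },
}

SMS_PIN_TTL = 120            # seconds a one-time PIN stays valid (assumption)
QUESTIONS_REQUIRED = 2       # correct answers needed out of the user's profile
_pending_pins = {}           # user -> (pin, expiry); stands in for the SMS gateway


def send_sms_pin(user, now=None):
    """Issue a single-use random PIN; returned here only so the example can run offline."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"
    _pending_pins[user] = (pin, now + SMS_PIN_TTL)
    return pin


def _eq(a, b):
    # Constant-time comparison so a wrong answer is not distinguishable by timing.
    return hmac.compare_digest(a.encode(), b.encode())


# Each step takes (user, answers, now) and returns True only on success.
def step_password(user, answers, now):
    return _eq(USERS[user]["password_hash"], _h(answers.get("password", "")))


def step_sms_pin(user, answers, now):
    pin, expiry = _pending_pins.pop(user, (None, 0))   # pop: a PIN is consumed on first try
    return pin is not None and now <= expiry and _eq(pin, answers.get("sms_pin", ""))


def step_questions(user, answers, now):
    correct = sum(_eq(stored, answers.get(q, "").strip().lower())
                  for q, stored in USERS[user]["questions"].items())
    return correct >= QUESTIONS_REQUIRED


CHAINS = {
    "standard": [step_password],                 # unprivileged user on the corporate network
    "strong":   [step_sms_pin, step_questions],  # possession (phone) then knowledge (questions)
}


def select_chain(user, via_vpn):
    """Context rule: privileged users and users arriving over VPN get the strong chain."""
    return "strong" if via_vpn or USERS[user]["privileged"] else "standard"


def authenticate(user, answers, via_vpn=False, now=None):
    """Run the selected chain; every step must pass. Returns (ok, detail)."""
    now = time.time() if now is None else now
    if user not in USERS:
        return False, "unknown user"
    chain = select_chain(user, via_vpn)
    for step in CHAINS[chain]:
        if not step(user, answers, now):
            return False, f"{chain}: failed at {step.__name__}"
    return True, chain
```

Two details matter in practice: the PIN is removed from the pending table on the first attempt, so a guessed PIN cannot be retried against the same SMS, and the expiry is checked before the value, so a PIN captured from an old message is useless after the window closes.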
7 User Enrollment: Maximizing Adoption
In many organizations, deployment of a password management system requires a user enrollment pro-
cess. Users may have to provide personal data such as answers to authentication questions (which can
subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may
be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples,
likewise used for non-password authentication in the event of a future password problem. Finally, users may
simply be asked to review and agree to some corporate policy, for example regarding password sharing or
writing down their password.
If enrollment is required, it is helpful for the password management system to automate the process by
identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated
enrollment user interface, etc.
Hitachi ID Password Manager includes built-in infrastructure to securely and automatically manage the user
enrollment process:
• By monitoring one or more systems of record, Password Manager automatically creates new and
removes old profile IDs.
• New users and existing users with incomplete profiles are automatically invited to complete their
profiles (e.g., by answering security questions).
• Invitations to enroll may be e-mailed to users.
• Users may be more forcefully reminded to enroll by having a web browser automatically open to the
enrollment page when they log into the network.
• Users may be forced to enroll, by opening a kiosk-mode web browser to the enrollment page when
they sign into the network, and blocking access to the Windows desktop until users complete their
profile. This process is typically controlled by placing users into a “mandatory enrollment” AD group
and linking a suitable GPO whose security filtering is scoped to that group.
• To enroll, users must first authenticate. This is normally done by leveraging an existing strong authen-
ticator – such as a network password or a token.
• A single, integrated enrollment system supports collecting answers to security questions, mapping
different login IDs, on different systems back to their owners and collecting biometric voice print sam-
ples.
The enrollment system in Password Manager includes schedule controls. For example, the maximum
number of invitations to send daily can be limited, as can the frequency of invitations per user. Days-of-
week during which to send invitations are identified as are holidays during which no invitations should be
sent.
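The schedule controls above can be modelled as a small selection routine. This is an added example, not Hitachi ID code or configuration; the cap of two invitations per day, the seven-day minimum interval between invitations to the same user, the weekday-only rule, the holiday and the profile records are all constructed values. Dates are passed as ISO strings so the functions need no other setup.

```python
from datetime import date, timedelta

# Schedule controls (assumed values).
MAX_INVITES_PER_DAY = 2
MIN_DAYS_BETWEEN_INVITES = 7
SEND_WEEKDAYS = {0, 1, 2, 3, 4}        # Monday..Friday, as date.weekday() numbers
HOLIDAYS = {"2014-07-01"}               # ISO dates on which nothing is sent

# Constructed sample of the profile table: who is enrolled and when each
# user was last invited (ISO date or None).
PROFILES = [
    {"id": "alice", "enrolled": True,  "last_invited": None},
    {"id": "bob",   "enrolled": False, "last_invited": None},
    {"id": "carol", "enrolled": False, "last_invited": "2014-06-27"},
    {"id": "dave",  "enrolled": False, "last_invited": "2014-06-20"},
    {"id": "erin",  "enrolled": False, "last_invited": None},
]


def is_send_day(iso_day):
    day = date.fromisoformat(iso_day)
    return day.weekday() in SEND_WEEKDAYS and iso_day not in HOLIDAYS


def due_for_invitation(profile, iso_day):
    """Incomplete profile and not reminded within the minimum interval."""
    if profile["enrolled"]:
        return False
    last = profile["last_invited"]
    if last is None:
        return True
    waited = (date.fromisoformat(iso_day) - date.fromisoformat(last)).days
    return waited >= MIN_DAYS_BETWEEN_INVITES


def select_invitees(profiles, iso_day):
    """IDs to invite today: never-invited users first, then the longest-waiting, up to the cap."""
    if not is_send_day(iso_day):
        return []
    due = [p for p in profiles if due_for_invitation(p, iso_day)]
    # ISO dates sort correctly as strings; never-invited users get the lowest key.
    due.sort(key=lambda p: (p["last_invited"] is not None, p["last_invited"] or ""))
    return [p["id"] for p in due[:MAX_INVITES_PER_DAY]]


def run_campaign(profiles, iso_start, days):
    """Simulate consecutive days; returns {iso_day: [ids invited]}. Input list is not modified."""
    state = [dict(p) for p in profiles]
    start = date.fromisoformat(iso_start)
    log = {}
    for i in range(days):
        iso_day = (start + timedelta(days=i)).isoformat()
        chosen = select_invitees(state, iso_day)
        for p in state:
            if p["id"] in chosen:
                p["last_invited"] = iso_day
        log[iso_day] = chosen
    return log
```

Run over a Monday, the Tuesday holiday and the following Wednesday, the routine invites the two never-invited users first, sends nothing on the holiday, and only then reaches the user whose last reminder is more than a week old.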
8 Telephony Integration
A popular way to extend password reset services to locked out users is to offer the service over a
telephone, using an interactive voice response (IVR) system.
Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset.
Authentication using either touch-tone entry of personal secret information or using voice print verification
is supported. Existing IVR systems can be extended using a Hitachi ID Password Manager remote API
or Hitachi ID Telephone Password Manager – a turn-key IVR system specifically designed for password
resets.
Overview:
Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager
credential management solution. It enables organizations to quickly and inexpensively offer self-service
password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex
IVR system.
Features:
Telephone Password Manager supports self-service management of authentication factors (credentials)
and recovery of disk encryption keys over a telephone with:
• User identification:
Users who call Telephone Password Manager typically identify themselves by typing a personal iden-
tifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an
employee number or a letters-to-digits mapping of an alpha-numeric ID, such as the user’s network
login ID.
• User authentication:
Once identified, users must be authenticated. Telephone Password Manager supports authentication
with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security
questions using a touch-tone telephone keypad on their phone (e.g., driver’s license number, SSN,
date of birth, etc.) or using an optional biometric voice verification module.
• Password reset:
Once authenticated, users can initiate a password reset. This may be for one or all of their passwords
and the new password may either be randomly generated and read out to the user or user-specified.
New passwords may be set to expire after first use.
• PIN reset:
Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA Se-
curID tokens. A randomly-generated or a user-specified PIN may be used.
• Disk unlock:
Users with a full disk encryption program protecting their computer can use Telephone Password
Manager to automate the key recovery process in the event that they forgot the password that unlocks
their computer.
• Text to speech:
Telephone Password Manager is normally configured to play .WAV audio files as prompts for user input.
It also includes a text to speech mechanism that makes it easier to develop new navigation menus
and defer new voice recordings.
• Speech to text:
While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone
Password Manager can be configured to recognize small dictionaries of spoken words, so that users
can make alphanumeric input by speaking the names of letters and digits.
• PBX integration:
Telephone Password Manager can be directly integrated into an existing PBX system, by installing the
appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager
server.
• VoIP integration:
Telephone Password Manager can also be connected to a voice-over-IP network and configured to
accept VoIP calls.
Benefits:
Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, re-
mote or locked out users to resolve problems with their password, hardware token or encrypted hard disk
on their own, without calling the help desk.
Telephone Password Manager can improve the security of IT support processes by authenticating users
with biometric voice-print verification prior to offering services such as password or PIN reset.
9 Managing PKI Certificate Passwords
PKI standards generally relate to certificate format and use, not to the administration of certificates – is-
suance, delivery to users, installation on PCs and smart cards and revocation. Unfortunately, a major cost
of PKI is exactly these processes of managing certificates.
Hitachi ID Password Manager includes a significant and mature infrastructure for managing (provision, man-
age passwords and other attributes, deliver to users and revoke) PKI certificates.
Of necessity, this infrastructure combines a general facility (business process and certificate storage)
with a set of platform-specific bindings for individual PKI/certificate authority products. Currently,
Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely
deployed (though not necessarily standards-based) PKI infrastructure today:
Lotus Notes actually uses two separate passwords for each user:
• HTTPPassword hashes, stored on a Notes / Domino server.
These are a straightforward password hash stored in a field of an .NSF file on the server. Password Manager
can be configured to verify, change and reset these passwords directly.
• Passwords used to encrypt ID files, typically stored on user workstations. These cannot be adminis-
tratively reset.
1. Password Manager includes technology to help organizations both build out and maintain a
repository of every user’s ID file, along with a recoverably encrypted password for that ID file.
2. Password Manager simulates password resets on ID files by retrieving an ID file from the repos-
itory, opening it with a password from the repository, changing the password to a new value and
delivering the new ID file to the user.
3. Both collection of ID files from users (to maintain the repository) and delivery of updated ID files
back to users support multiple mechanisms, including file synchronization through a shared
staging directory (no client software required) and a Notes Extension DLL installed on user
workstations (immediate and silent delivery and collection).
Password Manager is the only product to automate not only ID file password resets, but also construc-
tion and maintenance of the ID file repository.
Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure
in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI
vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for
integrations is therefore limited.
10 Support for Mobile, Disconnected Users
Hitachi ID Password Manager offers a unique set of technologies, collectively referred to as “Self-Service,
Anywhere.” Using these technologies, users can resolve problems with their passwords, smart cards, tokens
or full disk encryption software both at the office and mobile, from any endpoint device.
Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-
critical scenarios:
Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who
infrequently connect their laptop to the office network, instead checking e-mail with a solution such as
Outlook Web Access, suffer regular password expiry and require frequent password resets.

Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change
passwords using a web browser. An ActiveX control refreshes the password on their laptop.

Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support
cost.

Reset forgotten, cached password while away from the office

Problem: Laptop users sometimes change their password before leaving the office and may forget the new
password when they need to use it while not attached to the corporate network. Without a technical
solution, the IT help desk cannot resolve these users’ problem, and their laptops are rendered inoperable,
until they return to the office.

Solution: A Password Manager client software component allows users who forgot their primary, cached
Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an
air-card. Users locked out of their PC login screen can also establish a temporary Internet connection
using their home Internet connection or a hotel Ethernet service. Once the user’s laptop is on the
Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen,
locked down) web browser. The user steps through a self-service password reset process and Password
Manager uses an ActiveX component to reset the locally cached password to the same new value as was set
on the network back at the office.

Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be
resolved until the user visits the office. Password Manager allows users to re-enable their laptop in
minutes.

Unlock encrypted hard disk

Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the
event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a
password to unlock their hard disk, before they can boot up an operating system. This password is normally
synchronized with the user’s primary Windows password, so that the user only has to remember and type a
single password at login. If a user forgets his hard disk encryption unlock password, the user will be
unable to start their operating system or use their computer. This is a serious service disruption for the
user and can contribute to significant support costs for the IT help desk.

Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves
a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery
server. Password Manager can front-end this process using an integrated telephony option, so that users
can perform key recovery 24x7, from any location, using their telephone and without talking to a human
help desk technician.

Business impact: Key recovery is an essential IT support service for organizations that have deployed
FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service
model.

Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically
sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN
or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process
since the new PIN has to be physically installed on the user’s smart card. This means that IT support may
trigger a physical visit to the help desk.

Solution: Password Manager allows users to access a self-service web portal from anywhere, including from
the locked out login screen of their laptop, even away from the office (even using WiFi, as described
earlier). Once a user signs into the self-service portal, Password Manager can download an ActiveX
component to the user’s web browser, to communicate with the smart card and reset the forgotten PIN.
Password Manager can also be used to assign a user a temporary login password (often a very long and
random one) to be used in the event that a user left his smart card at home.

Business impact: While forgotten PINs are infrequent (PINs are not usually set to expire), when they do
happen, they are extremely disruptive. Assigning temporary passwords is just as important for users who
left their smart card at home, which happens quite often.
11 Overcoming Active Directory Replication Delays
Please refer to Subsection 3.3 on Page 4 for an overview of the intruder lockout replication problem in Active
Directory.
Hitachi ID Password Manager uniquely circumvents the problem of slow replication of cleared intruder lock-
outs between Active Directory domain controllers by automatically directing password resets and cleared
intruder lockouts to a select set of domain controllers, which the user is most likely to access:
• DCs on the user’s home site, based on the user’s home directory UNC and the IP address of the
server that hosts this UNC.
• DCs on the user’s current site, based on the user’s web browser IP address (this only applies to
self-service password reset).
• DCs mapped to either of these sites by an administrator-configured rule set. For example, at global
or regional data centers.
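The site-selection logic above can be shown as a small routine. This is an added example, not Hitachi ID code; the subnet-to-site table, the DC lists, the file-server addresses that stand in for DNS lookups of the home directory UNC host, and the hub rule set are all constructed. It resolves the user’s home site from the UNC server’s address, adds the current site from the browser address only for self-service resets, applies the administrator rule set, and returns the ordered, de-duplicated list of DCs the reset should be written to first.

```python
import ipaddress
import re

# Constructed site/subnet table (in AD this lives under CN=Subnets,CN=Sites,...).
SUBNETS = {
    "10.1.0.0/16": "Calgary",
    "10.2.0.0/16": "Toronto",
    "10.3.0.0/24": "Toronto",
    "192.168.50.0/24": "VPN-Pool",
}
SITE_DCS = {
    "Calgary": ["dc1.calgary.example.com", "dc2.calgary.example.com"],
    "Toronto": ["dc1.toronto.example.com"],
    "VPN-Pool": ["dc1.toronto.example.com"],
}
# Constructed stand-in for DNS: the servers named in home-directory UNC paths.
HOST_IPS = {"fs-cgy01": "10.1.4.20", "fs-tor02": "10.2.9.5"}
# Administrator rule set: extra sites that always receive a copy, per site (e.g. regional hubs).
SITE_RULES = {"Calgary": ["Toronto"], "Toronto": []}
GLOBAL_DCS = ["dc1.hq.example.com"]          # global data centre, always appended last

# Most specific prefix wins, as AD's own site lookup does.
_NETS = sorted(((ipaddress.ip_network(n), s) for n, s in SUBNETS.items()),
               key=lambda t: t[0].prefixlen, reverse=True)


def site_for_ip(ip):
    addr = ipaddress.ip_address(ip)
    for net, site in _NETS:
        if addr in net:
            return site
    return None


def unc_host(unc):
    """Server name from a UNC path such as \\\\fs-cgy01\\home\\jsmith."""
    m = re.match(r"^\\\\([^\\]+)\\", unc)
    return m.group(1).lower() if m else None


def home_site(home_unc):
    host = unc_host(home_unc)
    ip = HOST_IPS.get(host) if host else None
    return site_for_ip(ip) if ip else None


def target_dcs(home_unc, browser_ip=None, self_service=False):
    """Ordered list of DCs to receive the reset / cleared lockout first."""
    sites = []
    s = home_site(home_unc)
    if s:
        sites.append(s)
    if self_service and browser_ip:          # browser address only means something for self-service
        s = site_for_ip(browser_ip)
        if s:
            sites.append(s)
    for s in list(sites):                     # apply the administrator rule set
        sites.extend(SITE_RULES.get(s, []))
    dcs = []
    for s in sites:
        for dc in SITE_DCS.get(s, []):
            if dc not in dcs:
                dcs.append(dc)
    for dc in GLOBAL_DCS:
        if dc not in dcs:
            dcs.append(dc)
    return dcs
```

A help-desk reset for a Calgary user therefore targets the Calgary DCs, then the Toronto hub named in the rule set, then the global DC; a self-service reset from a Toronto user who is physically in Calgary adds the Calgary DCs so the site the user will log on from sees the change without waiting for replication.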
12 Built-in Single Sign-on Technology
Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single
sign-on solution. It automatically signs users into applications where the ID and/or passwords are the same
ones users type to sign into Windows on their PC.
Login Manager leverages password synchronization instead of stored passwords. This means that it does
not require a wallet and that users can continue to sign into their applications from devices other than their
corporate PC – such as a smart phone or tablet – for which a single sign-on client may not be available.
Login Manager does not require scripting or a credential vault, so has a much lower total cost of ownership
(TCO) than alternative single sign-on tools.
Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining
the application sign-on process for users.
Login Manager works as follows:
• When users sign into their workstations, Login Manager acquires their network login ID and password
from the Windows login process.
• Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user’s Active
Directory profile.
• Login Manager monitors the Windows desktop for newly launched applications:
– It detects when the user types one of his known login IDs or his Windows password into an
application dialog box, HTML form or mainframe terminal session. When this happens, the
location of the matching input fields is stored in a local configuration file.
– Whenever Login Manager detects an application displaying a previously configured login screen,
it automatically fills in the appropriate login ID and/or the current Windows password.
The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords
that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:
• Interfering with user access to applications from devices not equipped with the SSO software, such
as their smart phones.
• Having to deploy a secure location in which to store application credentials.
• Writing scripts.
Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension
to Active Directory.
The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO tech-
niques:
• There is no global directory or database with user credentials:
– There is no central credential store for a would-be attacker to target.
– There is no single point of failure which could cause a widespread disruption to users who wish
to sign into applications.
– There is no need to enroll users by having them provide their passwords.
• There are no manually written scripts:
– No manual configuration is required.
– No infrastructure is required to distribute script files to PCs.
• Continued access to applications:
– Users sometimes need to sign into application from devices other than their work PC.
– Since passwords are synchronized and users know their own password, they can still sign in,
even without the SSO software.
– In contrast, with other E-SSO products, users may not know their own application passwords.
This disrupts application access using a smart phone, home PC, Internet kiosk, etc.
These advantages significantly reduce the cost and risk associated with deploying and managing Login
Manager.
13 Return on Investment
Deploying Hitachi ID Password Manager saves money for three groups of people in an organization:
• Users:
Password synchronization reduces the incidence of password problems. In most organizations, over
80% of problems are eliminated. Accordingly, users waste less time making unsuccessful attempts to
log into systems.
• Support staff:
Both password synchronization and self-service password resets eliminate calls to the help desk.
Together, they normally reduce password-related call volume by over 90%.
Once calls reach the help desk, they are resolved much more quickly, using a single tool that integrates
caller authentication, multiple password resets and creation of problem tickets. Using a web browser,
support staff can resolve password calls in 1-2 minutes.
• System administrators:
Without Password Manager, most support organizations escalate some password calls to system ad-
ministrators. This is done when the support organization does not have training or security clearance
to reset passwords on the systems in question.
Password Manager eliminates password problem escalation.
Example savings calculation
The following example illustrates how Password Manager reduces the cost of password management:
• 10000 users experience 3000 password problems per month. Users spend 10 minutes with a pass-
word problem before calling for help.
• The help desk takes 10 minutes to resolve password problems.
• 1/6 of calls are escalated from the help desk to system administrators.
• Password Manager eliminates 80% of password problems, and reduces problem resolution time to 2
minutes.
Monthly cost     Initial                              With Password Manager              Savings
Users            3000 calls × 20 minutes × $40/hr     600 calls × 12 minutes × $40/hr
                 = $40,000                            = $4,800                           $35,200
Help desk        3000 calls × 10 minutes × $40/hr     600 calls × 2 minutes × $40/hr
                 = $20,000                            = $800                             $19,200
Administrators   500 calls × 5 minutes × $40/hr       0 calls
                 = $1,670                             = $0                               $1,670
Monthly total    $61,670                              $5,600                             $56,070
To estimate the cost savings in your organization, try our on-line calculator at:
http://Hitachi-ID.com/Password-Manager/roi/
14 Platform Support
Hitachi ID Password Manager can manage passwords on most systems directly. It includes built-in support
for the following systems:
• Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.
• Servers: Windows 2000–2012, Samba, NDS, SharePoint.
• Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.
• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
• Mainframes: z/OS with RACF, ACF2 or Top Secret.
• Midrange: iSeries (OS400), OpenVMS.
• ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
• Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
• Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
• WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.
• Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA enVision, MS SCS Manager.
• HDD Encryption: McAfee, Check Point, BitLocker, PGP.
• SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).
• Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere.
• Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.
Password Manager includes a number of flexible connectors, each of which is used to script integration
with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively
integrate Password Manager with custom and vertical market applications. The ability to quickly and
inexpensively add integrations increases the value of the Password Manager system as a whole.
There are flexible connectors to script interaction with:
API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.
Terminal emulation: SSH; Telnet; TN3270, TN5250.
Web services: Simulated browser; SOAP; WebRPC; Pure HTTP(S).
Back end integration: SQL injection (here meaning direct SQL statements issued against the application's
own user tables, not the attack class of the same name); LDAP attributes.
Command-line: Windows; PowerShell; Unix/Linux.
Organizations that wish to write a completely new connector to integrate with a custom or vertical market
application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and
invoke it as either a command-line program or web service.
If an organization develops its own integrations, an effort of between four hours and four days is typical.
Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
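The following is an added example, not Hitachi ID code, of the kind of command-line connector described above, written against the "back end integration" style of target: an application that keeps its own user table in SQL. Everything about the target is assumed for illustration: the app_users table, the pbkdf2_sha256 hash format, and the calling contract (login ID on the command line, new password on stdin, exit status 0 for success). The points a practitioner would want from such a connector are that the new password is read from stdin rather than argv (so it does not show up in process listings or shell history), that the connector writes the application's own password hash rather than clear text, that the reset also clears the account's intruder lockout in the same transaction, that an unknown login ID yields a failure exit code instead of a silent "success", and that the SQL is parameterised so the login ID can never be interpreted as SQL.

```python
"""Command-line password connector for a hypothetical SQL-backed application.

Added example, not Hitachi ID code.  Contract assumed here (not the
product's documented interface): the password management server runs

    python connector.py --db /path/to/app.db --user alice

and writes the NEW password to the connector's stdin, so it never appears
on a command line, in process listings or in shell history.  Exit status 0
means the reset succeeded; anything else tells the server to log a failure.
"""
import argparse
import hashlib
import hmac
import os
import sqlite3
import sys
from typing import Optional

# Hypothetical application hash format: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
# A back-end SQL connector must write the application's own format; storing the
# clear-text password "for convenience" would undo the point of the reset.
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 hash in the application's storage format."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored hash (constant-time compare)."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed or foreign hash format
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def set_password(conn: sqlite3.Connection, login_id: str, new_password: str) -> bool:
    """Reset one account's password and clear its intruder lockout in a single transaction.

    Returns False, and changes nothing, when the login ID does not exist, so that the
    calling server records a failure instead of assuming the target was updated.
    Parameterised SQL keeps the login ID from being interpreted as SQL, even though
    this connector type is itself called "SQL injection" in the product's vocabulary.
    """
    with conn:  # commit on success, roll back on exception
        cur = conn.execute(
            "UPDATE app_users SET pw_hash = ?, failed_logins = 0, locked = 0 WHERE login_id = ?",
            (hash_password(new_password), login_id),
        )
    return cur.rowcount == 1


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory copy of the application's user table
    holding one locked-out user whose old password is about to be replaced."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_users ("
        " login_id TEXT PRIMARY KEY, pw_hash TEXT NOT NULL,"
        " failed_logins INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute("INSERT INTO app_users VALUES (?, ?, 5, 1)", ("alice", hash_password("Forgotten-Old-Pa55")))
    conn.commit()
    return conn


def main(argv: list) -> int:
    parser = argparse.ArgumentParser(description="Reset a user's password in the application database")
    parser.add_argument("--db", required=True, help="path to the application's SQLite file, or :memory: for the demo")
    parser.add_argument("--user", required=True, help="login ID on the target application")
    args = parser.parse_args(argv)

    new_password = sys.stdin.readline().rstrip("\r\n")  # read from stdin, never from argv
    if not new_password:
        print("connector: no password supplied on stdin", file=sys.stderr)
        return 2

    conn = demo_db() if args.db == ":memory:" else sqlite3.connect(args.db)
    if set_password(conn, args.user, new_password):
        print(f"connector: password for {args.user} updated")
        return 0
    print(f"connector: login ID {args.user} not found on target", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the constructed demo table with `echo 'N3w-Strong-Passphrase!' | python connector.py --db :memory: --user alice`; repeating it with `--user nobody` exits 1 so that the calling server records the failure. The same shape (read secret from stdin, write the target's native credential format, clear the lockout, fail loudly on an unknown ID) carries over to a connector that talks LDAP or SSH instead of SQL.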
15 Rapid Deployment
Hitachi ID Systems solutions are optimized for rapid deployment – this is a core design principle across
all products in the Hitachi ID Management Suite. Rapid deployment is largely a feature of (a) including as
many built-in features as possible and (b) making common use cases easier to configure.
Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals
process and by enabling organizations to define categories of relationships, which then drive what one user
can see of another, what changes one user can submit on behalf of another, who is invited to approve
change requests and more.
Hitachi ID Password Manager minimizes deployment cost using built-in processes for enrollment of security
questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes
to control the pace of user invitations.
Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery
and automated classification of systems and accounts to be managed. It also includes a robust, built-in
process for authorizing one-time access requests.
All Hitachi ID Systems products include a rich set of over 110 connectors, built-in reports, a robust and
translation-friendly web portal, e-mail and incident management system integration, multi-node database
replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing
project time and cost.
Password Manager is designed for rapid deployment:
• No client software required, even for access to self-service password reset from the workstation
login prompt.
• Automated discovery of every login ID on every target system, nightly.
• Self-service login ID reconciliation where login IDs on different systems are different and there is
no pre-existing correlation data.
• A built-in identity cache that captures user profile data and eliminates the need to install or manage
a database or directory before installing Password Manager.
• Built-in connectors for every common system and application eliminating the need for customers
to develop their own connectors to common, off-the-shelf target systems.
• Remote connectors mean that Password Manager can manage users and passwords on systems
without requiring the installation of intrusive local software on each target system.
• Flexible connectors enable organizations to integrate Password Manager with custom applications,
vertical market software, application service providers (ASPs) and service bureaus quickly – taking
just 2 hours to 4 days per new target system.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/white/psynch/hipam-white-22.tex
Date: 2011-05-15

Mais conteúdo relacionado

Mais de Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication ManagementHitachi ID Systems, Inc.
 

Mais de Hitachi ID Systems, Inc. (20)

Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager Brochure
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
 

Último

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Large Scale Password Management With Hitachi ID Password Manager

  • 1. Large Scale Password Management With Hitachi ID Password Manager © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. As users access ever more systems and applications, they accumulate passwords and other authentication factors. Complexity that arises in managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written passwords, lost or stolen OTP tokens and smart cards, etc. Effective password management addresses these problems by helping users to manage all of their authen- tication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked out passwords or PINs and unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is made available from full screen or mobile phone web browsers, phone calls or PC login screens. Contents 1 Introduction 1 2 Business Drivers: IT Support for Passwords and PINs 2 3 Technical Challenges: Hard-To-Support Passwords 3 3.1 Locked Out Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 Cached Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.3 Replication Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.4 Forgotten Passwords for Full Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.5 Mobile, Disconnected Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.6 Managing PKI Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4 Hitachi ID Password Manager Features 6 4.1 Password Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.2 Self-service Password Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks . . . . . . . . . . . 
7 4.4 Assisted Password Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.5 Password Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.6 Password Expiration / Aging Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.7 Preventing Password Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5 Solution Architecture 10 6 Self-Service: Access and Authentication 12 6.1 Access For Locked Out Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 i
  • 3. Large Scale Password Management With Password Manager 6.2 Authenticating Users Without Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6.3 Authentication Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7 User Enrollment: Maximizing Adoption 17 8 Telephony Integration 18 9 Managing PKI Certificate Passwords 21 10 Support for Mobile, Disconnected Users 22 11 Overcoming Active Directory Replication Delays 25 12 Built-in Single Sign-on Technology 26 13 Return on Investment 28 14 Platform Support 30 15 Rapid Deployment 32 © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 4. Large Scale Password Management With Password Manager 1 Introduction This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business prob- lems. Hitachi ID Password Manager is solution for managing all of a user’s authentication factors. This lowers IT support cost and improves security through: • Password synchronization: Helping users to maintain a single, strong password across multiple systems and applications. • Single sign-on: Automatically signing users into applications. • Password policy enforcement: Ensuring that new passwords are hard to guess, are changed fre- quently and that old passwords are not reused. • Self-service password and PIN reset: Enabling users who have forgotten their password, forgotten the PIN for their hardware token or smart card or who have triggered an intruder lockout to authenticate themselves and resolve their problem – from any location, using any device, without calling the help desk. • Cryptographic key recovery: Allowing users who forgot the password that activates their PC at boot time to resolve their problem without speaking to a support analyst. • Assisted password and PIN reset: Streamlining IT support calls to resolve login problems. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
  • 5. Large Scale Password Management With Hitachi ID Password Manager 2 Business Drivers: IT Support for Passwords and PINs Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems. Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse. Some systems are able to force users to select hard-to-guess passwords, while others are not. Some systems require that users change their passwords periodically, while others cannot enforce expiration. Users have trouble choosing hard-to-guess passwords. Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week, and didn’t have an opportunity to use it a few times before going home. These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security. When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk. Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume. In addition to the above security and support cost problems, users simply don’t like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service. Despite all these problems, passwords will continue to be needed for years to come: 1. Passwords are significantly less expensive to deploy and support than other technologies. 2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN. 
i.e., “something you have” (smart card, token) or “something you are” (biometric) plus “something you know” (password, PIN). 3. Passwords are an important backup to other authentication technologies: (a) Hardware devices can be lost or stolen or simply left at home. (b) Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods. Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users more effectively manage their passwords. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
  • 6. Large Scale Password Management With Hitachi ID Password Manager 3 Technical Challenges: Hard-To-Support Passwords Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straight- forward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI. 3.1 Locked Out Users Users often forget their initial network login password or inadvertently trigger an intruder lockout. These users should be able to get assistance, reset their network or local password, clear intruder lockouts and get back to work. Since these users have a problem with their workstation login, they cannot access a conventional web browser or client/server application with which to resolve their problem. The problem these users face is how to get to a user interface, so that they can fix their login problem and subsequently access their own workstation desktop. This problem is especially acute for mobile users, who use cached domain passwords to sign into their workstation and who may not be attached to the corporate network when they experience a forgotten password problem. 3.2 Cached Credentials Windows workstations cache user passwords – typically the primary password a user types at the login screen, which was authenticated against Active Directory. This is done for two reasons: 1. To enable users to log into their workstation while detached from the network (example: traveling laptop). 2. To automatically sign the user into resources, such as shared file and print services, without having to ask the user to retype his password. When a user changes his password using the network client software on the workstation (e.g,. ctrl-alt-del method), the network client automatically updates its cached password. 
On the other hand, if a user is logged into his workstation and simultaneously his password is reset else- where on the network – for example by the help desk or by the user himself on a second concurrently logged in workstation, then the cached password on the workstation will not change – it will simply be wrong. Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g., remote), the new password will not be copied to the workstation until it is re-attached to the network. An invalid, cached password causes several problems: 1. If the user’s PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
  • 7. Large Scale Password Management With Hitachi ID Password Manager 2. If the user’s PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user’s “number of invalid login attempts” counter. Repeated con- nection attempts will trigger an intruder lockout. 3.3 Replication Delays Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user’s lockout on a domain controller near the help desk. This lockout may take a long time (hours) to reach the domain controllers against which the user wishes to authenticate or which service network resources that the user wishes to access. This problem is especially acute in global organizations, with hundreds of domain controllers that employ a global IT support function. Note that AD password change replication is described here: http://technet.microsoft.com/en-us/library/cc772726.aspx 3.4 Forgotten Passwords for Full Disk Encryption Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user’s primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, the user will be unable to start their operat- ing system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk. 
3.5 Mobile, Disconnected Users Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible: 1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, the PC can re-authenticate to the AD domain and cache the user’s newly reset password. 2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate login ID, which is defined on the user’s PC (not a domain account), whose security will henceforth be compromised. 3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
  • 8. Large Scale Password Management With Hitachi ID Password Manager While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users. 3.6 Managing PKI Passwords Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted e-mail and (with smart cards) perform multi- factor authentication, even while disconnected from the corporate network. Certificate files are typically encrypted and decrypted using a user’s personal password or smart card PIN. In other words, users have a “PKI password,” which is not necessarily stored on any server. Rather, this password is used to unlock the user’s personal certificate file. This is true of both standards-based PKI, using x.509 certificates and proprietary PKI, using Lotus Notes ID files. “PKI passwords,” including Lotus Notes ID file passwords, are difficult for IT organizations to support be- cause they cannot be administratively reset: 1. The PKI certificate may exist in multiple locations – more or more PCs, network home directories, USB flash drives, smart cards, etc. 2. Some of these locations may be inaccessible to a password management server on the network. 3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted, with the new password. In other words, there is no notion of an administrative password reset, which does not rely on knowledge of the current password. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
4 Password Manager Features

Hitachi ID Password Manager is designed to reduce the cost and improve the security of password systems:

4.1 Password Synchronization

Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:

• Users with synchronized passwords tend to remember their passwords.
• Simpler password management means that users make significantly fewer password-related calls to the help desk.
• Users with just one or two passwords are much less likely to write down their passwords.

There are two ways to implement password synchronization:

• Transparent password synchronization, where native password changes that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications.
• Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords.

One of the core features of Hitachi ID Password Manager is password synchronization. Password Manager implements both transparent and web-based password synchronization.

4.2 Self-service Password Reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.

Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user's web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.
Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.

One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.

4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks

Hitachi ID Password Manager includes key features to assist mobile users:

1. E-mail notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
2. Support for resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.

4.4 Assisted Password Reset

Hitachi ID Password Manager includes an assisted password reset web portal, which allows IT support staff to help callers without having direct administrative access to target systems:

• Support staff sign into Password Manager with a web browser.
• Support staff can be authenticated using IDs and passwords internal to Password Manager or use pass-through authentication to an existing system. For example, support staff may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each support technician in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.
• From the Password Manager web interface, support staff can search for the caller's profile by login ID or full name.
• Support staff can be required to authenticate the caller, for example by keying answers to some of the user's personal questions, which Password Manager can validate against its own back-end database or an external database, directory or web service. Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.
• Once both the support technician and caller have been authenticated, support staff can reset the caller's password, lock or unlock the caller's access to Password Manager or update the caller's profile. Assisted password resets may be configured to also expire the new password, requiring the user to change it on the next login.
• All transactions (IT support login, user profile lookup, successful or failed password reset and more) may trigger e-mails to the user, to the support technician or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.
• Since only a single, simple web interface is used, an assisted password reset is normally completed in 1–2 minutes.
• The right of one user to reset another user's password may be global (e.g., global IT support team) or based on the requester/recipient relationship (e.g., departmental or regional IT support can only assist in-scope users). Moreover, which passwords a given user can reset can be controlled by policy.
• At no point in the process does an IT support technician require administrative access to the systems where passwords are being reset. Instead, Password Manager uses its own credentials to sign into target systems, and these are encrypted in an internal Password Manager database.

Assisted password reset reduces the cost of password support calls and ensures that such calls are handled in a consistent, secure fashion.

4.5 Password Policy Enforcement

Hitachi ID Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the clearest and most understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that will not meet this global password policy.

For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long.
Alternately, Password Manager can support longer passwords, but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation.)

In general, systems enforce one of two types of password rules:

• Complexity requirements ensure that users do not select easily-guessed passwords. Example rules are: disallowing any permutation of the user's login ID, password history, requiring mixed letters and digits, forbidding dictionary words, etc.
• Representational constraints limit what can be physically stored in a password field on a given system. Usually there are just two such rules: maximum length and allowable character set.

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints. This forces users to select strong, secure passwords on every system.

The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.

4.6 Password Expiration / Aging Enforcement

To enforce password expiration and to get users to trigger web-based password synchronization, Hitachi ID Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows, AD, LDAP, etc.) or based on the last time a user changed his passwords using Password Manager, and to remind users to change their passwords using the Password Manager web UI.

Password expiration is normally configured so that users change their passwords with the Password Manager web portal on a shorter expiry interval than the native password expiry on any system. This way, Password Manager prompts users to change passwords before any other system does, and users are never prompted to change expired passwords by other systems or applications.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternately, a small client program can be triggered at user login time, which checks whether the user currently logging in is on the list of "soon to expire" users and, if so, opens the user's default web browser to a URL that asks the user to change his passwords. The same small program can be used to make the password change mandatory, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser and access their desktop.

4.7 Preventing Password Reuse

In Hitachi ID Password Manager, password history is "infinite" by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than the number of intervening password changes. Password history is stored as a one-way, non-reversible hash (SHA-1 plus 64-bit random salt).
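The policy-merging rule of section 4.5 (strongest complexity rule from each system, most restrictive representational constraint) and the time-based reuse check of section 4.7 both decide whether a new password may be accepted and propagated. The following is an added example, not Hitachi ID code, that puts both checks in one place. The system names, their rules, the login ID and the sample passwords are constructed; the history hash follows the page's stated construction (SHA-1 with a 64-bit random salt per entry), which a new design today would replace with an iterated or memory-hard hash, but the reuse logic is the same either way.

```python
"""Added example (not Hitachi ID code): merge per-system password rules into a
global policy and keep a salted-hash history with a time-based reuse rule.
All systems, rules, login IDs and passwords below are constructed samples."""
import hashlib
import os
import re
import string
import time
from dataclasses import dataclass, field


@dataclass
class SystemRules:
    """Rules as one target system enforces them."""
    name: str
    max_length: int                       # representational constraint
    charset: str                          # representational constraint
    min_length: int = 1                   # complexity requirement
    require_mixed_alpha_digit: bool = False
    forbid_login_id_substring: bool = False


@dataclass
class GlobalPolicy:
    min_length: int
    max_length: int
    charset: set
    require_mixed_alpha_digit: bool
    forbid_login_id_substring: bool


def merge_policies(systems):
    """Strongest complexity rule from any system; most restrictive
    representational constraint (shortest maximum, intersected character set)."""
    charset = set(systems[0].charset)
    for s in systems[1:]:
        charset &= set(s.charset)
    return GlobalPolicy(
        min_length=max(s.min_length for s in systems),
        max_length=min(s.max_length for s in systems),
        charset=charset,
        require_mixed_alpha_digit=any(s.require_mixed_alpha_digit for s in systems),
        forbid_login_id_substring=any(s.forbid_login_id_substring for s in systems),
    )


def check_policy(policy, login_id, password):
    """Return the list of violations; an empty list means the password is
    acceptable on every integrated system."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append("length must be %d-%d" % (policy.min_length, policy.max_length))
    if set(password) - policy.charset:
        problems.append("contains characters not accepted by every system")
    if policy.require_mixed_alpha_digit and not (
            re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must mix letters and digits")
    if policy.forbid_login_id_substring and login_id.lower() in password.lower():
        problems.append("must not contain the login ID")
    return problems


@dataclass
class PasswordHistory:
    """Entries of (64-bit salt, SHA-1(salt || password), time set).
    reuse_after=None means infinite history (the page's default)."""
    reuse_after: float = None             # seconds after which reuse is allowed
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha1(salt + password.encode("utf-8")).digest()

    def add(self, password, now=None):
        salt = os.urandom(8)              # fresh 64-bit random salt per entry
        self.entries.append((salt, self._digest(salt, password), now or time.time()))

    def is_reused(self, password, now=None):
        """True when the password matches a history entry that is still inside
        the reuse interval (or any entry at all when history is infinite)."""
        now = now or time.time()
        for salt, digest, set_at in self.entries:
            if digest == self._digest(salt, password):
                return self.reuse_after is None or (now - set_at) < self.reuse_after
        return False


def accept_new_password(policy, history, login_id, password, now=None):
    """The combined gate a web-based synchronization runs before propagating."""
    problems = check_policy(policy, login_id, password)
    if history.is_reused(password, now):
        problems.append("password was used previously")
    return problems


# Constructed sample: a long-password AD domain and an 8-character mainframe.
AD = SystemRules("AD", 127, string.ascii_letters + string.digits + string.punctuation,
                 min_length=8, require_mixed_alpha_digit=True, forbid_login_id_substring=True)
ZOS = SystemRules("z/OS", 8, string.ascii_letters + string.digits + "@#$", min_length=6)
GLOBAL = merge_policies([AD, ZOS])        # exactly 8 characters, letters/digits/@#$ only
```

With these two sample systems the merged policy lands on exactly 8 characters, which is the outcome the section describes for the AD plus z/OS case; a password that passes on AD alone but carries a character z/OS cannot store is rejected before anything is propagated.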
5 Solution Architecture

Hitachi ID Password Manager is designed for:

• Security: Password Manager is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
• Scalability: Multiple Password Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.
• Performance: Password Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Password Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.
• Openness: Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
• Flexibility: Both the Password Manager user interface and all functionality can be customized to meet enterprise requirements.
• Low TCO: Password Manager is easy to set up and requires minimal ongoing administration.

Figure 1 illustrates the Password Manager network architecture:

• Users normally access Password Manager using HTTPS from a web browser.
• Multiple Password Manager servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
• Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
• Password Manager connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.
• Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these agents improves transaction security, speed and concurrency.

[Figure 1: Network architecture diagram. Labels recovered from the figure: User; Password Synch Trigger Systems; Load Balancer; Reverse Web Proxy; Firewall; Local Network; Hitachi ID Application Server(s); SQL/Oracle SQL DB; IVR Server; System of Record; SMTP or Notes Mail; Incident Management System; Web Services; VPN Server; Remote Data Center; Proxy Server (if needed); Target Systems with local agent: OS/390, Unix, older RSA; Target Systems with remote agent: AD, SQL, SAP, Notes, etc.; Cloud-hosted, SaaS apps. Flows labelled HTTPS, TCP/IP + AES, Secure Native Protocol, Various Protocols, Emails, Tickets, Lookup & Trigger, Validate PW and Native password change (AD, Unix, OS/390, LDAP, AS400).]

• A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote API).
• Where target systems are remote and communication with them is slow, insecure or both, a Password Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Password Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.
• Password Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
• Password Manager can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 189 events can trigger e-mail notification.
• Password Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 17 help desk applications and open integration is possible using mail, ODBC, SQL and web services.
6 Self-Service: Access and Authentication

6.1 Access For Locked Out Users

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, yet they need a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

Option 1. Do nothing: users continue to call the help desk.
Pros:
• Inexpensive, nothing to deploy.
Cons:
• The help desk continues to field a high password reset call volume.
• No solution for local passwords or mobile users.

Option 2. Ask a neighbor: use someone else's web browser to access self-service password reset.
Pros:
• Inexpensive, no client software to deploy.
Cons:
• Users may be working alone or at odd hours.
• No solution for local passwords or mobile users.
• Wastes time for two users, rather than one.
• May violate a security policy in some organizations.

Option 3. Secure kiosk account (SKA): sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.
Pros:
• Simple, inexpensive deployment, with no client software component.
• Users can reset both local and network passwords.
Cons:
• Introduces a "generic" account on the network, which may violate policy, no matter how well it is locked down.
• One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset.
• Does not help mobile users.

Option 4. Personalized SKA: same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's "help" account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
Pros:
• Eliminates the "guest" account on the domain, which does not have a password.
Cons:
• Requires creation of thousands of additional domain accounts.
• Requires ongoing creation and deletion of domain accounts.
• These new accounts are special: their passwords do not expire and would likely not meet strength rules.

Option 5. Local SKA: same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.
Pros:
• Eliminates the "guest" account on the domain.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
Cons:
• Requires a small footprint on each computer (the local "help" account).

Option 6. Telephone password reset: users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.
Pros:
• Simple deployment of centralized infrastructure.
• No client software impact.
• May leverage an existing IVR system.
• Helpful for remote users who need assistance connecting to the corporate VPN.
Cons:
• New physical infrastructure is usually required.
• Users generally don't like to "talk to a machine," so adoption rates are lower than with a web portal.
• Does not help mobile users who forgot their cached domain password.
• Does not help unlock PINs on smart cards.

Option 8. Physical kiosks: deploy physical Intranet kiosks at each office location.
Pros:
• Eliminates generic or guest accounts.
• May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
Cons:
• Costly to deploy: hardware at many locations.
• Does not help mobile users who forgot their cached domain password.
• Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9. GINA DLL (Windows XP): install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• Works on Windows Terminal Server and Citrix Presentation Manager.
Cons:
• Requires intrusive software to be installed on every computer.
• Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick the PC").

Option 10. GINA Extension Service: similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• More robust, fault-tolerant installation process than the GINA DLL.
Cons:
• Requires software to be installed on every computer.
• Does not work on Citrix Presentation Server or Windows Terminal Server; only works on personal computers.

Option 11. Credential Provider: the equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• Works on Windows Terminal Server and Citrix Presentation Manager.
• More robust infrastructure than GINA DLLs on Windows XP.
Cons:
• Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

6.2 Authenticating Users Without Passwords

Users may authenticate into Hitachi ID Password Manager as follows:
• On the web portal:
  – By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF, etc.).
  – By answering security questions.
  – Using a security token (e.g., SecurID pass-code).
  – Using a smart card with PKI certificate.
  – Using Windows-integrated authentication.
  – Using a SAML assertion issued by another server.
  – By typing a PIN that was sent to their mobile phone via SMS.
  – Using a combination of these mechanisms.
• Using a telephone, calling an automated IVR system:
  – By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
  – By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).
• Using a telephone, calling an IT support technician:
  – By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

6.3 Authentication Chains

Hitachi ID Password Manager includes a mechanism for authenticating users called authentication chains. This mechanism works by defining sequences of steps that can be used to authenticate a user and defining how the authentication process proceeds from one step to the next.

Authentication chains allow Password Manager to:

1. Offer a user multiple authentication mechanisms. For example, type a password, answer security questions, use a token, etc.
2. Combine authentication mechanisms. For example, a user may be asked to type a password and answer a subset of the security questions in his profile.
3. Select an authentication mechanism based on context. For example, require a user with elevated privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user connected to the corporate network.

Authentication chains allow Password Manager to implement flexible login processes. For example, mobile phones can be used as an authentication factor:

1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile phone number.
2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within a short time window. This establishes that the user is in possession of his phone.
3. A second authentication step is to ask the user to answer a few security questions, which supports the user's claimed identity through something he knows.
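The three properties of authentication chains listed in section 6.3 (several alternative mechanisms, combined mechanisms, and selection by context) plus the SMS PIN flow just described can be expressed as a small chain engine. The block below is an added example, not Hitachi ID code: the step types, the chain definitions, the user "jsmith" with her password, security questions and phone number, and the `send_sms` delivery hook are all constructed for illustration. The SMS step enforces the short validity window and consumes the PIN on first use, so a captured or replayed PIN is no help once the window closes or a verification has been attempted.

```python
"""Added example (not Hitachi ID code): an authentication-chain engine with
password, security-question and time-limited SMS PIN steps, where the chain a
user must satisfy depends on context. All enrollment data is constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Context:
    """What is known about the session before authentication starts."""
    login_id: str
    privileged: bool = False
    via_vpn: bool = False


def _eq(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(str(a).encode("utf-8"), str(b).encode("utf-8"))


class PasswordStep:
    """Something you know: the current password on a trusted system (an
    in-memory table stands in for AD/LDAP in this constructed sample)."""
    def __init__(self, passwords):
        self.passwords = passwords            # login_id -> password

    def verify(self, login_id, answer, now=None):
        return _eq(self.passwords.get(login_id, ""), answer)


class QuestionsStep:
    """Something you know: a subset of the enrolled security questions. At
    least `required` must be answered and every answer given must match."""
    def __init__(self, profiles, required=2):
        self.profiles = profiles              # login_id -> {question: answer}
        self.required = required

    def verify(self, login_id, answer, now=None):
        enrolled = self.profiles.get(login_id, {})
        if not isinstance(answer, dict) or len(answer) < self.required:
            return False
        return all(q in enrolled and _eq(enrolled[q].strip().lower(), a.strip().lower())
                   for q, a in answer.items())


class SmsPinStep:
    """Something you have: a random PIN sent to the enrolled mobile number,
    valid for `ttl` seconds and for a single verification attempt."""
    def __init__(self, phone_book, send_sms, ttl=300.0):
        self.phone_book = phone_book          # login_id -> number (enrollment step 1)
        self.send_sms = send_sms              # delivery hook; a stub in the sample
        self.ttl = ttl
        self.outstanding = {}                 # login_id -> (pin, issued_at)

    def issue(self, login_id, now=None):
        now = time.time() if now is None else now
        pin = "%06d" % secrets.randbelow(1_000_000)
        self.outstanding[login_id] = (pin, now)
        self.send_sms(self.phone_book[login_id], pin)
        return pin                            # returned only so the sample can feed it back

    def verify(self, login_id, answer, now=None):
        now = time.time() if now is None else now
        pin, issued = self.outstanding.pop(login_id, (None, 0.0))  # consumed on first try
        if pin is None or now - issued > self.ttl:
            return False
        return _eq(pin, answer)


# Each entry lists alternative chains; a chain is an ordered list of step names.
CHAINS = {
    # Ordinary users may choose any one of these alternatives (point 1).
    "standard": [["password"], ["questions"], ["sms", "questions"]],
    # Elevated or VPN-attached users must satisfy one combined chain (points 2 and 3).
    "strong": [["password", "sms", "questions"]],
}


def select_chains(ctx):
    return CHAINS["strong"] if (ctx.privileged or ctx.via_vpn) else CHAINS["standard"]


class Authenticator:
    def __init__(self, steps):
        self.steps = steps                    # step name -> step object

    def authenticate(self, ctx, provided, now=None):
        """`provided` maps step name -> the user's answer. Returns the chain that
        was satisfied, or None. A chain stops at its first missing or failed step."""
        for chain in select_chains(ctx):
            if all(name in provided and self.steps[name].verify(ctx.login_id, provided[name], now)
                   for name in chain):
                return chain
        return None


def build_sample(send_sms):
    """Constructed enrollment data for one user; returns (authenticator, sms_step)."""
    sms = SmsPinStep({"jsmith": "+1-555-0100"}, send_sms)      # constructed number
    auth = Authenticator({
        "password": PasswordStep({"jsmith": "Ab3dEf7h"}),
        "questions": QuestionsStep({"jsmith": {"city of birth": "Calgary",
                                               "first car": "Civic",
                                               "pet": "Rex"}}),
        "sms": sms,
    })
    return auth, sms
```

Because the step objects share one `verify(login_id, answer, now)` shape, adding a token or smart-card step means writing one more class and naming it in a chain; the engine itself does not change.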
7 User Enrollment: Maximizing Adoption

In many organizations, deployment of a password management system requires a user enrollment process. Users may have to provide personal data such as answers to authentication questions (which can subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples, likewise used for non-password authentication in the event of a future password problem. Finally, users may simply be asked to review and agree to some corporate policy, for example regarding password sharing or writing down their password.

If enrollment is required, it is helpful for the password management system to automate the process by identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated enrollment user interface, etc.

Hitachi ID Password Manager includes built-in infrastructure to securely and automatically manage the user enrollment process:

• By monitoring one or more systems of record, Password Manager automatically creates new and removes old profile IDs.
• New users and existing users with incomplete profiles are automatically invited to complete their profiles (e.g., by answering security questions).
• Invitations to enroll may be e-mailed to users.
• Users may be more forcefully reminded to enroll by having a web browser automatically open to the enrollment page when they log into the network.
• Users may be forced to enroll, by opening a kiosk-mode web browser to the enrollment page when they sign into the network and blocking access to the Windows desktop until users complete their profile. This process is typically controlled by placing users into a "mandatory enrollment" AD group and attaching a suitable GPO to that group.
• To enroll, users must first authenticate. This is normally done by leveraging an existing strong authenticator, such as a network password or a token.
• A single, integrated enrollment system supports collecting answers to security questions, mapping different login IDs on different systems back to their owners and collecting biometric voice print samples.

The enrollment system in Password Manager includes schedule controls. For example, the maximum number of invitations to send daily can be limited, as can the frequency of invitations per user. Days of the week during which to send invitations are identified, as are holidays during which no invitations should be sent.
8 Telephony Integration

A popular option for extending password reset services to locked out users is to extend this service over a telephone, using an interactive voice response (IVR) system. Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or voice print verification is supported.

Existing IVR systems can be extended using a Hitachi ID Password Manager remote API or Hitachi ID Telephone Password Manager, a turn-key IVR system specifically designed for password resets.

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone with:

• User identification: Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an employee number, or a letters-to-digits mapping of an alphanumeric ID, such as the user's network login ID.
• User authentication: Once identified, users must be authenticated. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security questions on the touch-tone keypad of their phone (e.g., driver's license number, SSN, date of birth, etc.) or using an optional biometric voice verification module.
• Password reset: Once authenticated, users can initiate a password reset. This may be for one or all of their passwords, and the new password may either be randomly generated and read out to the user or user-specified. New passwords may be set to expire after first use.
• PIN reset: Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.
• Disk unlock: Users with a full disk encryption program protecting their computer can use Telephone Password Manager to automate the key recovery process in the event that they forgot the password that unlocks their computer.
• Text to speech: Telephone Password Manager is normally configured to play .WAV audio files as prompts for user input. It also includes a text to speech mechanism that makes it easier to develop new navigation menus and defer new voice recordings.
• Speech to text: While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.
• PBX integration: Telephone Password Manager can be directly integrated into an existing PBX system, by installing the appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager server.
• VoIP integration: Telephone Password Manager can also be connected to a voice-over-IP network and configured to accept VoIP calls.

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.
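The "letters-to-digits mapping of an alphanumeric ID" used for caller identification above is many-to-one: several login IDs can key to the same digit string, so an IVR deployment needs to detect such collisions and fall back to a numeric identifier (employee number) for the affected users. The block below is an added example, not Hitachi ID or Telephone Password Manager code; the keypad layout is the standard ITU E.161 letter assignment, and the directory of login IDs is constructed.

```python
"""Added example (not Hitachi ID code): map login IDs to touch-tone digits
the way a caller would key them, index a directory by those digits and
detect the IDs that become ambiguous. The login IDs are constructed samples."""

# Standard telephone keypad letter assignment (ITU E.161).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def to_keypad_digits(login_id):
    """Digits the caller would key for this ID. Digits pass through, letters map
    via the keypad, and characters with no key (., -, _) are skipped. Returns
    None when nothing in the ID can be keyed at all."""
    out = []
    for ch in login_id.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
    return "".join(out) or None


def build_index(login_ids):
    """digits -> list of login IDs that key to those digits."""
    index = {}
    for login_id in login_ids:
        digits = to_keypad_digits(login_id)
        if digits:
            index.setdefault(digits, []).append(login_id)
    return index


def find_collisions(index):
    """Digit strings shared by more than one login ID; these users cannot be
    identified by login ID alone and need a numeric identifier instead."""
    return {digits: ids for digits, ids in index.items() if len(ids) > 1}


def identify_caller(index, keyed_digits):
    """Unique login ID for the keyed digits, or None when there is no match or
    the match is ambiguous (the IVR should then ask for an employee number)."""
    matches = index.get(keyed_digits, [])
    return matches[0] if len(matches) == 1 else None


# Constructed directory: "ajones" and "cjones" key identically because A and C
# share the 2 key.
SAMPLE_IDS = ["ajones", "cjones", "jsmith", "mlee", "ann.lee"]
```

Running `find_collisions(build_index(SAMPLE_IDS))` over a real directory before go-live tells you how many users must be told to key their employee number rather than their login ID.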
9 Managing PKI Certificate Passwords

PKI standards generally relate to certificate format and use, not to the administration of certificates: issuance, delivery to users, installation on PCs and smart cards, and revocation. Unfortunately, a major cost of PKI is exactly these processes of managing certificates.

Hitachi ID Password Manager includes a significant and mature infrastructure for managing PKI certificates (provisioning them, managing their passwords and other attributes, delivering them to users and revoking them). Of necessity, this infrastructure combines a general facility, related to business process and certificate storage, with a set of platform-specific bindings for individual PKI/certificate authority products.

Currently, Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely deployed (though not necessarily standards-based) PKI infrastructure today. Lotus Notes actually uses two separate passwords for each user:

• HTTPPassword hashes, stored on a Notes / Domino server. These are a straightforward password hash in a field in an .NSF file on the server. Password Manager can be configured to verify, change and reset these passwords directly.
• Passwords used to encrypt ID files, typically stored on user workstations. These cannot be administratively reset.

1. Password Manager includes technology to help organizations both build out and maintain a repository of every user's ID file, along with a recoverably encrypted password for that ID file.
2. Password Manager simulates password resets on ID files by retrieving an ID file from the repository, opening it with a password from the repository, changing the password to a new value and delivering the new ID file to the user.
3. Both collection of ID files from users, to maintain the repository, and delivery of updated ID files back to users support multiple mechanisms, including file synchronization with a shared staging directory (no client software required) and a Notes Extension DLL installed on user workstations (immediate and silent delivery and collection).

Password Manager is the only product to automate not only ID file password resets, but also construction and maintenance of the ID file repository.

Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for integrations is therefore limited.
10 Support for Mobile, Disconnected Users

Hitachi ID Password Manager offers a unique set of technologies, collectively referred to as "Self-Service, Anywhere." Using these technologies, users can resolve problems with their passwords, smart cards, tokens or full disk encryption software both at the office and while mobile, from any endpoint device.

Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-critical scenarios:

Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.

Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change passwords using a web browser. An ActiveX control refreshes the password on their laptop.

Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support cost.

Reset forgotten, cached password while away from the office

Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need to use it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users' problem until they return to the office. User laptops are rendered inoperable until they return to the office.

Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an air-card. Users locked out of their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the user's laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through a self-service password reset process and Password Manager uses an ActiveX component to reset the locally cached password to the same new value as was set on the network back at the office.

Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.

Unlock encrypted hard disk

Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.

Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.

Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process since the new PIN has to be physically installed on the user's smart card. This means that IT support may trigger a physical visit to the help desk.

Solution: Password Manager allows users to access a self-service web portal from anywhere, including from the locked-out login screen of their laptop, even away from the office (even using WiFi, as described earlier). Once a user signs into the self-service portal, Password Manager can download an ActiveX component to the user's web browser to communicate with the smart card and reset the forgotten PIN. Password Manager can also be used to assign a user a temporary login password (often a very long and random one) to be used in the event that a user left his smart card at home.

Business impact: While forgotten PINs are infrequent – PINs are not usually set to expire – when they do happen, they are extremely disruptive. Assigning temporary passwords is just as important for users who left their smart card at home, which happens quite often.
11 Overcoming Active Directory Replication Delays

Please refer to Subsection 3.3 on Page 4 for an overview of the intruder lockout replication problem in Active Directory.

Hitachi ID Password Manager uniquely circumvents the problem of slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, which the user is most likely to access:

• DCs on the user's home site, based on the user's home directory UNC and the IP address of the server that hosts this UNC.
• DCs on the user's current site, based on the user's web browser IP address (this only applies to self-service password reset).
• DCs mapped to either of these sites by an administrator-configured rule set, for example at global or regional data centers.
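The site-selection logic above can be made concrete: resolve the server behind the home directory UNC, map that address and the browser address to AD sites by longest-prefix subnet match, expand through the administrator rule set, and collect the DCs of every site reached. This added example is not Hitachi ID code; the subnet-to-site table, DC lists, rule set and the DNS stand-in are all constructed, and in production the first three would be read from AD Sites and Services.

```python
import ipaddress

# Constructed site topology (in production this comes from AD Sites and
# Services): subnet objects mapped to site names, DCs per site, and an
# administrator rule set naming extra sites (e.g. regional data centers).
SUBNETS = {"10.1.0.0/16": "London", "10.1.50.0/24": "London-Lab",
           "10.2.0.0/16": "Calgary", "10.9.0.0/16": "EU-Datacenter"}
SITE_DCS = {"London": ["dc-lon-01", "dc-lon-02"], "London-Lab": ["dc-lab-01"],
            "Calgary": ["dc-yyc-01"], "EU-Datacenter": ["dc-eu-01", "dc-eu-02"]}
SITE_RULES = {"London": ["EU-Datacenter"], "London-Lab": ["EU-Datacenter"]}
# Constructed stand-in for DNS: the file servers hosting home directories.
DNS = {"fs-lon-01": "10.1.50.20", "fs-yyc-01": "10.2.3.4"}


def unc_host(unc: str) -> str:
    r"""Server name from a UNC home directory like \\fs-lon-01\users\jsmith."""
    if not unc.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % unc)
    return unc[2:].split("\\", 1)[0].lower()


def site_for_ip(ip: str):
    """Longest-prefix match of an address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def target_dcs(home_unc: str, browser_ip: str = None) -> list:
    """DCs that should receive the reset or cleared lockout directly.
    The home site is derived from the server behind the user's home
    directory UNC, the current site from the browser address (self-service
    only); both are expanded through SITE_RULES. Unknown hosts and
    addresses are skipped rather than guessed."""
    sites = []

    def add(site):
        if site and site not in sites:
            sites.append(site)

    host = unc_host(home_unc)
    if host in DNS:
        add(site_for_ip(DNS[host]))
    if browser_ip:
        add(site_for_ip(browser_ip))
    for site in list(sites):
        for extra in SITE_RULES.get(site, []):
            add(extra)
    dcs = []
    for site in sites:
        for dc in SITE_DCS.get(site, []):
            if dc not in dcs:
                dcs.append(dc)
    return dcs
```

A user whose home directory is on a London lab server and who resets from a Calgary hotel address gets the lab DC, the Calgary DC and both EU data-center DCs, so the next logon from either location sees the change without waiting for replication.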
12 Built-in Single Sign-on Technology

Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or password are the same ones users type to sign into Windows on their PC.

Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC – such as a smart phone or tablet – for which a single sign-on client may not be available.

Login Manager does not require scripting or a credential vault, so it has a much lower total cost of ownership (TCO) than alternative single sign-on tools.

Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process. Login Manager works as follows:

• When users sign into their workstations, Login Manager acquires their network login ID and password from the Windows login process.
• Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user's Active Directory profile.
• Login Manager monitors the Windows desktop for newly launched applications:
  – It detects when the user types one of his known login IDs or his Windows password into an application dialog box, HTML form or mainframe terminal session. When this happens, the location of the matching input fields is stored in a local configuration file.
  – Whenever Login Manager detects an application displaying a previously configured login screen, it automatically fills in the appropriate login ID and/or the current Windows password.

The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:

• Interfering with user access to applications from devices not equipped with the SSO software, such as their smart phones.
• Having to deploy a secure location in which to store application credentials.
• Writing scripts.

Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory.

The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:

• There is no global directory or database with user credentials:
  – There is no target for a would-be attacker.
  – There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications.
  – There is no need to enroll users by having them provide their passwords.
• There are no manually written scripts:
  – No manual configuration is required.
  – No infrastructure is required to distribute script files to PCs.
• Continued access to applications:
  – Users sometimes need to sign into applications from devices other than their work PC.
  – Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software.
  – In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc.

These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.
13 Return on Investment

Deploying Hitachi ID Password Manager saves money for three groups of people in an organization:

• Users: Password synchronization reduces the incidence of password problems. In most organizations, over 80% of problems are eliminated. Accordingly, users waste less time making unsuccessful attempts to log into systems.
• Support staff: Both password synchronization and self-service password resets eliminate calls to the help desk. Together, they normally reduce password-related call volume by over 90%. Once calls reach the help desk, they are resolved much more quickly, using a single tool that integrates caller authentication, multiple password resets and creation of problem tickets. Using a web browser, support staff can resolve password calls in 1-2 minutes.
• System administrators: Without Password Manager, most support organizations escalate some password calls to system administrators. This is done when the support organization does not have training or security clearance to reset passwords on the systems in question. Password Manager eliminates password problem escalation.

Example savings calculation

The following example illustrates how Password Manager reduces the cost of password management:

• 10000 users experience 3000 password problems per month. Users spend 10 minutes with a password problem before calling for help.
• The help desk takes 10 minutes to resolve password problems.
• 1/6 of calls are escalated from the help desk to system administrators.
• Password Manager eliminates 80% of password problems, and reduces problem resolution time to 2 minutes.

Monthly cost      Initial                                      Password Manager                           Savings
Users             3000 calls × 20 minutes × $40/hr = $40,000   600 calls × 12 minutes × $40/hr = $4,800   $35,200
Help desk         3000 calls × 10 minutes × $40/hr = $20,000   600 calls × 2 minutes × $40/hr = $800      $19,200
Administrators    500 calls × 5 minutes × $40/hr = $1,670      0                                          $1,670
Monthly total     $61,670                                      $5,600                                     $56,070

To estimate the cost savings in your organization, try our on-line calculator at: http://Hitachi-ID.com/Password-Manager/roi/
14 Platform Support

Hitachi ID Password Manager can manage passwords on most systems directly. It includes built-in support for the following systems:

Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.
Servers: Windows 2000–2012, Samba, NDS, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes: z/OS with RACF, ACF2 or Top Secret.
Midrange: iSeries (OS400), OpenVMS.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).
Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMWare vSphere.
Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

Password Manager includes a number of flexible connectors, each of which is used to script integration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Password Manager with custom and vertical market applications. The ability to quickly and inexpensively add integrations increases the value of the Password Manager system as a whole.

There are flexible connectors to script interaction with:

API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.
Terminal emulation: SSH; Telnet; TN3270, TN5250.
Web services: Simulated browser; SOAP; WebRPC; Pure HTTP(S).
Back end integration: SQL Injection; LDAP attributes.
Command-line: Windows; PowerShell; Unix/Linux.
Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service. If an organization develops their own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
15 Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment – this is a core design principle across all products in the Hitachi ID Management Suite. Rapid deployment is largely a feature of (a) including as many built-in features as possible and (b) making common use cases easier to configure.

Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals process and by enabling organizations to define categories of relationships, which then drive what one user can see of another, what changes one user can submit on behalf of another, who is invited to approve change requests and more.

Hitachi ID Password Manager minimizes deployment cost using built-in processes for enrollment of security questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes to control the pace of user invitations.

Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery and automated classification of systems and accounts to be managed. It also includes a robust, built-in process for authorizing one-time access requests.

All Hitachi ID Systems products include a rich set of over 110 connectors, built-in reports, a robust and translation-friendly web portal, e-mail and incident management system integration, multi-node database replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing project time and cost.

Password Manager is designed for rapid deployment:

• No client software required, even for access to self-service password reset from the workstation login prompt.
• Automated discovery of every login ID on every target system, nightly.
• Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.
• A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing Password Manager.
• Built-in connectors for every common system and application, eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.
• Remote connectors mean that Password Manager can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.
• Flexible connectors enable organizations to integrate Password Manager with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly – taking just 2 hours to 4 days per new target system.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/white/psynch/hipam-white-22.tex Date: 2011-05-15