7.4 Application Re-authentication

With SecureLogin, a user normally runs an application and SecureLogin seamlessly retrieves the user's application credentials. The credentials are authenticated in the background and the user is not prompted to enter a password. SecureLogin can also be configured to prompt the user (or a supervisor) for stronger authentication to all or specific applications. This application re-authentication is requested using SecureLogin's Application Definition AAVerify command.

The AAVerify command can enforce stronger application-based re-authentication such as biometrics, tokens, or smart cards when the native application cannot enforce strong verification. AAVerify works by requesting the preconfigured strong re-authentication method before SecureLogin will retrieve and enter the username and password for the application.

You can configure which applications require AAVerify (re-authentication) and which do not. The application itself is not changed and no additional modules are required on the application servers.

NOTE: SecureLogin 6.0 and above require SecureLogin Advanced Authentication 1.93.5 and above to utilize AAVerify.

For more information on AAVerify, see AAVerify in the Novell SecureLogin 6.0 SP1 Application Definition Guide.

7.4.1 Re-authenticating Individual Applications

SecureLogin 6.0 SP1 now allows you to set the re-authentication method for users' individual applications by using SecureLogin's Administrative Management utility (Application > Settings). Individual applications can be re-authenticated against an advanced authentication device, where SecureLogin is used in conjunction with SecureLogin Advanced Authentication or NMAS, without running a dedicated application definition.

Figure 7-8 Re-authentication of Individual Applications

7.4.2 Scripting for One-Time Passwords

The SecureLogin Application Definition GenerateOTP command has been enhanced to incorporate the one-time password soft token generation functionality that is embedded in ActivClient smart cards.

This one-time password functionality can only be used with ActivClient and smart cards that have been set up using a card management system to include a one-time password applet on the smart card.

Synchronous Mode

Synchronous authentication, or time-plus-event authentication, replaces static alphanumeric passwords with a pseudo-random code that is dynamically generated at configured time intervals, generally about 60 seconds. The code is based on a shared encryption key and the current time. In synchronous mode, the GenerateOTP command requires the administrator to pass a mode variable to the command.

Asynchronous Mode

Asynchronous authentication, or challenge/response authentication, replaces static alphanumeric passwords with a pseudo-random code that is dynamically generated based on a shared encryption key, the current time, and a challenge/response combination. In asynchronous mode, the challenge is passed to the GenerateOTP command as an argument.
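The following added illustration (not the GenerateOTP command itself, and not the algorithm of the ActivClient OTP applet) models what the two modes compute: a synchronous code from the shared key and the current time interval, and an asynchronous response that additionally binds a challenge. HMAC-SHA1 with RFC 4226-style truncation, the 60-second step, the drift window, the key and the timestamp are all constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60  # assumed time interval in seconds (the page says "generally about 60 seconds")


def _truncate(key: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 over the message, dynamically truncated to a numeric code (RFC 4226 style)."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def synchronous_otp(key: bytes, now: int, step: int = STEP) -> str:
    """Synchronous mode: code derived from the shared key and the current time interval."""
    return _truncate(key, struct.pack(">Q", now // step))


def asynchronous_otp(key: bytes, challenge: str, now: int, step: int = STEP) -> str:
    """Asynchronous mode: code derived from the shared key, the time interval and a challenge."""
    return _truncate(key, struct.pack(">Q", now // step) + challenge.encode())


def verify_synchronous(key: bytes, code: str, now: int, step: int = STEP, window: int = 1) -> bool:
    """Accept the current interval and +/- `window` neighbours to tolerate clock drift."""
    return any(
        hmac.compare_digest(synchronous_otp(key, now + d * step, step), code)
        for d in range(-window, window + 1)
    )


def verify_asynchronous(key: bytes, challenge: str, response: str, now: int,
                        step: int = STEP, window: int = 1) -> bool:
    """The response is only valid for the challenge it was issued for, within the drift window."""
    return any(
        hmac.compare_digest(asynchronous_otp(key, challenge, now + d * step, step), response)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = b"constructed-shared-key"   # constructed sample key, not a real token seed
    now = 1_700_000_000               # fixed constructed timestamp for a repeatable run
    print("sync code     :", synchronous_otp(key, now))
    print("async response:", asynchronous_otp(key, "483920", now))
```

A verifier that accepts a code outside its drift window, or an asynchronous response against a challenge other than the one it issued, has lost the property that makes the OTP stronger than a static password.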

For more information on OTP functionality, and for specific examples of Application Definitions incorporating the GenerateOTP command, see GenerateOTP in the Novell SecureLogin 6.0 SP1 Application Definition Guide.