8.4 Application Re-authentication with SLAA or NMAS

With SecureLogin, a user normally runs an application and SecureLogin seamlessly retrieves the user's stored application credentials and submits them in the background; the user is not prompted for a password. SecureLogin can also be configured to require stronger authentication from the user (or a supervisor) before it fills in the credentials for all or selected applications. This application re-authentication is requested with the AAVerify command in the SecureLogin application definition.

The AAVerify command can enforce stronger application-based re-authentication such as biometrics, tokens, or smart cards when the native application cannot enforce strong verification. AAVerify works by requesting the preconfigured strong re-authentication method before SecureLogin will retrieve and enter the username and password for the application.

You can configure which applications require AAVerify (re-authentication) and which do not. The application itself is not changed and no additional modules are required on the application servers.

NOTE: SecureLogin 6.0 and above require SecureLogin Advanced Authentication 1.93.5 and above to utilize AAVerify.

8.4.1 Re-authenticating Individual Applications

SecureLogin 6.0 and later allow you to set the re-authentication method for a user's individual applications in SecureLogin's Administrative Management utility, under Application > Settings. An individual application can then be re-authenticated against an advanced authentication device, with SecureLogin used in conjunction with SecureLogin Advanced Authentication or NMAS, without running a dedicated application definition.

8.4.2 Scripting for One-Time Passwords

The SecureLogin application definition GenerateOTP command has been enhanced to use the one-time password (soft token) generation functionality that is embedded in ActivClient smart cards.

This one-time password functionality can only be used with ActivClient and smart cards that have been set up using a card management system to include a one-time password applet on the smart card.

Synchronous Mode

Synchronous authentication, also called time-plus-event authentication, replaces static alphanumeric passwords with a pseudo-random code that is dynamically generated at configured time intervals, generally about 60 seconds. The code is derived from a shared encryption key and the current time, so the card and the verifying server must keep their clocks within the verifier's accepted time window. In synchronous mode, the administrator passes a mode variable to the GenerateOTP command.

Asynchronous Mode

Asynchronous authentication, also called challenge-response authentication, replaces static alphanumeric passwords with a pseudo-random code that is dynamically generated from a shared encryption key, the current time, and a challenge issued by the application; the response is the code computed for that specific challenge. In asynchronous mode the challenge is passed to the GenerateOTP command as an argument.
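The following Python model is an added example and is not SecureLogin, SLAA, NMAS or ActivClient code. It illustrates two things from this section: the two GenerateOTP modes (synchronous: key plus time step; asynchronous: key, time step and challenge), and the AAVerify-style gate from 8.4 in which the credential store is only read after the configured strong method succeeds. The page does not say which algorithm the ActivClient applet implements, so the OATH HMAC-SHA1 construction with RFC 4226 truncation, the 60-second step, the way the challenge is bound into the MAC, and the drift window are assumptions of this example; the key, application names, credential store and function names are constructed for the demonstration.

```python
"""Added example: OTP generation in both modes and a fail-closed
re-authentication gate in front of credential release. Illustration only,
not SecureLogin/ActivClient code; algorithm choice, step size and all
names/keys below are assumptions made for the demo."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # page: "generally about 60 seconds"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the low nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 OTP over an 8-byte big-endian counter (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def otp_sync(key: bytes, now: float, digits: int = 6) -> str:
    """Synchronous mode: the counter is the current time step."""
    return hotp(key, int(now // STEP_SECONDS), digits)


def otp_async(key: bytes, challenge: str, now: float, digits: int = 6) -> str:
    """Asynchronous mode: the MAC binds the time step and the challenge, so a
    code captured for one challenge does not verify against another."""
    msg = struct.pack(">Q", int(now // STEP_SECONDS)) + challenge.encode("ascii")
    return _truncate(hmac.new(key, msg, hashlib.sha1).digest(), digits)


def verify_sync(key: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` steps of clock
    drift; compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(otp_sync(key, now + d * STEP_SECONDS), code)
        for d in range(-window, window + 1)
    )


def verify_async(key: bytes, challenge: str, code: str, now: float,
                 window: int = 1) -> bool:
    """Server side for challenge-response, with the same drift window."""
    return any(
        hmac.compare_digest(otp_async(key, challenge, now + d * STEP_SECONDS), code)
        for d in range(-window, window + 1)
    )


class ReauthRequired(Exception):
    """Strong method did not succeed; nothing leaves the credential store."""


# Applications that require re-authentication: the equivalent of deciding
# which application definitions call AAVerify. Others get seamless SSO.
REAUTH_APPS = {"payroll.exe"}

# Constructed credential store standing in for SecureLogin's secure store.
CREDENTIALS = {
    "payroll.exe": ("alice", "payroll-pw"),
    "notepad.exe": ("alice", "notepad-pw"),
}


def release_credentials(app: str, verifier, store=CREDENTIALS,
                        reauth_apps=REAUTH_APPS):
    """Return (username, password) for `app`. `verifier` is a zero-argument
    callable standing in for the configured strong method (biometric, token,
    smart-card OTP). It runs before the store is touched, and an exception
    from it (reader unplugged, device error) counts as failure."""
    if app in reauth_apps:
        try:
            ok = bool(verifier())
        except Exception:
            ok = False
        if not ok:
            raise ReauthRequired(f"strong re-authentication failed for {app}")
    return store[app]


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test key, constructed for the demo
    now = 1_700_000_000
    challenge = "4711"
    code = otp_async(key, challenge, now)  # what the card would return
    creds = release_credentials(
        "payroll.exe", lambda: verify_async(key, challenge, code, now))
    print("released credentials for", creds[0])
```

The ordering is the point: the verifier runs, and must return true, before `store[app]` is read, so a failed or erroring strong method never exposes the password. The RFC 4226 test key used in the demo lets the synchronous codes be checked against the published vectors (counter 0 gives 755224, counter 1 gives 287082).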