Strong Authentication Methods

Transparent

Transparent Authentication

Transparent authenticators validate users without requiring day-to-day user involvement. Transparent authenticators include:

Digital Certificates
Entrust IdentityGuard can leverage existing X.509 digital certificates issued from Entrust's managed digital certificate service or a third-party to authenticate users. Certificates can be stored locally or on secure devices like smart cards and USB tokens. Organizations without an in-house PKI can obtain certificates via the Entrust Managed Services PKI.

IP-Geolocation
Authenticated users can register locations where they frequently access the corporate network. During subsequent authentications the Entrust IdentityGuard server compares current location data — country, region, city, ISP, latitude and longitude — to those previously registered. Organizations can step up authentication only when values don't match.

With IP-geolocation organizations can create blacklists of regions, countries or IPs based on fraud histories, or leverage the Entrust Open Fraud Intelligence Network (OFIN) to receive updated lists of known fraudulent IPs based on independent professional analysis.

Device Authentication
Authenticated users can register a computer or device that is frequently used to access the corporate network. A sophisticated encrypted profile of the registered computer is created and stored. During subsequent authentication, the Entrust IdentityGuard server creates a new profile and compares it against the stored value. Step-up authentication is required only when the values don't match.

IP-geolocation and machine authentication, deployed in combination, offer an effective and transparent authentication method for users.

Physical

Physical Form Factor Authenticators

Physical form factors are tangible devices that users carry and use when authenticating. Entrust offers a number of physical authentication devices to meet diverse corporate user requirements. Physical form factor authenticators include:

One-Time-Passcode Tokens
Entrust offers two versions of the popular one-time-passcode (OTP) token. Starting at just $5, the Entrust IdentityGuard Mini Token is OATH-compliant and generates a secure eight-digit passcode at the press of a button. The OATH-compliant Pocket Token offers additional features including PIN unlock prior to generating the passcode, in addition to a challenge-response mode.

DisplayCard
The Entrust DisplayCard provides the same functionality as the popular token in a credit card format. In addition to providing an OATH-compliant, one-time passcode, the Display Card includes a magnetic stripe and can optionally include a PKI or EMV chip for greater versatility.

Grid Authentication
The Entrust-patented grid card is a credit card-sized authenticator consisting of numbers and characters in a row-column format. Upon login, users are presented with a coordinate challenge and must respond with the information in the corresponding cells from the unique grid card they possess.

One-Time-Passcode List
End-users are provisioned with a list of randomly generated passcodes or transaction numbers (TANs) that are typically printed on a sheet of paper and distributed to end-users. Each passcode is used just once.

Non-Physical

Non-Physical Form Factor Authenticators

Non-physical form factor authentication provides methods of verifying user identities without requiring them to carry an additional physical device. Non-physical form factor authenticators include:

Knowledge-Based Authentication
Knowledge-based authentication challenges users to provide information an attacker is unlikely to possess. Questions presented to the user at the time of login are based on information (referred to as authentication secrets) that was supplied by the user at registration or based on previous transactions or relationships. Entrust IdentityGuard allows the administrator to determine the number and type of questions asked.

Out-of-Band Authentication
Out-of-band authentication leverages an independent and pre-existing means to communicate with the user to protect against attacks that have compromised the primary channel. Entrust IdentityGuard supports this capability by allowing for the generation of one-time confirmation numbers that can be transmitted along with a transaction summary to the user. This can be done directly via e-mail or SMS, or sent through voice to a registered phone number. Once the confirmation number has been received, it is simply entered by the user and the transaction is approved.

Entrust IdentityGuard Mobile
Whether for consumer, government or enterprise environments, Entrust IdentityGuard Mobile is the most convenient, easy-to-use strong authentication method available today. Leveraging standards-based, out-of-band techniques, and without requiring any specialized hardware, Entrust IdentityGuard Mobile is one of the only authentication solutions on the market today that addresses the MITB malware threat — effectively and without user inconvenience

SMS Soft Tokens
Similar to the platform's out-of-band authentication capabilities, Entrust IdentityGuard also includes SMS soft tokens, which enable the transmission of a configurable number of one-time passcodes (OTP) to a mobile device for use during authentication. Automatically replenished as needed, this dynamic soft-token approach delivers the strength of out-of-band authentication without the concern for constant network availability, delivery timing or software deployment to a mobile device.

eGrid
An alternative to hardware tokens, eGrid cards are sent to users via the Web or as a PDF, which can be easily stored on a machine or mobile device for convenient access and eliminating the need to carry a physical form factor.

Strong Username & Password
Entrust IdentityGuard typically provides a strong second factor of authentication to an organization's existing username and password infrastructure. The versatile authentication platform can provide strong username and password login for companies without an existing solution.

Mutual

Mutual Authentication

Your organization needs to have confidence in the user's identity. Likewise, users must be confident that they are transacting with their organization or intended online site; not a fraudulent organization or spoofed site. Mutual authentication provides methods for your organization to confirm your legitimacy to users. Entrust provides organizations with a range of options for mutually authenticating with their customers, including:

Image Replay
Upon registration, the user selects an image from an extensive image bank supplied with
Entrust IdentityGuard. During subsequent logins the image is presented to the user.

Message Replay
Upon registration, the user creates a message. During subsequent logins the message is presented to the user.

Grid Serial Number Replay
During login, the serial number of the user's unique grid card is presented to the user.

Grid Location Replay
During login, the user is presented with the values of a number of cells from their unique grid card.

Extended Validation (EV) SSL Certificates
Organization can deploy Extended Validation SSL certificates, which confirm the Web site's authenticity by displaying a green address bar — an obvious trust indicator for the end-user.