Single Sign-on includes two identity verification methods to help
ensure that the user is authorized to use Single Sign-on:
- Previous password
- Security questions
You can also choose to bypass identity verification by using the
automatic key management feature.
You can allow users to choose the identity verification method
(previous password or security questions) they prefer to use when
authenticating. This option is available as part of the Secondary Data Protection
property in the user configuration.
With this method, users verify their identities by typing their
previous primary password.
Caution: When previous password is the only method
available to your users, users who forget their previous primary password are
locked out of the system. Their user data must be deleted from the central
store and from all client devices on which it is stored, and they must reenter
their credentials for all of their applications.
When users change their primary passwords, you can confirm your
users’ identities by prompting them to answer security questions in the form of
a questionnaire you create. This questionnaire appears the first time your
users launch the plug-in software. Users answer the required number of security
questions and are prompted to reenter this information at specific password
The questions in your questionnaire should be of a nature that
ensures the person answering the question is the only person who knows or could
easily provide the answer. You can use the default questions Single Sign-on
provides or create your own.
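The following is an added, simplified model of the two verification methods described above; it is constructed for illustration and is not Single Sign-on's own code or key format. The credential-store key is escrowed twice (wrapped under the primary password and under the normalized security answers); a password change re-wraps the first copy only after one of the two secrets verifies, and a user who can supply neither is locked out.

```python
import hashlib
import hmac
import os

# Constructed illustrative model of secondary data protection. The wrap is a
# one-time XOR with a freshly derived key plus an HMAC tag, which is enough to
# show the recovery logic; a real product would use an authenticated cipher.

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a user secret (password or joined answers)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000, dklen=32)

def wrap(data_key: bytes, secret: str) -> dict:
    """Wrap the 32-byte data key under a KEK derived from `secret` with a fresh salt."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
    return {"salt": salt, "wrapped": wrapped,
            "tag": hmac.new(kek, wrapped, "sha256").digest()}

def unwrap(blob: dict, secret: str):
    """Return the data key, or None when the secret is wrong (tag mismatch)."""
    kek = derive_kek(secret, blob["salt"])
    expected = hmac.new(kek, blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))

def answers_secret(answers) -> str:
    """Normalise case and whitespace so 'Rex' and ' rex ' verify the same way."""
    return "\x1f".join(" ".join(a.lower().split()) for a in answers)

def enroll(data_key: bytes, password: str, answers) -> dict:
    """Escrow the data key under both verification methods (the 'central store')."""
    return {"by_password": wrap(data_key, password),
            "by_questions": wrap(data_key, answers_secret(answers))}

def change_primary_password(store: dict, new_password: str,
                            previous_password=None, answers=None) -> bool:
    """Verify identity, then re-wrap the data key under the new primary password.
    Returns False when neither method verifies: the user is locked out, and the
    store record must be deleted and credentials re-entered."""
    data_key = None
    if previous_password is not None:
        data_key = unwrap(store["by_password"], previous_password)
    if data_key is None and answers is not None:
        data_key = unwrap(store["by_questions"], answers_secret(answers))
    if data_key is None:
        return False
    store["by_password"] = wrap(data_key, new_password)
    return True
```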
Bypassing Identity Verification
Important: Automatic key management is not as secure as
other key recovery mechanisms such as security questions and previous password.
If you want Single Sign-on to bypass identity verification and
retrieve user encryption keys automatically, you can specify the Secondary Data
Do not prompt users; restore primary data protection
automatically over the network.
This method, known as
automatic key management, is available when you install
the Key Management Module and you create a user configuration with this option
With this method, users log on to the network and have immediate
access to applications managed by Single Sign-on. There are no questions to
answer. When users change their primary passwords, the plug-in software detects
these password changes and recovers the users’ encryption keys using the Single
Automatic key management provides users with the easiest and fastest
access to their applications. However, it does not protect against access by an
unauthorized user because there is no user secret to protect the user’s network
password. To help prevent this potential problem, implement automatic key
management in combination with the Self-Service Module. This module requires
question-based authentication to allow your users to confirm their identity
when resetting their primary passwords or unlocking their domain accounts.