Passphrases are an important security component in the implementation of SecureLogin. Passphrases are unique question and answer combinations created to verify and authenticate the identity of a user. In a directory environment, you can create passphrase questions for users. Users can select one of these questions and provide an answer for it. You can also permit users to provide a question of their choice and the answer for it.
Passphrases protect user credentials from unauthorized use. For example, in an Microsoft Active Directory environment, an administrator can reset the users network password and then log in as that user and gain access to the users information.
However, this cannot happen when you are using SecureLogin. If someone other than the actual users tries to reset the network password, SecureLogin triggers the passphrase question. The user must provide the correct answer before successfully logging in. Even an administrator cannot access the user’s single sign-on-enabled applications without knowing the user’s passphrase answer.
When SecureLogin is launched for the first time on a user’s workstation, the Passphrase Setup dialog box is displayed.
NOTE:
In a Microsoft Windows Vista or higher environment, when you log in to SecureLogin in an offline mode with an incorrect password, you are prompted to provide the passphrase answer. If an incorrect passphrase answer is specified, you are prompted to retry the authentication. However, if you again provide a wrong password, instead of seeing a prompt for the passphrase answer, you are prompted to specify the password (that is, instead of the passphrase dialog box, the password dialog box is displayed). Close and relaunch SecureLogin to be prompted for the password first, then prompted for the passphrase answer if the incorrect password is specified
SecureLogin using the Novell Client does not support non-password-based NMAS logins if the passphrase options are disabled. This is not supported because SecureLogin either fails to open the local cache or opens the local cache file without any password.
Also, Offline authentication does not work if you do a non-password-based NMAS authentication with the Passphrase Security System disabled. This is because SecureLogin in offline mode accepts only passphrases for non-password-based NMAS authentication. This scenario occurs only if SecureLogin is installed in Novell Client mode.
Passphrases are used to authenticate when:
A user is working either remotely or offline in an eDirectory or non-Microsoft Active Directory LDAP environment.
Someone other than the actual user resets the network password.
An individual cannot access a user’s credentials by resetting the network password.
Passphrases can be used in conjunction with SecureLogin Self-Service Password Reset, which enables users to reset their network password after answering the passphrase question.
You can use this functionality to disable access to user credentials if the computer is stolen.
NOTE:You can disable the passphrase security system, but it also removes the features mentioned in the preceding section.