The Enable Passphrase Security System option determines whether users can use a passphrase to decrypt single sign-on data.
If the passphrase system is not used, users' single sign-on data is exposed to any third party who can reset the user's network password. It is strongly recommended that you enforce the passphrase system in the users' environment.
To view or modify this preference:
1. Launch the Administrative Management utility (SLManager or MMC snap-ins).
2. Click Preferences.
3. Select Security > Enable passphrase security system, then select Yes or Hidden.
4. Click Apply.
5. Click OK.
You can set the Enable Passphrase Security System preference to Yes or Hidden depending on your enterprise's security requirements.
If the Enable Passphrase Security System is set to Yes (which is the default preference), the user is prompted to set the passphrase question and answer when SecureLogin is launched for the first time.
If the Enable Passphrase Security System is set to Hidden, the user is not prompted to set the passphrase question and answer when SecureLogin is launched for the first time.
WARNING: If you change the preference from Hidden to Yes, users must answer the passphrase questions to use SecureLogin. Typically, users are not prompted to create a passphrase after the first login.
Without any message indicating the change in the preference, users are suddenly prompted for the passphrase answer. So, avoid changing the preference.
How the passphrase question and answer are set depends on which of the following two options you specified:
- Users create both the passphrase question and answer.
- You predefine a list of questions and answers, and the user selects from the list.
When users have set a passphrase, the application generates a random key, and a one-way hash of the passphrase answer encrypts this key. The application key then encrypts the resulting key. This key protects users' SecureLogin credentials and passwords, so that even someone with Supervisor rights to the network and access to Microsoft Management Console (MMC) is unable to view a user's passwords to applications.
After the passphrase is set, every time a user logs in to the network, SecureLogin loads seamlessly.
Typically, the prompt to create a passphrase is never seen after the first login. However, if an administrator resets the user's directory or network, the next time SecureLogin launches, users must answer the passphrase question before SecureLogin continues. This prevents other users from changing the user's directory password, logging on as the user, obtaining access to the SecureLogin data, and using it to run applications.
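The following Python is an added illustration of the key hierarchy described above, not SecureLogin's own code or algorithm: a random data key is wrapped under a one-way hash of the passphrase answer, and that result is wrapped again under an application key, so a party who can reset the directory password but does not know the answer cannot recover the data key. The HMAC-SHA256 counter-mode cipher, the 16-byte nonce and the 32-byte key sizes are assumptions of the model.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real block cipher (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def wrap(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of `secret` under `key`: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def passphrase_key(answer: str) -> bytes:
    """One-way hash of the passphrase answer; the answer itself is never stored."""
    return hashlib.sha256(answer.encode("utf-8")).digest()

def enrol(answer: str, app_key: bytes) -> tuple:
    """First launch: generate a random data key, wrap it under the hashed answer,
    then wrap that result under the application key. Returns (data_key, stored_blob)."""
    data_key = os.urandom(32)
    return data_key, wrap(app_key, wrap(passphrase_key(answer), data_key))

def recover(answer: str, app_key: bytes, stored_blob: bytes) -> bytes:
    """Unlock the data key. Needs the application key AND the passphrase answer."""
    return unwrap(passphrase_key(answer), unwrap(app_key, stored_blob))

def can_unlock(answer: str, app_key: bytes, stored_blob: bytes) -> bool:
    """True only when both the application key and the passphrase answer are right."""
    try:
        recover(answer, app_key, stored_blob)
        return True
    except ValueError:
        return False
```

Contrast this with the Hidden setting described further down, where no user-supplied answer exists and a password reset alone is enough to reach the data.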
You cannot toggle the Enable Passphrase Security System setting when the users forget their smart card unless they had previously set a passphrase or had it randomly generated using the Hidden option.
If users are required to authenticate to the network by using passwords, Enable Passphrase Security System must be set either to Yes or Hidden.
1. Launch the Administrative Management utility (SLManager or MMC snap-ins).
2. Click Preferences.
3. Under Security, select Yes or Hidden in Enable passphrase security system.
4. Click Apply.
5. Click OK.
If you select Yes, users must select a passphrase question and answer when they log in to SecureLogin for the first time. When the passphrase system is enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.
NOTE: With the Use smart card to encrypt SSO data option selected (either PKI credentials or Key generated on smart card), you can use the passphrase to decrypt single sign-on data if the user's smart card is damaged or lost.
This setting must be used in conjunction with the Lost card scenario preference set to Allow passphrase and the Store credentials on the smart card preference set to No. You can toggle these preferences if the user's smart card is forgotten, provided the user's passphrase has already been set. The user is prompted to answer the passphrase question before SecureLogin loads.
For more information, see Section 8.5, Lost Card Scenarios.
If the Hidden preference is selected, users are not prompted to set a user-defined passphrase. A user key is generated automatically without any input from the user.
The Enable Passphrase Security System cannot be set to No unless Use smart card to encrypt SSO data is set to PKI credentials.
If users are required to authenticate to the network by using passwords, the Enable passphrase security system option must be set to Yes, No, or Hidden.
IMPORTANT: With the passphrase security system set to Hidden, a directory administrator can reset a user's directory password, log in as the user, and access the user's single sign-on data, because they are not prompted to answer a passphrase question.
If Use smart card to encrypt SSO data is set to PKI credentials, the user's single sign-on data is encrypted by using the public key from the selected certificate and the private key, and stored in a PIN-protected container on the user's smart card. Both the user's directory datastore and the local cache are then protected by the PKI credentials.
The single sign-on data can be encrypted by using the private key that is PIN-protected and stored on the user’s smart card for added security. Only the user who has the physical possession of the smart card and knowledge of the PIN can decrypt the single sign-on data.
To set the Use smart card to encrypt SSO data preference:
1. Launch the Administrative Management utility (SLManager or MMC snap-ins).
2. Click Preferences.
3. Select Security > Use smart card to encrypt SSO data, then select PKI credentials, Key Generated On Smart Card, or No.
4. Click Apply.
5. Click OK.
If the Use smart card to encrypt SSO data is set to PKI credentials, the Enable passphrase security system can be set to No.
If the Use smart card to encrypt SSO data is set to No, the user’s passphrases are completely disabled and the user’s smart card is always required to decrypt the single sign-on data.
IMPORTANT: If your enterprise chooses to disable the passphrase security system:
- A user's credentials can still be accessed by resetting the network password.
- The function of using passphrases in conjunction with SecureLogin Self Service Password Reset (SLSSPR) is disabled. SecureLogin Self Service Password Reset enables a user to reset his or her network password after answering the passphrase questions.
The supported directory modes for disabling the passphrase security system are:
- Active Directory
- LDAP-compatible
- eDirectory (if SecretStore is used)
For information about the scenarios that a user might experience when the Enable passphrase security system option is set to No, see Passphrase Security System Scenarios.