Key features of the IPI Authentication Service in 5 minutes
IPI Authentication Service – Key features
IPI Authentication Service Components
Identity and Access Management Server via Web Interface
Unlocking the computers with IPI Keys via the Proximity Mechanism
Unlocking and locking the computer with a mobile application
Passwordless and offline unlocking of the computer by Mobile app as Smart Card
Single Sign On (SSO) to any applications that support Open ID Connect
Can be used as an Identity Provider (IdP) for web applications that support SAML 2.0.
Can be deployed on the cloud or On-Premises
Integrated into the domain to work with AD or Azure AD (Entra)
Additional:
can be deployed on both Windows and Linux server
is deployed from the source or run on Docker
can be used as a FIDO-keys server
supports security keys by different vendors
IPI Client (desktop application)
can be installed centrally, .msi
is designed for Windows 10-11 only
You can register the server address on all Clients centrally
IPI Keys (Hardware security tokens)
Unlocking the computers via the Proximity Mechanism
Password Manager
Replaceable (IPI Key 3) or rechargeable (IPI Key 4) battery
Multifunctional button with different color modes
Bluetooth connection
Passwordless login on IES (FIDO2/WebAuthn)
Usernameless login on IES (FIDO2/WebAuthn)
Universal Second Factor Authentication on IES (FIDO U2F)
USB, NFC, Bluetooth connection
IPI Authenticator (mobile app)
Compatible with Android and iOS devices
Mobile sign-ins to any Windows account type (via RDP as well; passwordless TPM-based, password-based)
Single sign-on option
OTP generation
Keys and Authenticator application can be used either simultaneously or separately.
IPI Enterprise Server
If your application is a SAML 2.0 Service Provider you are ready to add an extra layer of security with IPI IdP, enable 2FA and use IPI security keys or your own (third-party or platform) authenticators. The SAML IdP uses the IES identity store or Active Directory enabling authentication and providing federation for such service providers. IPI Enterprise Server supports SAML 2.0 login, logout, single logout and metadata. Both SP Initiated and IdP Initiated sign on is supported.
Accounts
There are different account types by affiliation and storage location:
Personal accounts are created on the server by the admin and assigned to a specific employee. The employee uses the account, but cannot change it. At the time of synchronization of the key and the server, passwords are stored in the key and deleted from the server; they are further stored only on the employee's key.
Shared accounts are created on the server by the admin and can be assigned to several employees. Employees use the account, but cannot change it. At the time of synchronization of the key and the server, passwords are stored in the key, but are NOT deleted from the server; they are further stored both on the key and on the server. Use the Data Protection option to ensure data security on the server.
Private accounts are created by an employee from the IPI Client interface, the administrator does not know about their existence, they are not transferred to the server. An employee can only add a Web / App account.
Account types by stored access
You can create an account to access sites and / or applications and unlock your computer (local account, domain account, Microsoft account, or Azure AD account).
The same account can be simultaneously used to access websites / applications and to unlock a PC. For example, you can specify a domain account and sites / applications for which domain authorization is possible.
Workstations
Once the IPI Client is installed on the user's computer, it will be displayed in the eponymous section on the server. A prerequisite is that the administrator must approve this computer to work with IPI Key.
If the computer is not approved, the user will not be able to connect the key there (i.e. an employee cannot use the key issued at work on a personal laptop or computer unless the administrator allows that computer).
Access profiles (Hardware Vault Access Profiles)
Access profiles are a tool for strengthening or weakening security settings for specific users. You can configure the requirement to press the button / enter the PIN code / be connected to the server for the first connection of the key to the computer / to access the password manager in the IPI Client.
To enhance security, you can configure the requirement to re-enter the PIN code every n minutes.
Unlocking your computer with the IPI Key
For the key to be able to unlock the computer, the following conditions must be met:
the client is installed on the computer
the computer is approved by the administrator on the server
the key has an account to unlock the computer
the workstation must be added to "Proximity Unlock Workstations"
Tap-And-Go
This method does not require any additional settings - everything works out of the box. If the above conditions are met, touching the key to the dongle will unlock the computer.
Unlock by proximity (when the Bluetooth signal strength reaches a configured level)
The scenario requires additional configuration: a key that can unlock the computer by proximity must be specified in the Workstation settings on the IES server.
Limitations: This method is intended for a situation where only one user is working on the computer. If 2 or more users work on the same computer, this unlocking method can be allowed only if these employees work in shifts and cannot be near the computer at the same time.
Configuring the Bluetooth signal level at which the computer is locked or unlocked is available to the administrator. But you can only adjust the signal level in %. The real distance in meters depends on the specific room (its furnishings, the presence of obstacles, other wireless devices, and the load of the network).
Unlock with the Security Key (FIDO2)
This method only works if you are using Azure AD. IPI Bluetooth Dongle and IPI software are not required, only a configured key and settings from the Azure AD side.
Locking your computer with the IPI Key
To configure workstation locking using the Proximity mechanism, the admin needs to create or edit an existing profile that the workstation uses. In this profile, the admin specifies the signal strength for Proximity Lock and Unlock, and the delay before locking the computer. Please note that unlocking a workstation via Proximity works only after the workstation has been added to Proximity Unlock Workstations on the employee page.
Once the key is pulled away and the Bluetooth signal level falls below the established value, the PC is locked.
In order to lock the PC with a key, you must also unlock it with the IPI Key or connect the key to the Client if it is unlocked manually.
If you unlocked the computer manually and did not connect the key, there will be no automatic lock. This is indicated by the red IPI Client icon.
If you unlocked the computer manually and then connected the key to the Client, the computer will be locked by proximity. The IPI Client icon will appear in the standard blue color.
If you unlocked the computer using the key, the PC will be locked by proximity.
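The lock and unlock rules above (signal levels in %, a lock delay, and the "manual unlock without the key means no automatic lock" case) can be modelled as a small policy simulation. The code below is an added example written for this page, not IPI software or its configuration format: the field names `unlock_level`, `lock_level` and `lock_delay_s`, the signal samples, and the workstation flags are assumptions chosen to mirror the conditions described in the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Hypothetical profile: the page says the admin configures Proximity Lock/Unlock
# signal strength in % and a delay before locking. Field names are assumptions.
@dataclass
class ProximityProfile:
    unlock_level: int = 70   # % signal at or above which the PC unlocks
    lock_level: int = 40     # % signal below which the PC locks
    lock_delay_s: int = 10   # seconds the signal must stay low before locking


@dataclass
class Workstation:
    client_installed: bool
    approved: bool                  # approved by the administrator on the server
    in_proximity_unlock_list: bool  # added to "Proximity Unlock Workstations"
    key_has_unlock_account: bool    # the key holds an account for this PC
    locked: bool = True
    unlocked_by: Optional[str] = None  # "key", "manual", or None while locked
    key_connected: bool = False        # key connected to the IPI Client

    def can_proximity_unlock(self) -> bool:
        """All four preconditions from the text must hold for a proximity unlock."""
        return (self.client_installed and self.approved
                and self.in_proximity_unlock_list and self.key_has_unlock_account)

    def will_lock_by_proximity(self) -> bool:
        """Manual unlock without connecting the key: no automatic lock (red icon)."""
        return (not self.locked
                and (self.unlocked_by == "key" or self.key_connected))

    def manual_unlock(self, connect_key: bool = False) -> None:
        """Unlock by typing the password, optionally connecting the key afterwards."""
        self.locked = False
        self.unlocked_by = "manual"
        self.key_connected = connect_key


def simulate(ws: Workstation, profile: ProximityProfile,
             samples: List[Tuple[int, int]]) -> List[Tuple[int, str]]:
    """Replay constructed (time_s, signal_pct) samples; return (time, event) pairs."""
    events: List[Tuple[int, str]] = []
    low_since: Optional[int] = None  # first time the signal dropped below lock_level
    for t, pct in samples:
        if ws.locked:
            if pct >= profile.unlock_level and ws.can_proximity_unlock():
                ws.locked, ws.unlocked_by, ws.key_connected = False, "key", True
                low_since = None
                events.append((t, "unlock"))
            continue
        if not ws.will_lock_by_proximity():
            continue
        if pct < profile.lock_level:
            if low_since is None:
                low_since = t
            if t - low_since >= profile.lock_delay_s:
                ws.locked, ws.unlocked_by, ws.key_connected = True, None, False
                low_since = None
                events.append((t, "lock"))
        else:
            low_since = None  # signal recovered before the delay expired


    return events


def demo() -> List[Tuple[int, str]]:
    """Key approaches, user walks away for longer than the delay, then returns."""
    ws = Workstation(True, True, True, True)
    walk = [(0, 80), (5, 75), (10, 30), (15, 35), (20, 20), (25, 90)]
    return simulate(ws, ProximityProfile(), walk)


if __name__ == "__main__":
    print(demo())  # [(0, 'unlock'), (20, 'lock'), (25, 'unlock')]
```

The delay is measured from the first sample below the lock level and is reset whenever the signal recovers, so a brief dip (as at 15 s in the demo, where the signal rises but stays below the lock level) does not by itself restart the timer, while a return above the lock level does.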
Organizational structure
You can recreate the organizational structure of your company, and add departments or subsidiaries on the IES server. This is absolutely optional, but the filled-in data will help you get answers in the context of reports for any department. Data can be retrieved from AD for imported users.
Managing keys with statuses
In order to ensure convenient management of the IPI Keys, they have various statuses that allow the Administrator to implement various security policies provided by the company.
Ready
This status means that IPI Key is clear of any data and can be given to an employee.
Devices fall into this status:
immediately after import
after a Wipe procedure
Reserved
This status means that the IPI Key has been issued/sent to the user, but has not yet been activated by the user. The key cannot be used, there is no data on it. An activation procedure is required.
You can add accounts on the IPI Key with such status, but physically they will appear on it when the device switches to the Active status.
Active
This status means that IPI Key is in working order, and you can use the key. This status allows adding/changing/deleting accounts, etc.
Locked
This status means that IPI Key is locked at the hardware level as a result of entering an incorrect PIN or activation code. The user cannot work until the device is unlocked.
Suspended
This status means that IPI Key is temporarily unavailable for use. This may be the case when:
The employee was temporarily banned from using the IPI Key (e.g. while on vacation) and forcibly assigned this status
The Administrator transferred the IPI Key from the Locked status by using the Activate device command and the IPI Key will be unavailable for use until the User enters the correct activation code.
Deactivated
This status means that IPI Key was taken away from the previous user, but the data on it has not been erased yet, or it is broken.
Compromised
This status means that IPI Key has been compromised. The administrator sets the status, the device is wiped, and all links are deleted. Data cannot be restored.
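The status descriptions above define a lifecycle: which statuses a key can move between, what each transition does to the data on the key, and the special case that accounts added to a Reserved key only appear on it once it becomes Active. The following state machine is an added example for this page, not IES code: the event names (`issue`, `activation_code_ok`, `pin_bad`, `activate_device`, `suspend`, `resume`, `deactivate`, `wipe`, `compromise`) are assumptions, and where the text does not state a transition (for example out of Compromised, or a `resume` after a temporary ban) the comments say so.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class KeyStatus(Enum):
    READY = "Ready"
    RESERVED = "Reserved"
    ACTIVE = "Active"
    LOCKED = "Locked"
    SUSPENDED = "Suspended"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"


# (current status, event) -> next status. Event names are assumptions;
# the transitions follow the status descriptions in the text.
TRANSITIONS: Dict[Tuple[KeyStatus, str], KeyStatus] = {
    (KeyStatus.READY, "issue"): KeyStatus.RESERVED,                # key issued/sent to a user
    (KeyStatus.RESERVED, "activation_code_ok"): KeyStatus.ACTIVE,  # activation on first connection
    (KeyStatus.RESERVED, "activation_code_bad"): KeyStatus.LOCKED, # hardware lock on a wrong code
    (KeyStatus.ACTIVE, "pin_bad"): KeyStatus.LOCKED,               # hardware lock on a wrong PIN
    (KeyStatus.ACTIVE, "suspend"): KeyStatus.SUSPENDED,            # temporary ban, e.g. vacation
    (KeyStatus.SUSPENDED, "resume"): KeyStatus.ACTIVE,             # assumption: ban lifted by admin
    (KeyStatus.LOCKED, "activate_device"): KeyStatus.SUSPENDED,    # admin command; awaits the code
    (KeyStatus.SUSPENDED, "activation_code_ok"): KeyStatus.ACTIVE, # user enters the correct code
    (KeyStatus.SUSPENDED, "activation_code_bad"): KeyStatus.LOCKED,
    (KeyStatus.ACTIVE, "deactivate"): KeyStatus.DEACTIVATED,       # key taken away from the user
    (KeyStatus.SUSPENDED, "deactivate"): KeyStatus.DEACTIVATED,
    (KeyStatus.LOCKED, "deactivate"): KeyStatus.DEACTIVATED,
    (KeyStatus.DEACTIVATED, "wipe"): KeyStatus.READY,              # Wipe procedure clears all data
    # No transition out of Compromised is described in the text, so none is modelled.
}


@dataclass
class HardwareKey:
    serial: str                                       # constructed identifier, not a real one
    status: KeyStatus = KeyStatus.READY               # a freshly imported key is Ready
    accounts: List[str] = field(default_factory=list)  # accounts physically on the key
    pending: List[str] = field(default_factory=list)   # queued while Reserved, applied on Active

    def apply(self, event: str) -> KeyStatus:
        """Apply an event; raise ValueError for a transition the lifecycle does not allow."""
        if event == "compromise":
            # Admin decision from any status: device wiped, links deleted, not recoverable.
            self.accounts.clear()
            self.pending.clear()
            self.status = KeyStatus.COMPROMISED
            return self.status
        nxt = TRANSITIONS.get((self.status, event))
        if nxt is None:
            raise ValueError(f"event {event!r} is not allowed in status {self.status.value}")
        if nxt is KeyStatus.READY:
            # Wipe: the key is clear of any data and can be given to someone else.
            self.accounts.clear()
            self.pending.clear()
        if nxt is KeyStatus.ACTIVE and self.status is KeyStatus.RESERVED:
            # Accounts added while Reserved physically appear at activation.
            self.accounts.extend(self.pending)
            self.pending.clear()
        self.status = nxt
        return nxt

    def add_account(self, name: str) -> None:
        """Active: written to the key now. Reserved: queued. Anything else: refused."""
        if self.status is KeyStatus.ACTIVE:
            self.accounts.append(name)
        elif self.status is KeyStatus.RESERVED:
            self.pending.append(name)
        else:
            raise ValueError(f"cannot add accounts to a key in status {self.status.value}")


def walkthrough() -> List[str]:
    """Issue a key, queue an account, activate, survive a wrong PIN, deactivate, wipe."""
    key = HardwareKey("K-0001")
    trace: List[str] = []
    for ev in ("issue",):
        trace.append(key.apply(ev).value)
    key.add_account("CORP\\alice")               # queued: key is still Reserved
    trace.append(f"on key: {len(key.accounts)}")  # 0 accounts physically present yet
    for ev in ("activation_code_ok", "pin_bad", "activate_device",
               "activation_code_ok", "deactivate", "wipe"):
        trace.append(key.apply(ev).value)
    trace.append(f"on key: {len(key.accounts)}")  # wiped
    return trace
```

The queue for Reserved keys is the detail worth noticing: an administrator can prepare accounts before the employee has activated the key, and the model makes the moment they land on the hardware explicit instead of leaving it implicit.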
Adding employees
There are 2 mechanisms for adding employees in IES.
If you do not use Active Directory, you can manually add an employee. You can just save the name and complete the full configuration much later, or create an employee with full customization.
If you have Active Directory in your company and you want the most complete integration with it, read the next section.
AD scenarios
You need to create the following groups in AD:
Security Key Owners
Security Key Auto Password Change
Add all employees to whom the hardware keys will be issued in the Security Key Owners group.
The Security Key Auto Password Change group must include the employees for whom domain account passwords will be automatically generated and changed as scheduled. They will have to be authorized only with the IPI Key.
Once all the necessary settings for access to AD on IES have been saved and the initial import procedure has completed, the Security Key Owners and Security Key Auto Password Change groups will be automatically synchronized with the list of users in IES.
Synchronization with AD occurs once an hour. How does it work? You want to add a new employee who is allowed to use the hardware security key. Add the employee to the Security Key Owners group and they will appear in the list of employees on IES after synchronization. After this, you need to assign a key to the employee and go through all the other steps.
You want some employees to set up automatic regular password changes in AD. Neither the user nor the administrator will know these passwords! The password will be stored only on the hardware key and authorization to the domain account will be possible only if the key is present.
Add the user to the Security Key Owners and Security Key Auto Password Change groups at the same time. As soon as an employee is imported from AD, his domain account is also imported (even before the hardware key is assigned to him). The password from AD cannot be imported and therefore it is generated on the IES side. After assigning a hardware key to an employee, a server-side task is created to record a domain account with a new password on the key. The employee continues to use the current password to log into the domain account until the first time the hardware security key is connected.
The key is activated at the time of the first connection (do not forget to provide the employee with the activation code). The task sent earlier by the server to create an account with a new password is executed. At the same time, the user's password in AD is updated and recorded to the key.
Automatic password change occurs according to the settings on the IES.
You want to stop automatically changing the password for your domain account.
Remove the user from the “Security Key Auto Password Change” group. The automatic password change will stop working.
You want to take away the right to use the hardware security key from your employee.
Remove the employee from the Security Key Owners group, and their key will go into the "Deactivated" state after synchronization. The employee will not be removed from IES (to preserve the history of their actions), but they will no longer be able to use the key. You then only have to physically collect the hardware key from the employee and carry out the Wipe procedure to be able to give it to another employee.
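The four AD scenarios above (new owner imported, auto password change enabled, auto change stopped, key right withdrawn) are all outcomes of one reconciliation between the two AD groups and the IES employee list. The reconciliation below is an added example written for this page, not IES or AD code: the group names are the ones the text prescribes, while the `Employee` record, the action log strings, the `assign_key` helper and the constructed group membership are assumptions. It also goes slightly beyond the text by flagging a user who is in the Auto Password Change group but not in Security Key Owners, since the text says to add users to both groups at the same time.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Group names exactly as the text prescribes them.
OWNERS = "Security Key Owners"
AUTO_CHANGE = "Security Key Auto Password Change"


@dataclass
class Employee:
    sam: str                               # AD account name (constructed sample values)
    key_serial: Optional[str] = None       # assigned hardware key, if any
    key_status: str = "Ready"              # mirrors the key status names in the text
    auto_password_change: bool = False     # scheduled domain password rotation on
    has_domain_account: bool = False       # domain account imported alongside the user


def sync(ad_groups: Dict[str, Set[str]], ies: Dict[str, Employee]) -> List[str]:
    """One hourly synchronization pass; mutates `ies` and returns an action log."""
    log: List[str] = []
    owners = ad_groups.get(OWNERS, set())
    auto = ad_groups.get(AUTO_CHANGE, set())

    # 1. New members of Security Key Owners are imported together with their
    #    domain account; no key is assigned by the sync itself.
    for sam in sorted(owners - set(ies)):
        ies[sam] = Employee(sam, has_domain_account=True)
        log.append(f"import {sam}")

    # 2. Employees removed from Security Key Owners keep their IES record (history)
    #    but their key goes to Deactivated; it must be collected and wiped by hand.
    for sam, emp in sorted(ies.items()):
        if sam not in owners and emp.key_serial \
                and emp.key_status not in ("Deactivated", "Compromised"):
            emp.key_status = "Deactivated"
            log.append(f"deactivate key {emp.key_serial} of {sam}")

    # 3. Automatic password change follows the second group, but only for owners;
    #    leaving the group stops the rotation.
    for sam, emp in sorted(ies.items()):
        want = sam in auto and sam in owners
        if want and not emp.auto_password_change:
            emp.auto_password_change = True
            log.append(f"enable auto password change for {sam}")
        elif not want and emp.auto_password_change:
            emp.auto_password_change = False
            log.append(f"disable auto password change for {sam}")

    # 4. Assumption: membership in the second group without the first is a
    #    configuration mistake worth surfacing rather than silently ignoring.
    for sam in sorted(auto - owners):
        log.append(f"warning: {sam} is in '{AUTO_CHANGE}' but not in '{OWNERS}'")
    return log


def assign_key(emp: Employee, serial: str) -> Optional[str]:
    """Assign a key (Ready -> Reserved). For auto-change users, return the server
    task that writes the domain account with a freshly generated password to the
    key; per the text it runs at the key's first connection, when the AD password
    is updated too. The task string format is an assumption."""
    emp.key_serial = serial
    emp.key_status = "Reserved"
    if emp.auto_password_change:
        return f"write-domain-account:{emp.sam}:{serial}"
    return None


def demo() -> List[str]:
    """Constructed snapshot: alice is new, bob left Owners, carol stays, dave is misconfigured."""
    ies = {
        "bob": Employee("bob", key_serial="K-2", key_status="Active", auto_password_change=True),
        "carol": Employee("carol", key_serial="K-3", key_status="Active"),
    }
    groups = {OWNERS: {"alice", "carol"}, AUTO_CHANGE: {"alice", "dave"}}
    log = sync(groups, ies)
    task = assign_key(ies["alice"], "K-9")
    return log + [f"task: {task}"]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the sync is declarative (AD is the source of truth, IES is reconciled to it), running it twice on the same snapshot produces no further actions, which is the property you want from an hourly job.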
Each IPI Key has a factory-assigned RFID code. It can either be entered into your ACS, or you can assign a new desired RFID code to the IPI Key using a special programmer. The programmer can be purchased separately or it can be included with your ACS.
It is impossible to change the RFID code on IPI Key without a programmer!