Mission Control Identity Server
The Identity Server answers user and client authentication requests. It also offers full user administration and debugging features. Designated administrators can edit user credentials, define group permissions and set usernames and passwords in the Mission Control Portal. In addition, the Identity Server integrates with the Active Directory environment by keeping users in sync. Whenever a user changes their password, the Mission Control Portal enforces a strong password policy.
For existing Active Directory environments, user fields such as name, phone number, email address, alias, client VPN group membership, authentication group memberships, job title, and cost center are synchronized to the Identity Server database. A user's password is not exported from Active Directory and is, therefore, validated in real time against the directory. This ensures centralized password storage and privacy. The synchronized information can be combined with two-factor authentication methods on the Identity Server service.
Federated identity management
Nowadays users increasingly need to access external systems that are outside their domain of control. Additionally, partners and external users need to access internal systems. Federated identity management addresses the challenges associated with such cross-organization and cross-domain access, and uses a common set of policies, practices and protocols to manage the identity of users. Identity information is portable across autonomous security domains so that users of one domain can seamlessly and securely use the data or systems of another domain, without the overhead of user administration at every domain.
Strong authentication reduces the risks associated with ordinary password authentication and provides a more secure way of logging in to the network by using a second authentication factor, such as one-time passwords or SMS authentication.
OTP Token Authentication
Tokens produce a constantly changing 6-digit number that provides an additional authentication factor. Because each number serves as a one-time password, a captured value cannot be reused, which defeats various attacks on the user's credentials, including keystroke logging at internet cafés and other forms of eavesdropping and password theft. Users are relieved of cumbersome password handling, and periodic password-renewal policies can be simplified while protection increases.
Client certificates can be used for device or user authentication. For user authentication, a user identifier is extracted from the user certificate during the login phase. This is convenient for users and automatically creates a strong binding between the user certificate and user login. Device authentication can enforce the use of company-managed computers for remote access.
For users with mobile phones this method of strong authentication is an alternative to hardware tokens. After the correct password is entered, an SMS with a one-time password (OTP) is sent to the mobile number of the user (that number is registered in advance in the Mission Control Portal). The user completes the authentication by entering this OTP in the newly presented field of the login page. This process proves that the user is in possession of a mobile device with a SIM card that corresponds to the registered mobile number, and is thus a form of two-factor authentication, i.e. the user knows a password and has a unique device.