5 Securing Universal Authentication Manager

Universal Authentication Manager offers a flexible, adaptable, and truly universal authentication solution, capable of integrating with a wide variety of authentication methods through its framework and APIs. Out-of-the-box, Universal Authentication Manager offers four built-in and configurable authentication methods: smart cards, passive proximity cards, biometric fingerprint, and a challenge questions quiz. Native Windows Passwords are also supported.

Note:

Universal Authentication Manager can be deployed in enterprise (centrally-managed, repository-based) or local (standalone) mode. The recommendations in this section are meant for enterprise-wide enforcement via administrator-configured policies and thus apply primarily to Universal Authentication Manager's enterprise mode. For more information, see the Oracle Enterprise Single Sign-On Suite Plus Administrator's Guide.

Follow the guidelines below to maximize security when using each method:

  • Use a high-strength PIN (fingerprint, proximity/smart cards only):

    • Require a PIN in conjunction with your chosen logon method to enforce two-factor authentication. Unless your environment specifically disallows the use of a PIN, it should be configured and required at all times.

    • Enforce high PIN complexity by configuring each logon method's PIN policy for increased minimum length, requiring multiple character types (uppercase, numeric, extended), and so on.

    • When using smart cards, configure Universal Authentication Manager to use the smart card's built-in PIN and reconfigure the PIN policy stored on the card to increase PIN complexity as described above.

  • When using smart cards, configure the cards to use your enterprise's Public Key Infrastructure (PKI) and install and configure a certificate revocation plug-in. (For more information on certificate revocation plug-ins, contact Oracle Support.)

  • Enforce strong authentication as the only permitted logon method. Disallowing the Windows password as a logon method for Universal Authentication Manager decreases the chance of brute-force and social engineering attacks.

  • If your environment requires passwords, enforce an enterprise-wide complex password policy. Your password policy should enforce highly complex passwords to minimize the chance of a successful brute-force attack.

  • Enforce unique challenge questions. Create and enforce unique challenge questions to which answers cannot be easily guessed.

5.1 Repository Connection

Note:

Universal Authentication Manager can be deployed in enterprise (centrally-managed, repository-based) or local (standalone) mode. For more information, see the guide Administering Oracle Enterprise Single Sign-On Suite.

Universal Authentication Manager securely stores user authentication and policy data within an Active Directory-based repository. Data stored in the repository and transmitted between Universal Authentication Manager and the repository is always encrypted, so a rogue administrator viewing the repository content directly cannot decipher it. Oracle also recommends configuring your repository for SSL connectivity to further increase security.

5.2 Service Account (Enterprise Mode Only)

When running Universal Authentication Manager in enterprise (repository synchronization) mode, you must create and configure a domain account that will allow Universal Authentication Manager to connect to and make changes in its repository. For maximum security, you must:

  • Strictly follow the repository configuration instructions, including the minimum necessary privilege assignment, described in the guide Administering Oracle Enterprise Single Sign-On Suite. Do not assign any additional privileges to the service account.

  • Configure the Universal Authentication Manager repository containers to be accessible only by this service account and no other user.

Note:

This account must also be granted the "Log on as a Service" privilege locally on the end-user workstation in order to allow Universal Authentication Manager to function.

5.3 User Policies (Enterprise Mode Only)

When deploying Universal Authentication Manager in enterprise mode, Oracle highly recommends that you do not rely on configuration defaults and instead deploy enterprise-wide policies that explicitly enforce each Universal Authentication Manager setting. When an explicit policy is in effect, the end user cannot modify the corresponding Universal Authentication Manager settings.

5.4 Synchronization with Password Reset

If you are deploying Universal Authentication Manager with the Challenge Questions logon method and wish to use Password Reset to centrally configure the challenge questions and store the user's enrollment data, Oracle recommends that you set up your Password Reset installation to only accept SSL connections for maximum security. For more information on integrating with Password Reset, see the Oracle Enterprise Single Sign-On Universal Authentication Manager Administrator's Guide.