5 Using Universal Authentication Manager for Strong Authentication

The Oracle Enterprise Single Sign-On Universal Authentication Manager system enables you to replace the use of native password logon to Microsoft Windows and Active Directory networks with stronger and easier to use authentication methods, while further enhancing security by providing two-factor authentication in the form of a PIN paired with an enrolled logon method.

Universal Authentication Manager allows you to rapidly and securely enroll credentials that will be used to identify and authenticate you to the system. Out of the box, Universal Authentication Manager offers four built-in and configurable authentication methods: smart cards, passive proximity cards, biometric fingerprint, and a challenge questions quiz. Native Windows passwords are also supported.

5.1 Getting Started Using Universal Authentication Manager

Universal Authentication Manager offers an intuitive interface that allows you to easily enroll credentials for your logon methods. There are two panels from which you can perform all actions for your logon methods:

  • Logon Methods

  • Settings

5.1.1 Fingerprints

Universal Authentication Manager enables you to enroll and use third-party standalone and embedded fingerprint scanners as an authentication mechanism.

Depending on your environment, your administrator may configure Universal Authentication Manager to require that a PIN be entered when logging on with a fingerprint; in such cases, you will be prompted to select a PIN when enrolling your fingerprints with Universal Authentication Manager. If the PIN requirement is not being enforced by your administrator, you may still choose to assign a PIN to your fingerprint enrollment for heightened security.

Note:

This logon method requires the BIO-key 1.12 BSP to be installed. If this is not installed, you will get an error message. Versions earlier than 1.10 are not supported. Contact your system administrator for assistance.

The following actions are available:

5.1.2 Proximity Cards

A passive proximity card or token is an identity object (such as a workplace ID badge) containing a circuit that a card-reading device can detect and decipher. When you place a proximity card close to a card reader, the reader detects the token's presence and recognizes identifying information that is associated with you.

Universal Authentication Manager also gives you the option (depending on your system configuration) to require a PIN during logon for more secure two-factor authentication.

The following actions are available:

5.1.3 Smart Cards

A smart card is a credit card-sized token containing a chip or embedded circuits that can store and process data securely. Information stored on a smart card can also be used for identification and authentication. Universal Authentication Manager enables you to enroll and use smart cards for logon and authentication without writing any data on the smart card chip.

For heightened security, Universal Authentication Manager requires that a PIN be assigned to each enrolled Smart Card and that you enter that PIN when logging on with the corresponding card. Universal Authentication Manager supports a card's built-in PIN and can also generate and assign a virtual PIN.

The following actions are available:

Note:

When using a smart card, the card's own PIN cannot be changed. Only a Universal Authentication Manager PIN associated with the smart card can be changed. For more information, see Configuring Universal Authentication Manager.

5.1.4 Challenge Questions

Challenge Questions is a question-and-answer quiz: you must correctly answer enough of the questions you selected and answered when you first enrolled this method to satisfy the weight requirement for successful logon set by the administrator.

5.2 Configuring Universal Authentication Manager

The Settings panel displays configurable policy settings for each logon method. The following settings are available, depending on how your instance of Universal Authentication Manager is configured by your administrator:

5.2.1 Display Settings

On the Display tab, you may be able to view or configure the following setting:

User Language: Selects the language in which the Universal Authentication Manager interface is displayed. The default value is the language of the operating system.

Note: This menu only shows languages for which the corresponding Universal Authentication Manager language packs have been installed. If you don't see the desired language in the list, contact your administrator.


5.2.2 Fingerprint Settings

On the Fingerprint tab, you may be able to view or configure the following settings:

Logon Method Enabled: Controls whether an installed authenticator is enabled or disabled. This policy setting enhances security by restricting the specific logon methods you are allowed to use. Options are Yes (default setting) and No.

Note: The Logon Method Enabled setting is only displayed if Universal Authentication Manager has been configured into local client mode. In enterprise mode, this setting is not displayed.

Number of Fingers: Specifies the number of finger samples you are required to enroll; you must enroll exactly this number of samples during enrollment. Default is 1. Maximum is 10.
PIN Required: Specifies whether you must submit a PIN in order to be authenticated. Options are Yes (default setting) or No.
PIN Minimum Length: The minimum allowed length for the PIN. Possible values are 4-16 characters (default setting is 4 characters).
PIN Allowed Characters: Restricts the character type(s) you can use in your PIN. Options are numeric only, alphanumeric only, or any characters (default setting).

5.2.3 Proximity Card Settings

On the Proximity Card tab, you may be able to view or configure the following settings:

Logon Method Enabled: Controls whether an installed authenticator is enabled or disabled. This policy setting enhances security by restricting the specific logon methods you are allowed to use. Options are Yes (default setting) and No.

Note: The Logon Method Enabled setting is only displayed if you are working in local mode. In enterprise mode, this setting is not displayed.

Removal Action: Controls how Universal Authentication Manager behaves when you "tap out" your proximity card (tap your card against the reader a second time during a session). Options are:
  • No Action.

  • Lock workstation (locks the workstation; you must re-authenticate to return to your session).

  • Force Logoff (automatically logs you off the workstation).

PIN Required: Specifies whether you must submit a PIN for your card in order to be authenticated. Options are Yes (default setting) or No.
PIN Minimum Length: The minimum allowed length for the proximity card PIN. Possible values are 4-16 characters (default setting is 4 characters).
PIN Allowed Characters: Restricts the character type(s) you can use in your proximity card PIN. Options are numeric only, alphanumeric only, or any characters (default setting).

5.2.4 Smart Card Settings

On the Smart Card tab, you may be able to view or configure the following settings:

Logon Method Enabled: Controls whether an installed authenticator is enabled or disabled. This policy setting enhances security by restricting the specific logon methods you are allowed to use. Options are Yes (default setting) and No.

Note: The Logon Method Enabled setting is only displayed if you are working in local mode. In enterprise mode, this setting is not displayed.

Removal Action: Controls how Universal Authentication Manager behaves when you remove your smart card. Options are:
  • No Action

  • Lock workstation (locks the workstation; you must re-authenticate to return to your session)

  • Force Logoff (automatically logs you off the workstation)

PIN Type: Specifies whether to use the card's internal preconfigured PIN or to create and store a PIN within Universal Authentication Manager's secure data store. Options are Smart Card PIN (default setting) or ESSO-UAM PIN.
PIN Minimum Length (ESSO-UAM PIN type only): The minimum allowed length for the smart card PIN. Possible values are 4-16 characters (default setting is 4 characters).
PIN Allowed Characters (ESSO-UAM PIN type only): Restricts the character type(s) you can use in your smart card PIN. Options are numeric only, alphanumeric only, or any characters (default setting).

5.2.5 Challenge Questions Settings

On the Challenge Questions tab, you may be able to view or configure the following settings:

Logon Method Enabled: Controls whether an installed authenticator is enabled or disabled. This policy setting enhances security by restricting the specific logon methods you are allowed to use. Options are Yes (default setting) and No.

Note: The Logon Method Enabled setting is only displayed if you are working in local mode. In enterprise mode, this setting is not displayed.


5.2.6 Windows Password Settings

On the Windows Password tab, you may be able to view or configure the following settings:

Logon Method Enabled: Controls whether an installed authenticator is enabled or disabled. This policy setting enhances security by restricting the specific logon methods you are allowed to use. Options are Yes (default setting) and No.

Note: The Logon Method Enabled setting is only displayed if you are working in local mode. In enterprise mode, this setting is not displayed.


5.2.7 Availability of Settings in Enterprise Mode

If Universal Authentication Manager has been deployed in enterprise mode, your administrator may choose to enforce certain settings that will be disabled in your workspace; that is, your administrator will configure those settings and you will not be able to configure them.

For example, your administrator may choose to specify and enforce that when a smart card is removed, you are automatically logged off the workstation (using the Force Logoff setting). In this scenario, the Force Logoff setting will be visible to you, but it will be disabled; you will not be able to change it.


For more information, see Selecting the Client Mode.

5.2.8 Selecting the Client Mode

When you install Universal Authentication Manager, the InstallShield Wizard asks you to choose the client mode you wish to use.

5.2.8.1 Enterprise Client Mode

If you choose the enterprise client mode, you will be accessing a network and a database that stores settings for your account. In this mode, the administrator configures Universal Authentication Manager for you and you may not be able to modify some of the settings. To update your account with changes made by your administrator, click Refresh.

5.2.8.2 Local Client Mode

If you choose the local client mode, Universal Authentication Manager will not connect to a network in order to retrieve your settings; instead, Universal Authentication Manager stores and manages your settings on your local workstation. You can configure all of the settings that are visible to you in this mode.

To configure settings, click the Settings tab in the left panel of the screen. A tab is displayed for each Universal Authentication Manager logon method installed on the workstation. Click a tab to display and configure settings for that logon method. To apply your configuration, click Apply at the bottom of the screen. To cancel your changes and return settings to their previous state, click Reset.

For more information, see Configuring Universal Authentication Manager.

5.3 Integrating with Logon Manager

Universal Authentication Manager can operate as a stand-alone application and also integrate seamlessly with Logon Manager. Depending on how your administrator has configured Universal Authentication Manager, one of the following scenarios applies:

  • If your administrator has installed and enabled one or more of the individual Universal Authentication Manager authenticators during a Universal Authentication Manager custom installation, those authenticators will appear as separate logon methods in the list of Logon Manager logon methods.

    In this scenario, if you have not already enrolled with the primary logon method chosen by your administrator, you will be prompted to enroll with the method chosen by the administrator when you log on for the first time.

  • If your administrator has chosen to install the multi-method Universal Authentication Manager authenticator instead, and has enabled at least one logon method through that authenticator, you will see a single "Universal Authentication Manager" entry in the list of Logon Manager logon methods.

    In this scenario, if you have not already enrolled any logon methods with Universal Authentication Manager, you will need to enroll with the enabled logon methods from within Universal Authentication Manager before they can be used to authenticate to Logon Manager. Until then, you will be prompted to authenticate with your Windows password.

Note:

Universal Authentication Manager authenticators must be installed before you can configure a Universal Authentication Manager logon method as the primary logon method for Logon Manager. For details on installing the necessary integration components, see the Oracle Enterprise Single Sign-On Suite Installation Guide.

5.3.1 Configuring Universal Authentication Manager as the Primary Logon Method with the First-Time Use Wizard

If you are new to Logon Manager and Universal Authentication Manager, you can configure a Universal Authentication Manager logon method as your primary Logon Manager logon method with the Logon Manager First-Time Use wizard. The First-Time Use wizard gives you the option to select a Universal Authentication Manager logon method (or any other Logon Manager logon methods that are installed) as your primary logon method. To use the first-time use wizard to set a Universal Authentication Manager logon method as your primary logon method:

  1. Click Start > Programs > Oracle > Logon Manager > Logon Manager. The First-Time Use wizard opens. Click Next on the first screen of the wizard.

    Setup Wizard Screen 1

  2. If prompted, authenticate to Logon Manager and click OK, then click Next.

  3. Select the desired Universal Authentication Manager logon method from the list of available primary logon methods, then click Next. If a method does not appear in the list, your administrator has chosen not to enable it.

    If you select one of the individual Universal Authentication Manager logon methods (shown as ESSO-UAM: logon method name in the drop-down list), only that single method will be available for authentication to Logon Manager; if you have not yet enrolled with that method, you will be prompted to enroll the first time Logon Manager requests authentication.

    If you select Universal Authentication Manager (the multi-method Universal Authentication Manager authenticator), you will be able to use any Universal Authentication Manager logon method with which you have previously enrolled. If you have not yet enrolled any logon methods with Universal Authentication Manager, you will be prompted to authenticate with your Windows password.

    Setup Wizard select primary logon method

  4. Authenticate with the logon method you used to log on to Windows (a Windows password or other logon method).

    UAM Authentication
  5. Logon Manager displays a message informing you that it is ready for use. The Universal Authentication Manager logon method you selected is now configured as your primary logon method for Logon Manager. Click Finish to complete the wizard.

    Ready to use

5.3.2 Configuring a Universal Authentication Manager Logon Method as the Primary Logon Method Using Logon Manager

To configure a Universal Authentication Manager logon method as the primary logon method for Logon Manager:

  1. Click Start > Programs > Oracle > Logon Manager > Logon Manager. The Logon Manager icon appears in the system tray. Launch Logon Manager.

  2. Select Settings, then click the Authentication tab.

    Authentication Settings

  3. In the Primary Logon Method section, click Change…. The Primary Logon Setup Wizard opens. Click Next to proceed.

  4. Enter your Windows password or authenticate to your currently enrolled logon method when prompted.

  5. From the list of available primary logon methods, select the desired Universal Authentication Manager logon method. (For an explanation of the available logon methods, and the difference between the individual logon methods vs. the multi-method Universal Authentication Manager option, see Integrating with Logon Manager.)

    Click Next.

    Select primary logon method
  6. The Universal Authentication Manager authentication dialog is displayed; enter your Windows password or authenticate with another enrolled logon method.

5.3.3 Authenticating With Universal Authentication Manager When Prompted by Logon Manager

Several Logon Manager events will trigger Universal Authentication Manager to prompt you for authentication. When this occurs, the standard Universal Authentication Manager authentication process begins. You can choose to authenticate with any logon methods that are enabled for your account. For details on Logon Manager events that will trigger Universal Authentication Manager to prompt you for authentication, see the Logon Manager User Guide.

Note:

If you have not yet enrolled any logon methods in Universal Authentication Manager and Logon Manager prompts you for authentication, one of the following scenarios applies:
  • If your administrator has configured Logon Manager to use an individual Universal Authentication Manager logon method authenticator (shown as ESSO-UAM: logon method name in the Primary Logon Method drop-down list in Logon Manager) as its primary logon method, you will be prompted to enroll with that method the first time Logon Manager prompts you to authenticate. In such case, you cannot skip enrollment; you must enroll or you will not be able to use Logon Manager.

  • If your administrator has chosen to use the multi-method Universal Authentication Manager authenticator (shown as Universal Authentication Manager in the Primary Logon Method drop-down list in Logon Manager), you will be prompted to authenticate with your Windows password.

When authentication is required, you are prompted by the Universal Authentication Manager authentication screen. This screen may vary depending upon the logon methods you have enrolled and will reflect the logon method you last used to authenticate to Universal Authentication Manager. For example, if you last authenticated to Universal Authentication Manager with your Windows password, the screen will appear as follows:

Authentication prompt select password

Enter your Windows password or use another enrolled logon method to continue with authentication. After you have authenticated, you can continue working with Logon Manager.

5.4 Logon Method Enabled

The Logon Method Enabled policy allows administrators or users to disable an installed Universal Authentication Manager authenticator.

This policy applies to all authenticators individually and each authenticator will have its own value.

  • In enterprise mode, the Logon Method Enabled policy setting is an Administrative policy only. This means that the policy will never appear in the Universal Authentication Manager settings.

  • In local client mode, the Logon Method Enabled policy setting is an end-user policy setting. You can manage the policy setting directly from the Settings tab in Universal Authentication Manager:

    Windows Password Setting panel

5.4.1 Windows Password Exception

Universal Authentication Manager automatically enables Windows Password authentication if no other logon methods are enrolled.

This is a "built-in" behavior that requires no configuration. For example, if you've disabled Windows Password via the Logon Method Enabled policy, a password will be allowed for logon, re-authentication and unlock, if you are not enrolled in at least one other method.

Note:

If you are enrolled in one or more other methods, but those methods (and password) are all disabled, you will be locked out. The Administrator will have to correct this by re-configuring the Logon Method Enabled policy in the Universal Authentication Manager Administrative Console.

5.4.1.1 Logon Method Enabled Rules

If Logon Method Enabled is set to No for a logon method:

  • The logon method is displayed in the Universal Authentication Manager Logon Methods tab with a status of DISABLED. The only action you are allowed to perform is a Delete, as long as you are enrolled using the logon method. No other enrollment actions (Enroll or Modify) are available.

  • In enterprise mode, the logon method appears in the Universal Authentication Manager Settings tab. All policy settings are disabled, and the Logon Method Enabled policy setting is not displayed.

  • In local mode, the logon method appears in the Universal Authentication Manager Settings tab. The Logon Method Enabled policy setting is enabled, and all other policy settings are disabled.

  • You are not allowed to log onto or enroll on the workstation using that logon method. If you attempt to log on with a disabled logon method, you will receive an error message.

  • You are not allowed to re-authenticate using the logon method and will not see the logon method as an authentication option. A password authentication is enabled for Logon, Unlock, and Re-authentication, if you are not enrolled in any other method.
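The rules in this section and the Windows Password exception above, modelled as an added example (this is not Universal Authentication Manager's own code; the method names, the MethodState representation and the function names are assumptions):

```python
"""Model of the Logon Method Enabled rules and the Windows Password
exception. Added illustration only; not Universal Authentication Manager
code. Method names and the MethodState representation are assumptions."""

from dataclasses import dataclass

WINDOWS_PASSWORD = "Windows Password"


@dataclass
class MethodState:
    enabled: bool = True      # Logon Method Enabled policy value (Yes/No)
    enrolled: bool = False    # whether the user holds an enrollment


def available_methods(methods):
    """Return the logon methods usable for Logon, Unlock and Re-authentication.

    methods maps a method name to its MethodState. Rules taken from the text:
      * a method whose Logon Method Enabled is No cannot be used;
      * any non-password method must also be enrolled to be usable;
      * Windows Password is always allowed when the user is enrolled in no
        other method, even if the password's own policy is set to No.
    """
    other_enrolled = any(
        s.enrolled for name, s in methods.items() if name != WINDOWS_PASSWORD
    )
    allowed = [
        name for name, s in methods.items()
        if name != WINDOWS_PASSWORD and s.enabled and s.enrolled
    ]
    # A missing password entry is treated as policy Yes (assumption).
    password = methods.get(WINDOWS_PASSWORD, MethodState())
    if password.enabled or not other_enrolled:
        allowed.append(WINDOWS_PASSWORD)
    return allowed


def allowed_actions(state):
    """Actions the Logon Methods tab offers for one method: when disabled,
    only Delete (and only if enrolled); otherwise Enroll, or Modify/Delete."""
    if not state.enabled:
        return ["Delete"] if state.enrolled else []
    return ["Modify", "Delete"] if state.enrolled else ["Enroll"]


def is_locked_out(methods):
    """True when no method is usable: the lockout the note warns about, which
    only an administrator can repair in the Administrative Console."""
    return not available_methods(methods)


if __name__ == "__main__":
    # Constructed scenario: fingerprint enrolled but disabled, password disabled.
    example = {
        WINDOWS_PASSWORD: MethodState(enabled=False),
        "Fingerprint": MethodState(enabled=False, enrolled=True),
    }
    print(available_methods(example), is_locked_out(example))
```

Running is_locked_out over each user's policy before pushing a Logon Method Enabled change is a cheap way for an administrator to catch the lockout case before it happens.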

5.4.2 Configuring Universal Authentication Manager to Lock a Workstation

Note:

Locking a workstation using Universal Authentication Manager is only supported with proximity cards and smart cards.

From the Settings page, you can configure Universal Authentication Manager to lock your workstation when you remove a token, for example, when you remove a smart card or "tap out" a proximity card (that is, when you tap the proximity card on the card reader long enough for it to be detected). If you set the Removal Action setting to "Lock Workstation" (which is the default setting), the workstation will lock when you perform a removal action.

A change to the Removal Action will not take effect until the subsequent removal. For example, if you log on to Windows with a token, launch Universal Authentication Manager, and change the removal action for that token from Lock Workstation to Force Logoff, your workstation will still lock when you remove the token; the Force Logoff action will occur the following time you remove the token.

Note:

The removal action will only be activated for the same token you used to log on to the workstation. For example, if you log on using your Windows password but try to lock the workstation by "tapping out" with a proximity card, the workstation will not lock.

The removal action will not be triggered if the Universal Authentication Manager Client Application or the re-authentication dialog is open.

For more information about Removal Action and other settings, see Settings.
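A small state model of the Removal Action behaviour described above, added here as an illustration rather than taken from the product; the Session class, the "armed" bookkeeping and the token identifiers are constructed for the example:

```python
"""State model of the Removal Action behaviour for proximity and smart
cards. Added illustration only; not Universal Authentication Manager code.
The Session class and token identifiers are constructed for the example."""

from dataclasses import dataclass, field

NO_ACTION = "No Action"
LOCK_WORKSTATION = "Lock Workstation"   # default setting
FORCE_LOGOFF = "Force Logoff"
ACTIONS = (NO_ACTION, LOCK_WORKSTATION, FORCE_LOGOFF)
# Only these logon methods support a removal action.
REMOVAL_METHODS = ("Proximity Card", "Smart Card")


@dataclass
class Session:
    logon_method: str    # method used to log on to Windows, e.g. "Smart Card"
    logon_token: str     # identifier of the specific token used to log on
    # Configured Removal Action per method (defaults to Lock Workstation).
    settings: dict = field(
        default_factory=lambda: {m: LOCK_WORKSTATION for m in REMOVAL_METHODS}
    )
    # Value that applies at the next removal; a changed setting is only
    # copied here after a removal has occurred.
    armed: dict = field(init=False)

    def __post_init__(self):
        self.armed = dict(self.settings)

    def set_removal_action(self, method, action):
        """Change the setting from the Settings page; it takes effect only
        after the next removal of that token."""
        if method not in REMOVAL_METHODS or action not in ACTIONS:
            raise ValueError(f"unsupported method or action: {method}, {action}")
        self.settings[method] = action

    def remove_token(self, method, token, ui_open=False):
        """A token is removed (smart card) or tapped out (proximity card).
        Returns the action the workstation takes."""
        if method not in REMOVAL_METHODS:
            return NO_ACTION
        # No action while the client application or re-auth dialog is open.
        # Assumption: a suppressed removal does not roll the pending setting forward.
        if ui_open:
            return NO_ACTION
        # Only the same token that was used to log on triggers the action.
        if method != self.logon_method or token != self.logon_token:
            return NO_ACTION
        action = self.armed[method]
        self.armed[method] = self.settings[method]   # new setting applies next time
        return action


if __name__ == "__main__":
    # Constructed walk-through of the example in the text above.
    s = Session(logon_method="Smart Card", logon_token="card-A")
    s.set_removal_action("Smart Card", FORCE_LOGOFF)
    print(s.remove_token("Smart Card", "card-A"))   # still the old setting
    print(s.remove_token("Smart Card", "card-A"))   # new setting now applies
```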

5.5 Using Universal Authentication Manager

To start Universal Authentication Manager:

  1. Click Start, then Programs.

  2. Point to Oracle, then Universal Authentication Manager.

  3. Click Universal Authentication Manager.

Universal Authentication Manager opens.

Logon Methods panel

The Logon Methods panel displays the installed logon methods (authenticators) available to you, and allows you to enroll a logon method, as well as modify and delete existing enrollments. For faster access, the Enroll, Modify, and Delete controls are also available in a context menu accessible by right-clicking the desired logon method in the list. From this panel you can also do the following:

Your administrator has made available one or more of the following logon methods:

The controls on this panel are:

  • Enroll: Enrolls a new credential. When you click Enroll, a drop-down list of available logon methods appears; from this menu, select the logon method you wish to use.

  • Modify: Modifies the selected enrollment. For some enrollment methods, you can modify properties of your credential. For example, if you are authenticating with a proximity card that has an associated PIN code, click Modify to change your PIN.

  • Delete: Deletes an enrolled credential. If you do not have permission to delete the enrolled credential, you will receive an error message stating so.

  • Refresh: Synchronizes with the Universal Authentication Manager repository and updates any policy settings that were changed by your administrator (in enterprise client mode).

5.5.1 Shortcut Keys

You can accomplish tasks and access features in Universal Authentication Manager more quickly using the following keyboard shortcuts:

  • To view logon methods: (Alt + L).

  • To view settings: (Alt + S).

  • To enroll credentials: (Alt + E).

  • To modify credentials: (Alt + M).

  • To delete credentials: (Alt + D).

  • To refresh policies or settings: (F5).

  • To view help: (F1).

5.5.2 Enrolling Credentials

Credentials can be enrolled manually, or you may be prompted to enroll credentials during Windows logon, or upon launching the Universal Authentication Manager Client Application. Your administrator may also set a grace period for required enrollment.

Click one of the links below to see instructions for enrolling your selected logon method:

5.5.2.1 Ways to Enroll

Enrollment can occur in one of the following ways:

5.5.2.1.1 Prompted Enrollment

After Universal Authentication Manager is installed and you restart your machine, you will be prompted (by default) to enroll in one or more logon methods when you log on to Windows.

Fingerprint step 1

If multiple logon methods are installed, you will be consecutively prompted to enroll each logon method. You may choose one of the following options when prompted (depending on your configuration):

  • Enroll. Enroll in the logon method now.

  • Not Now. Skip this enrollment and ask me to enroll later.

  • Never. Exit and do not ask me to enroll again.

5.5.2.1.2 Grace Period

Your administrator may have set an enrollment grace period which allows you to defer a required enrollment for a configured number of days. If a grace period is set, the automatic enrollment screen informs you that your administrator requires you to eventually enroll this logon method before you can log on to Windows.

  • The Never option is not available.

  • If you click Not Now, a message appears stating how many days remain within the grace period.

You must enroll this logon method within the configured number of days. Once the Grace Period has ended, you will be required to enroll in this logon method before logging on to Windows.

5.5.2.1.3 Manual Enrollment

If prompted enrollment is configured as optional, or as required with a grace period, you will be prompted to enroll when you launch Universal Authentication Manager.

If you choose not to enroll a logon method when you log on to Windows, you can launch Universal Authentication Manager and manually enroll a logon method using one of the following enrollment procedures:

  • Click the Enroll button and choose a logon method from the drop-down list that appears.

    Enter your Windows password (or authenticate with a previously enrolled logon method) when prompted. You are instructed to follow enrollment steps based on the type of authenticator you are using. For example, if you are enrolling a smart card as an authenticator, you are prompted after entering your Windows password to insert the smart card into the card reader and enter the PIN. A confirmation message then informs you that your card is enrolled.

    Enroll with Challenge Questions
  • Right-click a displayed logon method and select Enroll.

    Enter your Windows password when prompted (or authenticate with a previously enrolled logon method) and follow the enrollment steps that appear. (Enrollment steps will vary depending on the type of authenticator you are using.)

    Select a logon method
  • Double-click on a logon method that is not yet enrolled. Enter your Windows password when prompted (or authenticate with a previously enrolled logon method) and follow the enrollment steps that appear. (Enrollment steps will vary depending on the type of authenticator you are using.)

5.5.3 Enrolling a Fingerprint at Windows Logon

When you log on to your workstation, you are automatically prompted to enroll installed logon methods. If one of those methods is Fingerprint, you will be prompted to enroll it.

  1. Click Enroll to enroll a fingerprint.

    Fingerprint Enrollment
  2. If your system is configured to require a PIN with the fingerprint, enter and confirm a PIN.

  3. Enroll at least one fingerprint sample. The number of fingerprint samples is configured by your administrator. Enroll by placing or swiping your preferred finger.

    Fingerprint enrollment step 1
  4. Swipe your finger on the reader again and repeat as many times as requested.

    Fingerprint enrollment step 2
  5. After all fingerprint samples have been enrolled, a message informs you that the data is processing. Wait until it completes.

  6. When enrollment is complete, a message confirms that your biometric data is enrolled. Click OK to exit and resume logging on to Windows. If other Universal Authentication Manager logon methods are installed, you may be prompted to enroll in additional methods.

    Fingerprint enrollment complete

5.5.4 Enrolling a Fingerprint When Launching Universal Authentication Manager

When you launch Universal Authentication Manager, you are automatically prompted to enroll installed logon methods (if they are not already enrolled). If one of those methods is a fingerprint, you will be prompted to enroll it.

  1. Click Enroll to enroll a fingerprint.

    Click Enroll
  2. Authenticate using a previously enrolled logon method or your Windows password.

  3. If your system is configured to require a PIN with the fingerprint, provide a PIN when prompted.

  4. Enroll at least one fingerprint sample. The number of fingerprint samples is configured by your administrator. Enroll by placing or swiping your preferred finger.

    Fingerprint step one
  5. Swipe your finger on the reader again and repeat as many times as requested.

    Fingerprint step 2
  6. After all fingerprint samples have been enrolled, a message informs you that the data is processing. Wait until it completes.

  7. When enrollment is complete, a message confirms that your biometric data is enrolled. Click OK to return to Universal Authentication Manager.

    Fingerprint enrollment complete
  8. The Enroll Status column shows a status of Enrolled.

    Fingerprint status-enrolled

5.5.5 Enrolling a Fingerprint Manually

To enroll a fingerprint manually:

  1. Launch Universal Authentication Manager.

  2. Click Enroll in the Logon Methods toolbar and select Fingerprint from the drop-down list; or right-click the highlighted Fingerprint row and select Enroll; or double-click the Fingerprint row.

  3. Authenticate with a previously enrolled logon method or your Windows password.

  4. Follow the steps to enroll your fingerprints (see detailed instructions in the previous section).

  5. A message confirms that you have successfully enrolled your fingerprints.

  6. The Enroll Status column shows a status of Enrolled.

5.5.6 Enrolling a Proximity Card at Windows Logon

When you log on to your workstation, you are automatically prompted to enroll installed logon methods. If one of those methods is a proximity card, you will be prompted to enroll it.

  1. Click Enroll to enroll a proximity card.

    Proximity card enrollment
  2. Hold your card near the reader until Universal Authentication Manager detects it.

    Hold card near reader
  3. Enter a meaningful description for the proximity card and click OK.

  4. If your system is configured to require a PIN with a proximity card, enter and confirm a PIN, then click OK.

    PIN required
  5. When enrollment is complete, a message confirms that your card is enrolled. Click OK to exit and resume logon to Windows. If other logon methods are installed, you may be prompted to enroll in additional methods.

    Proximity card enrollment completed

5.5.7 Enrolling a Proximity Card when Launching Universal Authentication Manager

When you launch Universal Authentication Manager, you are automatically prompted to enroll installed logon methods. If one of those methods is a proximity card, you will be prompted to enroll it.

Proximity card enrollment
  1. Click Enroll to enroll a proximity card. You are prompted to authenticate to continue. You can authenticate through any of the available authentication methods.

  2. Hold your card near the reader until Universal Authentication Manager detects it.

    Hold card near reader
  3. If your system is configured to require a PIN with a proximity card, enter and confirm a PIN, then click OK.

    PIN required
  4. A message confirms that you have successfully enrolled your card. Click OK to return to Universal Authentication Manager.

    Proximity card enrollment completed
  5. The Enroll Status column shows a status of Enrolled.

    Proximity card enrolled status

5.5.8 Enrolling a Proximity Card Manually

To enroll a proximity card manually:

  1. Launch Universal Authentication Manager.

  2. Click Enroll in the Logon Methods toolbar and select Proximity Card from the drop-down list; or right-click in the highlighted proximity card row and select Enroll; or double click in the proximity card row.

  3. Authenticate with a previously enrolled logon method or your Windows password.

  4. Hold your card near the reader until Universal Authentication Manager detects it.

  5. If your system is configured to require a PIN with a proximity card, enter and confirm a PIN (see detailed instructions in the previous section).

  6. A message confirms that you have successfully enrolled your card. Click OK to return to Universal Authentication Manager.

  7. The Enroll Status column shows a status of Enrolled.

    Note:

    It is best not to leave a proximity card resting on the card reader after using it to log on to, log off from, or lock a workstation. If you leave a proximity card on the reader, you may need to tap the card on the reader twice in order to log on to or unlock the workstation.

5.5.9 Enrolling a Smart Card at Windows Logon

When you log on to your workstation, you are automatically prompted to enroll installed logon methods. If one of those methods is a smart card, you will be prompted to enroll it.

  1. Click Enroll to enroll a smart card.

    Enroll smart card
  2. Insert your card into the reader.

    Smart card insertion
  3. Enter a meaningful description for your smart card, then click OK.

  4. Do one of the following:

    • If the smart card logon method is configured to use the card's own PIN, enter the PIN and click OK.

      Enter smart card PIN
    • If the smart card logon method is configured to use the Universal Authentication Manager PIN, enter and confirm a PIN of your choice, then click OK.

    For more information, see Smart Card Settings.

  5. A message informs you that your card is being enrolled. When enrollment is complete, a message confirms that your card is enrolled. Click OK to exit and resume logon to Windows. If other Universal Authentication Manager logon methods are installed, you may be prompted to enroll in additional methods.

    Smart card enrollment completed

5.5.10 Enrolling a Smart Card when Launching Universal Authentication Manager

When you launch Universal Authentication Manager, you are automatically prompted to enroll installed logon methods (if they are not already enrolled). If one of those methods is a smart card, you will be prompted to enroll it.

  1. Click Enroll to enroll a smart card.

    Enroll smart card
  2. Authenticate using a previously enrolled logon method or your Windows password.

    Authenticate using previous method
  3. Insert your card into the reader.

    Smart card insertion
  4. Do one of the following:

    • If the smart card logon method is configured to use the card's own PIN, enter the PIN and click OK.

      Enter smart card PIN
    • If the smart card logon method is configured to use the Universal Authentication Manager PIN, enter and confirm a PIN of your choice, then click OK.

      For more information, see Smart Card Settings.

  5. A message informs you that your card is being enrolled. When enrollment is complete, a message confirms that your card is enrolled. Click OK to return to Universal Authentication Manager.

    Smart card enrollment completed
  6. The Enroll Status column shows a status of Enrolled.

    Smart card enrolled status

5.5.11 Enrolling a Smart Card Manually

To enroll a smart card manually:

  1. Launch Universal Authentication Manager.

  2. Insert the card in the card reader.

  3. Click Enroll in the Logon Methods toolbar and select Smart Card from the drop-down list; or right-click in the highlighted smart card row and select Enroll; or double click in the smart card row.

  4. Authenticate with a previously enrolled method or your Windows password.

  5. Enter the PIN associated with the card (see detailed instructions in the previous section).

  6. Click OK to return to Universal Authentication Manager. A message confirms that you have successfully enrolled your card.

  7. The Enroll Status column shows a status of Enrolled.

5.5.12 Enrolling Challenge Questions at Windows Logon

When you log on to your workstation, you are automatically prompted to enroll installed logon methods. If one of those methods is a challenge questions quiz, you will be prompted to enroll it.

  1. Click Enroll to begin the enrollment process.

    Challenge Question enrollment
  2. Select the challenge questions you want to enroll, then enter and confirm your answers. If your entries do not match, the mismatch is indicated in red; re-enter each incorrect answer and its confirmation to correct the mismatch. When you have selected and answered enough questions to satisfy the weight requirements configured by the administrator, the progress bar at the top of the window shows 100%. At this point you can select additional questions to fall back on in case you forget the answers to your main questions. When you have selected and answered all of the desired questions, click Finish.

    Challenge Question progress
  3. When enrollment is complete, a message confirms that the Challenge Questions method is now enrolled. Click OK to dismiss the dialog.

    Challenge Question enrollment completed
  4. If other Universal Authentication Manager logon methods are installed, you may be prompted to enroll in additional methods.

5.5.13 Enrolling Challenge Questions when Launching Universal Authentication Manager

When you launch Universal Authentication Manager, you are automatically prompted to enroll installed logon methods (if they are not already enrolled). If one of those methods is the challenge questions quiz, you will be prompted to enroll it.

  1. Click Enroll to begin the enrollment process.

    Challenge Question enrollment
  2. When prompted, authenticate to Universal Authentication Manager and click OK to proceed. You can authenticate through any of the available authentication methods (in the screen sample, for example, you can choose to authenticate with either a Windows password or a proximity card).

  3. Select the challenge questions you want to enroll, then enter and confirm your answers. If your entries do not match, the mismatch is indicated in red; re-enter each incorrect answer and its confirmation to correct the mismatch. When you have selected and answered enough questions to satisfy the weight requirements configured by the administrator, the progress bar at the top of the window shows 100%. At this point you can select additional questions to fall back on in case you forget the answers to your main questions. When you have selected and answered all of the desired questions, click Finish.

    Challenge Question progress
  4. When enrollment is complete, a message confirms that the Challenge Questions method is now enrolled. Click OK to dismiss the dialog.

    Challenge Question enrollment completed
  5. The Enroll Status column shows a status of Enrolled.

    Challenge Questions enrolled status

5.5.14 Enrolling Challenge Questions Manually

To enroll challenge questions manually:

  1. Launch Universal Authentication Manager.

  2. Double-click the Challenge Questions method.

  3. (Optional) If the Challenge Questions method's status is Enrolled and you want to replace the current enrollment with a new one, click Re-Enroll in the dialog that appears and proceed to the next step.

  4. Authenticate with a previously enrolled logon method or your Windows password.

  5. In the enrollment capture dialog that appears, select the challenge questions you want to enroll, then enter and confirm your answers. If your entries do not match, the mismatch is indicated in red; re-enter each incorrect answer and its confirmation to correct the mismatch. When you have selected and answered enough questions to satisfy the weight requirements configured by the administrator, the progress bar at the top of the window shows 100%. At this point you can select additional questions to fall back on in case you forget the answers to your main questions. When you have selected and answered all of the desired questions, click Finish.

  6. When enrollment is complete, a message confirms that the Challenge Questions method is now enrolled. Click OK to dismiss the dialog.

  7. The method's status changes to Enrolled.

5.6 Managing Enrolled Credentials

Universal Authentication Manager provides you with great flexibility and control over your credentials. The following sections describe how to view, modify, re-enroll, and delete enrolled credentials, and how to change your Universal Authentication Manager PIN.

5.6.1 Viewing Properties of Enrolled Credentials

To view properties of enrolled credentials:

  1. From the Logon Methods tab, select the enrolled credential for which you wish to view properties.

  2. Click Modify in the toolbar at the top of the screen, or right-click in the row for the card and select Modify from the pop-up menu. The dialog box that opens displays the logon method, card type, enrollment date, and card description (if any).

5.6.2 Viewing Status of Enrolled Credentials

Click Logon Methods to view available logon methods. The second column in the row for each method indicates the status of user enrollment for that method. Possible values are:

  • Enrolled. You have successfully enrolled credentials for the logon method.

  • Optional. You may enroll credentials for the logon method, but it is not required.

  • Required. You are required to enroll credentials for the logon method.

  • Not available. The detected card is already enrolled by a different user. This applies only to smart cards and proximity cards.

  • Disabled. The logon method is installed, but disabled.

5.6.3 Viewing and Modifying Enrolled Credentials

To modify credentials:

  1. Select the logon method you wish to modify.

  2. Click Modify to view or modify credentials.

    • For smart cards, you can view the card's properties.

    • For proximity cards, you can view the card's properties and change your PIN.

    • For fingerprint, you can view your enrollment date and re-enroll. Your existing credentials will be replaced.

    • For challenge questions, you can view your enrollment date and re-enroll. Your existing credentials will be replaced.

5.6.4 Enrolling Additional Cards

When a smart card or proximity card is detected, Universal Authentication Manager displays a single row of information, including a status of either Optional or Required. When you enroll the first card or token, the enrolled credential activates the existing row and displays a status of Enrolled.

If you have enrolled at least one card, and want to enroll an additional one, click the Enroll button and choose either Proximity Card or Smart Card from the drop-down list that appears. Universal Authentication Manager displays a message stating that you have already enrolled one card and asks you to confirm that you want to enroll another one.

Click OK to continue with enrollment or click Cancel to cancel enrollment. If you click OK, follow the on-screen instructions to enroll an additional card. You will be asked to tap or insert your card to begin enrollment and then asked to enter your PIN. When the card has been enrolled, Universal Authentication Manager displays a message confirming successful enrollment.

The Enroll Status column now shows two rows of card credentials, each with a status of Enrolled.

5.6.5 Re-Enrolling Credentials

When the Fingerprint or Challenge Questions logon method is enrolled, Universal Authentication Manager displays a single row of information, including a status of either Optional or Required. When you enroll the first fingerprint samples, the enrolled credential will activate the existing row and display a status of Enrolled.

You cannot enroll additional credentials, but you can replace your existing ones by re-enrolling. If you have enrolled at least one fingerprint sample, and want to re-enroll, highlight the logon method and click Modify.

Select Re-enroll to re-enroll your credentials and follow the on-screen instructions to re-enroll. When re-enrollment is complete, Universal Authentication Manager displays a confirmation message.

5.6.6 Deleting Credentials

To delete credentials:

Note:

If you are required to enroll a credential for a logon method, you will not be able to delete that logon method.

  1. Select the row showing the credential you wish to delete.

  2. Click the Delete button in the toolbar at the top of the screen; or right-click the row and select Delete from the drop-down menu.

  3. When prompted to authenticate, authenticate with an enrolled method to complete the deletion. A message notifies you when the deletion has been completed.

Note:

If you delete the set of credentials that you used to log on for a session (that is, you delete your credentials for a particular logon method), the removal action that was set for the credential is still enforced when you remove or "tap out" your card, even though the credential has been deleted. For more information on removal actions, see Configuring Universal Authentication Manager to Lock a Workstation.

5.6.7 Changing Your Universal Authentication Manager PIN

If your Universal Authentication Manager fingerprint, smart card, or proximity card is enrolled with an associated Universal Authentication Manager PIN and you wish to change the PIN:

Note:

When using a smart card, the card's own PIN cannot be changed. Only a Universal Authentication Manager PIN associated with the smart card can be changed. For more information, see Configuring Universal Authentication Manager.

To change the Universal Authentication Manager PIN for a fingerprint enrollment, follow the steps in Re-Enrolling Credentials.

  1. Select the desired logon method.

  2. Click Modify in the toolbar at the top of the window.

  3. In the properties dialog that appears, click Change….

  4. Insert your card into the reader or tap it on the reader, or authenticate with an enrolled logon method to proceed.

  5. Enter the current PIN.

  6. When prompted, enter and confirm a new PIN.

    Enter proximity card PIN
  7. A message confirms that you have successfully changed your PIN.

5.7 Authenticating

Universal Authentication Manager allows you to quickly and securely log on and re-authenticate to Windows with any authentication device, such as an RFID badge or non-Windows smart card. The following sections describe the available actions.

5.7.1 Logging On to Windows 7 with Universal Authentication Manager

When Universal Authentication Manager is installed on your system, the Windows 7 logon screen displays the available users and Universal Authentication Manager logon methods.

To log on with a Smart Card or a proximity card, select the appropriate logon method tile.

Windows 7 logon screen

To log on with a Windows password, or with the Fingerprint or Challenge Questions logon method, select the desired user (provided that user has previously enrolled those logon methods) or click Other user and enter the desired user name; then select the desired logon method from the drop-down list and click the Submit ("right-arrow") button.

The available logon methods will depend upon what your administrator has installed. This logon dialog always defaults to the last used logon method; for example, if Fingerprint is used to log on, it will be preselected at next logon.

Upon initial logon to Universal Authentication Manager, use your Windows Password (if this is an option). You can then launch the Universal Authentication Manager client and enroll credentials. Once enrolled, you can use an enrolled credential (for example, a smart card or fingerprint) to log on to Windows or to unlock your workstation in place of a Windows password.

Note:

If necessary (for example, if your card is lost or damaged), you can always fall back on using your Windows password or the Challenge Questions quiz for logon (if enabled).

Universal Authentication Manager extends your system's normal Windows logon behavior. Microsoft Windows includes numerous security policies and settings that affect the Windows logon and unlock process; Universal Authentication Manager conforms with these policies. For example, if your password reaches the maximum password age, Universal Authentication Manager will still require you to change your password before you can log on.

5.7.1.1 Logging On with Your Fingerprint

The Fingerprint logon method must be manually selected from the logon dialog.

For example, to log on to or unlock Windows with an enrolled fingerprint:

  1. At the logon screen, select or enter a user name (and domain, if required).

  2. Select the Fingerprint logon method from the drop-down list.

  3. Click the submit (right-arrow) button.

  4. If you have enrolled a PIN, Universal Authentication Manager prompts you to enter it.

  5. Universal Authentication Manager prompts you to present your fingerprint sample (for example, place or slide your finger on your reader).

  6. Universal Authentication Manager validates the fingerprint sample and logs you on to Windows.

You can cancel this process at any time and return to the logon screen by clicking Cancel.

You may have to retry logon or unlock if:

  • You enter an invalid PIN. In this case, try entering your PIN again, or click Cancel to return to the logon screen.

  • The biometric sample you try to use for logon is not enrolled as a Universal Authentication Manager logon method. If this happens, authentication will fail. You may try again or choose a different logon method.

5.7.1.2 Logging On with a Smart Card or Proximity Card

Unlike the Fingerprint and Challenge Questions logon methods, Smart Card and Proximity Card logons are event-driven by token insertion and removal.

Note:

If your smart card or proximity card has already been inserted or registered by the reader, its respective icon appears in the logon screen; click the icon to log on with the card.

For example, to log on to or unlock Windows with an enrolled smart card or proximity card:

  1. At the logon screen, insert or tap an enrolled card on the card reader. Universal Authentication Manager locates and validates the enrolled card and identifies you. If no PIN is required with your card, you are logged on to Windows.

  2. If you click the smart card or proximity card icon, Universal Authentication Manager prompts you to tap or insert your card. (For proximity cards, hold your card near the reader until Universal Authentication Manager detects it.)

  3. If a PIN is required with your card, enter your PIN when prompted. Universal Authentication Manager validates the PIN and logs you on to Windows.

You can cancel this process at any time and return to the logon dialog by clicking Cancel.

You may have to retry logon or unlock if:

  • You enter an invalid PIN. In this case, try entering your PIN again, or click Cancel to return to the logon screen.

  • The card you try to use for logon is not enrolled as a Universal Authentication Manager logon method. If the card is not detected, nothing will occur. If the card is detected but is not enrolled, you will see an error message.

5.7.1.3 Logging On with Challenge Questions

The Challenge Questions logon method must be manually selected from the logon dialog.

For example, to log on to or unlock Windows with Challenge Questions:

  1. At the logon screen, select or enter a user name (and domain, if required).

  2. Select the Challenge Questions logon method from the drop-down list.

  3. Click the submit (right-arrow) button.

  4. In the dialog that appears, read the challenge question and enter your answer, then click Next. If you don't know the answer to the question and have enrolled extra questions to fall back on, click Skip.

    (If you have not enrolled extra questions, skipping a required question will result in a failed logon since you will not be able to satisfy the weight requirement set by the administrator.)

    When you have correctly answered enough questions to complete the logon, Universal Authentication Manager logs you on to Windows.

5.7.1.4 Logging On with the Windows Password

If working in Enterprise Client Mode, your Administrator may disable use of the Windows Password logon method through the Logon Method Enabled Rules. If the Windows Password logon method is disabled, you will be able to continue using it until you enroll in at least one other logon method. Once you are enrolled in another logon method, you will no longer be able to log on with a Windows password.

5.7.2 Logging On to Windows 8/8.1 with Universal Authentication Manager

When Universal Authentication Manager is installed on your system, the Windows 8/8.1 logon screen displays the available users:

Select a user to log on as that user with the associated Windows password, or click the Sign in options link to expose the available Universal Authentication Manager logon methods. The available logon methods will depend upon what your administrator has installed.

Upon initial logon to Universal Authentication Manager, use your Windows Password (if this is an option). You can then launch the Universal Authentication Manager client and enroll credentials. Once enrolled, you can use an enrolled credential (for example, a smart card or fingerprint) to log on to Windows or to unlock your workstation in place of a Windows password.

Note:

If necessary (for example, if your card is lost or damaged), you can always fall back on using your Windows password or the Challenge Questions quiz for logon (if enabled).

Universal Authentication Manager extends your system's normal Windows logon behavior. Microsoft Windows includes numerous security policies and settings that affect the Windows logon and unlock process; Universal Authentication Manager conforms with these policies. For example, if your password reaches the maximum password age, Universal Authentication Manager will still require you to change your password before you can log on.

5.7.2.1 Logging On with Your Fingerprint

The Fingerprint logon method must be manually selected from the logon dialog.

For example, to log on to or unlock Windows with an enrolled fingerprint:

  1. At the logon screen, select or enter a user name (and domain, if required).

  2. Click Sign-in options and select Fingerprint logon method.

  3. Click the submit (right-arrow) button.

  4. If you have enrolled a PIN, Universal Authentication Manager prompts you to enter it.

  5. Universal Authentication Manager prompts you to present your fingerprint sample (for example, place or slide your finger on your reader).

  6. Universal Authentication Manager validates the fingerprint sample and logs you on to Windows.

You can cancel this process at any time and return to the logon screen by clicking Cancel.

You may have to retry logon or unlock if:

  • You enter an invalid PIN. In this case, try entering your PIN again, or click Cancel to return to the logon screen.

  • The biometric sample you try to use for logon is not enrolled as a Universal Authentication Manager logon method. If this happens, authentication will fail. You may try again or choose a different logon method.

5.7.2.2 Logging On with a Smart Card or Proximity Card

Unlike the Fingerprint and Challenge Questions logon methods, Smart Card and Proximity Card logons are event-driven by token insertion and removal.

Note:

If your smart card or proximity card has already been inserted or registered by the reader, its respective icon appears when you click Sign in options in the logon screen after selecting the desired user. Simply select the icon and click the Submit ("right-arrow") button to log on with the card.

For example, to log on to or unlock Windows with an enrolled smart card or proximity card:

  1. At the logon screen, insert or tap an enrolled card on the card reader. Universal Authentication Manager locates and validates the enrolled card and identifies you. If no PIN is required with your card, you are logged on to Windows.

  2. If you click Sign-in options and select the smart card or proximity card icon, Universal Authentication Manager prompts you to tap or insert your card. (For proximity cards, hold your card near the reader until Universal Authentication Manager detects it.)

  3. If a PIN is required with your card, enter your PIN when prompted. Universal Authentication Manager validates the PIN and logs you on to Windows.

You can cancel this process at any time and return to the logon dialog by clicking Cancel.

You may have to retry logon or unlock if:

  • You enter an invalid PIN. In this case, try entering your PIN again, or click Cancel to return to the logon screen.

  • The card you try to use for logon is not enrolled as a Universal Authentication Manager logon method. If the card is not detected, nothing will occur. If the card is detected but is not enrolled, you will see an error message.

5.7.2.3 Logging On with Challenge Questions

The Challenge Questions logon method must be manually selected from the logon dialog.

For example, to log on to or unlock Windows with Challenge Questions:

  1. At the logon screen, select or enter a user name (and domain, if required).

  2. Click Sign-in options and select the Challenge Questions logon method.

  3. Click the submit (right-arrow) button.

  4. In the dialog that appears, read the challenge question and provide your answer, then click Next. If you don't know the answer to the question and have enrolled extra questions to fall back on, click Skip. (If you have not enrolled extra questions, skipping a required question will result in a failed logon since you will not be able to satisfy the weight requirement set by the administrator.) When you have correctly answered enough questions to complete the logon, Universal Authentication Manager logs you on to Windows.

5.7.2.4 Logging On with the Windows Password

If working in Enterprise Client Mode, your Administrator may disable use of the Windows Password logon method through the Logon Method Enabled Rules. If the Windows Password logon method is disabled, you will be able to continue using it until you enroll in at least one other logon method. Once you are enrolled in another logon method, you will no longer be able to log on with a Windows password.

5.7.3 Re-Authenticating to Universal Authentication Manager

The Universal Authentication Manager re-authentication dialog box provides the ability to authenticate to Windows within the currently active user session via available logon methods. You can select your logon method from the horizontal bar of icons, which from left to right represent: Fingerprint, Proximity Card, Smart Card, Challenge Questions, and Windows Password.

Each icon presents different controls in the dialog. For example, selecting the password icon shows a password field, while selecting the smart card icon hides the password field and prompts you to insert a smart card.

Insertion of smart card and proximity card tokens triggers authentication immediately. However, if no cards are inserted, selecting the button for the appropriate logon method prompts you to insert a card or tap a token.

The reauthentication dialog box:

  • Filters out logon methods that are not installed, not registered, not enrolled, or that are disabled by the Logon Method Enabled policy.

  • Defaults to the last used logon method, so if Fingerprint is used to log on, it will be pre-selected at next logon.

The Always use this method to authenticate check box is selected by default. This means that future authentications default to the selected logon method, and you will not see the Authenticate dialog box unless it is necessary.

If you deselect the checkbox and click OK, the re-authentication dialog box is always displayed, and the previously-used method is selected by default. This is useful for users who often switch between different logon methods.