Setting up and Configuring SafeLogin

By design, picture-based authentication bypasses the most commonly used methods for hacking into secured networks. For example, phishing, dictionary, and brute-force attacks all rely on stealing text-based credentials. SafeLogin is an easy, cost-effective multifactor authentication solution that adds an extra layer of security at the click of a button. As an entirely software-based solution, SafeLogin effortlessly scales with your needs and becomes instantly available across the entire organization upon activation.

When SafeLogin is used as the authentication method, the dynamic positioning of images prevents an attacker from recording the pattern by over-the-shoulder inspection. SafeLogin works as a two-factor authentication method and works only with Active Directory.

To enable SafeLogin for users, administrators must configure the SafeLogin parameters and attributes in TAC.

In the TAC Management Console, go to SafeLogin under the Configuration menu.

This opens the SafeLogin settings window.

In SafeLogin, you can create your own custom keypad with your images, or you can select one of the available keypads from the list. In the keypad section, select the keypad layout from the list of available keypads.

In the policy section, define the SafeLogin password policies. To enable the password policy, select the “Enable SafeLogin password policy” checkbox. Configure the minimum and maximum password length in the respective fields. Select how many times an image should repeat from the “maximum password image repeat” field. It is recommended to keep a lower value to create complex passwords.
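The three policy fields above can be reasoned about offline. The following is an added example, not SafeLogin or TAC code: it checks an image sequence against a minimum length, maximum length and repeat limit, and counts how many sequences each repeat limit leaves. It assumes the repeat field caps how often one image may occur in a password; the 10-image keypad and the image names are constructed.

```python
from collections import Counter
from functools import lru_cache
from math import comb, log2


def check_password(images, min_len, max_len, max_repeat):
    """Return the policy violations for one image sequence (empty list = compliant)."""
    problems = []
    if len(images) < min_len:
        problems.append("too short")
    if len(images) > max_len:
        problems.append("too long")
    # Assumption: the repeat limit caps occurrences of any single image.
    over = sorted(img for img, n in Counter(images).items() if n > max_repeat)
    if over:
        problems.append("image repeated too often: " + ", ".join(over))
    return problems


def count_sequences(keypad_size, length, max_repeat):
    """Count ordered sequences of `length` images from a keypad of
    `keypad_size` images in which no image occurs more than `max_repeat` times."""
    @lru_cache(maxsize=None)
    def place(images_left, slots_left):
        if slots_left == 0:
            return 1          # every position is filled
        if images_left == 0:
            return 0          # positions remain but no images are left to use
        # The next image takes k of the remaining positions (k may be 0).
        return sum(comb(slots_left, k) * place(images_left - 1, slots_left - k)
                   for k in range(min(max_repeat, slots_left) + 1))
    return place(keypad_size, length)


def policy_bits(keypad_size, min_len, max_len, max_repeat):
    """Size of the allowed password space, in bits, over all permitted lengths."""
    total = sum(count_sequences(keypad_size, n, max_repeat)
                for n in range(min_len, max_len + 1))
    return log2(total)


if __name__ == "__main__":
    # Constructed sample: 10-image keypad, passwords of 4 to 8 images.
    print(check_password(["cat", "cat", "cat", "cat"], 4, 8, 2))
    for limit in (1, 2, 4):
        print(limit, count_sequences(10, 4, limit),
              round(policy_bits(10, 4, 8, limit), 1))
```

A low repeat limit rejects single-image passwords such as the first sample while removing only a small share of the possible sequences.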

Under email configuration, you can configure an email notification to send the password reset link to clients. TAC requires the following information to configure email notification:

  • Active Directory user’s email attribute name: Enter the name of the attribute that holds the user’s email address in Active Directory. The default is “mail.”
  • Message subject: Enter the message subject line (example: Password Reset).
  • Message template: This is the message template used to send the password reset link.
  • From (email): This is the email address of the person or group sending the email.

Next, configure the SMTP parameters to send and receive emails.

Click OK to complete the SafeLogin settings.

After you configure the SafeLogin settings, you will be required to add SafeLogin as an authentication server. SafeLogin currently works in combination with the default Active Directory authentication.

To add SafeLogin to the authentication list, do the following:

1.   Go to the Configuration menu in TAC Configuration Manager and select Authentication and Authorization Servers.

2.   In the Authentication and Authorization Servers window, click Add.

3.   In the Configure Authentication and Authorization Servers window, select SafeLogin as the type under the general section.

4.   In the Name field, enter a friendly name.

5.   Under the Configuration section, select the keypad background and button set designs from the dropdown lists.

Note: If you have created a custom keypad, you can select it here by the name you provided. Creating a custom keypad is covered in the next section.

SafeLogin allows users to reset their password by themselves. Select the “Enable password reset by user” option. When you enable this option, SafeLogin will send a password reset link to the customer using the email template you configured in the SafeLogin Settings window. To send the email, SafeLogin needs to get the user’s email address. If it is stored in the Active Directory user profile, select the “Use Active Directory to find user’s email” checkbox. SafeLogin will look to Active Directory to get the respective user’s email address to send the password reset link. See the SafeLogin password reset windows below.

The Administrator can reset the user’s password through the Users and Device Management console. See more about SafeLogin password reset in section 8.6 - Resetting SafeLogin password under Users and Device Management.

6.   Click Verify to verify the configuration.

7.   Click OK.

Note: If you make any changes to the keypad design, those changes will take effect for new SafeLogin passwords only.

This will add SafeLogin to the Authentication and Authorization Servers list.

After you add SafeLogin as the second authentication method for a site, users will be prompted to set up a SafeLogin password for the first time, and you can set up your own image-based password.