By design, picture-based authentication bypasses the most commonly used methods for hacking into secured networks. For example, phishing, dictionary, and brute-force attacks all rely on stealing text-based credentials. SafeLogin is an easy, cost-effective multifactor authentication solution that adds an extra layer of security at the click of a button. As an entirely software-based solution, SafeLogin effortlessly scales with your needs and becomes instantly available across the entire organization upon activation.
When SafeLogin is used as the authentication method, the dynamic positioning of images prevents an attacker from recording the pattern by over-the-shoulder inspection. SafeLogin works as a second authentication factor and only works with Active Directory.
To enable SafeLogin for users, administrators must configure the SafeLogin parameters and attributes in TAC.
In the TAC Management Console, go to SafeLogin under the Configuration menu.
This opens the SafeLogin settings window.
In SafeLogin, you can create your own custom keypad with your images, or you can select one of the available keypads from the list. In the keypad section, select the keypad layout from the list of available keypads.
In the policy section, define the SafeLogin password policies. To enable the password policy, select the “Enable SafeLogin password policy” checkbox. Configure the minimum and maximum password length in the respective fields. Select how many times an image may repeat in the “maximum password image repeat” field. It is recommended to keep a lower value to create complex passwords.
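The effect of these policy values on the set of permitted passwords can be checked offline. The following is an added example, not TAC or SafeLogin code; it assumes a keypad of 12 images, integer image ids, and that the image-repeat setting caps how many times one image may appear in a password.

```python
"""Model of a SafeLogin-style image password policy (added example).

Assumptions, not taken from the product: image ids are integers, the keypad
has 12 images, and "maximum password image repeat" caps how many times a
single image may appear anywhere in one password.
"""
from collections import Counter
from math import comb

KEYPAD_IMAGES = 12  # assumed keypad size


def check_policy(seq, min_len, max_len, max_repeat):
    """Return the policy rules a sequence of image ids violates."""
    problems = []
    if not min_len <= len(seq) <= max_len:
        problems.append("length")
    if seq and max(Counter(seq).values()) > max_repeat:
        problems.append("repeat")
    return problems


def count_allowed(images, length, max_repeat):
    """Count ordered sequences of `length` images in which no image
    occurs more than `max_repeat` times."""
    # ways[n]: ways to fill n positions using the images handled so far
    ways = [1] + [0] * length
    for _ in range(images):
        nxt = [0] * (length + 1)
        for used, w in enumerate(ways):
            free = length - used
            for k in range(min(max_repeat, free) + 1):
                # this image takes k of the still-free positions
                nxt[used + k] += w * comb(free, k)
        ways = nxt
    return ways[length]


def policy_space(images, min_len, max_len, max_repeat):
    """Total passwords the policy permits across all allowed lengths."""
    return sum(count_allowed(images, n, max_repeat)
               for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    for cap in (1, 2, 6):
        print(cap, count_allowed(KEYPAD_IMAGES, 6, cap))
    print(check_policy([3, 3, 3, 3, 3, 3], 4, 8, 2))  # constructed sample
```

With the assumed 12-image keypad and 6-image passwords, a repeat cap of 2 still permits 2,645,280 of the 2,985,984 unrestricted sequences while rejecting low-variety choices such as one image selected six times.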
Under email configuration, you can configure an email notification to send the password reset link to clients. TAC requires the following information to configure email notification:
- Active Directory user’s email attribute name: Enter the name of the attribute that holds the user’s email address in Active Directory. The default is “mail”.
- Message subject: Enter message subject line (example: Password Reset).
- Message template: This is the message template used to send the password reset link.
- From (email): This is the email address of the person or group sending the email.
Next, configure SMTP parameters to send and receive emails.
Click OK to complete the SafeLogin settings.
After you configure the SafeLogin settings, you must add SafeLogin as an authentication server. SafeLogin currently works in combination with the default Active Directory authentication.
To add SafeLogin to the authentication list, do the following:
1. Go to Configuration menu in TAC Configuration Manager and select Authentication and
2. In the Authentication and Authorization Servers window, click Add.
3. In the Configure Authentication and Authorization Servers window, select SafeLogin as the type under general section.
4. In the Name field enter a friendly name.
5. Under Configuration section, select the keypad background and button set designs from the dropdown lists.
Note: If you have created a custom keypad, you can select it here by the name you provided. Creating a custom keypad is covered in the next section.
SafeLogin allows users to reset their passwords themselves. Select the “Enable password reset by user” option. When you enable this option, SafeLogin will send a password reset link to the customer using the email template you configured in the SafeLogin Settings window. To send the email, SafeLogin needs the user’s email address. If it is stored in the Active Directory user profile, select the “Use Active Directory to find user’s email” checkbox. SafeLogin will then look up the respective user’s email address in Active Directory to send the password reset link. See the SafeLogin password reset windows below.
The Administrator can reset the user’s password through the Users and Device Management console. See more about SafeLogin password reset in section 8.6 - Resetting SafeLogin password under Users and Device Management.
6. Click Verify to verify the configuration.
7. Click OK.
Note: If you make any changes to the keypad design, those changes will take effect for new SafeLogin passwords only.
This adds SafeLogin to the Authentication and Authorization Servers list.
After you add SafeLogin as the second authentication method for a site, users will be prompted to set up a SafeLogin password the first time, and you can set up your own image-based password.