Email Authentication for Remote Access
When you require two-factor authentication to log in, but your user is a vendor, or is unable to use a device or hard token in their workplace, Imprivata Enterprise Access Management for MFA (formerly Imprivata Confirm ID) can send them an email with a one-time code to use as the second factor. No enrollment or setup is required from the user.
About Email Authentication
In a typical Imprivata two-factor authentication workflow for Remote Access, the user enters a password, then completes a second factor via Imprivata ID, SMS code, or OTP token. When the user is a vendor, or is unable to use a device or hard token in their workplace, you can enter an email address in their Imprivata User Details. Imprivata Enterprise Access Management then sends them an email with a one-time code for the second factor.
Email authentication:
- is allowed as a second factor for Remote Access Log In authentication only;
- is not offered to every user who logs in remotely: it is offered only to a user for whom the Imprivata Enterprise Access Management administrator has added an email address on the Edit User page (see below);
- generates codes with a five-minute validity period. This period is fixed and cannot be adjusted by the Imprivata Enterprise Access Management administrator;
- generates codes that are one-time-use only;
- does not itself expire: a user can authenticate with email as many times as needed, indefinitely;
- is configurable only by the Imprivata Enterprise Access Management administrator. The user cannot enable it or self-select an email address.
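To make the code properties above concrete (fixed five-minute validity, single use), here is an added illustrative Python example. It is not Imprivata's code and does not describe the product's internals; it shows how a server-side store can enforce those two properties, keep only a salted hash of the issued code, compare in constant time, and retire a code after a few wrong guesses. The code length (6 digits), the wrong-guess budget (3), the hash construction and the names `EmailCodeStore`, `PendingCode` and `ManualClock` are assumptions for the example; the page states none of them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Fixed five-minute validity window, as the page describes for emailed codes.
CODE_VALIDITY_SECONDS = 5 * 60
# Assumptions not stated on the page: code length and the wrong-guess budget.
CODE_DIGITS = 6
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    """Server-side record of an issued code. Only a salted hash is kept."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class EmailCodeStore:
    """Issues and verifies one-time email codes (illustrative, not Imprivata's implementation)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> PendingCode

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code for the user, superseding any earlier unused one.

        Returns the plaintext code for the caller to email. The store keeps only
        the salted hash, so a leaked store does not reveal live codes.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingCode(
            salt=salt,
            digest=self._digest(code, salt),
            expires_at=self._clock() + CODE_VALIDITY_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Check a submitted code.

        The record is deleted on success, on expiry, or once the wrong-guess
        budget is spent, so a code can never be accepted twice.
        """
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(submitted, entry.salt))
        entry.attempts_left -= 1
        if ok or entry.attempts_left <= 0:
            del self._pending[username]
        return ok

    def has_pending(self, username: str) -> bool:
        return username in self._pending


if __name__ == "__main__":
    clock = ManualClock(now=1_000.0)
    store = EmailCodeStore(clock=clock)
    code = store.issue("vendor1")  # the email to the configured address would carry this code
    print("accepted first use:", store.verify("vendor1", code))    # True
    print("accepted reuse:", store.verify("vendor1", code))        # False, one-time use
    code = store.issue("vendor1")
    clock.now += CODE_VALIDITY_SECONDS + 1
    print("accepted after 5 min:", store.verify("vendor1", code))  # False, expired
```

The two design points worth copying are that the verifier deletes the record on every terminal outcome (success, expiry, exhausted guesses) rather than marking it used, so there is no state in which a consumed code could still match, and that a fresh `issue` replaces the previous record, so at most one live code exists per user.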
Email Authentication Support
- Supported with Imprivata Confirm ID 6.3 or later for RADIUS-based authentication via your gateway's native user interface ("text mode").
- Supported with Imprivata Confirm ID 7.2 or later for the Imprivata Confirm ID graphical user interface with BIG-IP F5 and Citrix Netscaler.
Enable Mail Server
You must configure your Imprivata appliance to send email messages. If your appliance already sends email to users or administrators, no additional mail server setup is needed. See Setting the Mail Server and Standard Messages.
Enable Email Authentication for a User
- In the Imprivata Admin Console, go to Users > Users and select a user to edit.
- Go to Authentication Methods > Email and enter an email address.
- Click Save.
BEST PRACTICE: for security reasons, do not enter the user's enterprise email address. Users generally have the same password for logging in remotely and for their enterprise mailbox, so an attacker who holds that password could both start the remote login and read the emailed code: the second factor would not be independent of the first and would add no security to the workflow.
Ensure you have entered the email address correctly. Imprivata Enterprise Access Management only validates that the string is in a proper email format; it does not confirm that the mailbox exists or is reachable. There is no connection between the email address you enter here and the user's email address synchronized from Active Directory.
Workflow Policy — Log In
Add email as an authentication method, and associate the proper user policy:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- Add email authentication as a second factor to your Enterprise Access Management Remote Access Log In workflow policy. See Configuring the Enterprise Access Management MFA Workflow Policy.
- The user must be included in a user policy associated with this workflow policy. If the user is not included in a user policy yet, see Creating and Managing User Policies.
- Click Save.
Workflow Policy — Enroll Rule
If these users will be logging in remotely with password + email authentication only, they should be associated with an enrollment rule that does not prompt them to enroll Imprivata ID or SMS code:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- Review the Remote Access Log In workflows > Enroll rules section. If necessary, create a new rule and associate their user policy:
  - Click Add another rule.
  - Give the new rule a descriptive name.
  - Select Login = a different login method;
  - Select Enroll prompts = do not prompt;
  - Associate your user policy with this rule.
- Click Save.
For complete details, see Configuring the Enterprise Access Management MFA Workflow Policy.