Enterprise Access Management for MFA Authentication Methods

Enterprise Access Management for MFA (formerly Imprivata Confirm ID) supports a wide variety of authentication methods described in the sections below. Depending on federal and/or state regulations, some methods are not available for certain EMR signing workflows.

NOTE: The network passwords for Enterprise Access Management for MFA providers associated with DEA-regulated workflows must meet DEA requirements.

Two-Factor Authentication

Enterprise Access Management for MFA offers a two-factor authentication solution that strengthens IT security by requiring users to provide a second form of identification for authentication.

First Factor Second Factor
Fingerprint Authentication
One-time password (OTP) token (VASCO OTP Tokens*, Symantec VIP Credential, or External ID Tokens)
  • Any available authentication method the token has, for example, a PIN‡
  • Network password
  • Imprivata PIN
  • Imprivata ID°
Passive Proximity Cards
  • None
  • Fingerprint
  • Network password
  • Imprivata PIN
Security Questions (Q&A) None
SMS Code
  • None
  • Network password
  • Imprivata PIN
Password Authentication

* Providers who complete identity proofing via Norton Secure Login cannot e-prescribe controlled substances using a VASCO OTP token.

° The Ohio State Board of Pharmacy does not currently allow Hands-Free Authentication with Imprivata ID as an authentication method for non-EPCS workflows.

‡ Not accepted for e-prescribing controlled substances.

For the list of authentication methods that can and cannot be used for offline authentication and related details, see Offline Authentication.

For lists of authentication methods allowed for Enterprise Access Management for MFA workflows such as for EPCS, EPCS access control, and remote access login, see the Workflows Overview section of E-Prescription of Controlled Substances.

For a table of two-factor authentication methods supported for Enterprise Access Management for SSO and for links to other authentication method topics for SSO, see Enterprise Access Management SSO Authentication Methods.

Authentication Method Overviews

The following sections describe the supported authentication methods and provide links to topics with additional information.

Hands Free Authentication automatically and securely retrieves a one-time password (OTP) from the provider's device to authenticate when signing electronic prescription orders. The OTP, which is generated every 30 seconds by the Imprivata ID app, is validated over an encrypted, low-energy Bluetooth connection between the endpoint computer and the provider's device. This workflow results in minimal disruption to the clinical workflow, as the provider does not have to touch or handle the device.

For complete information, see Hands Free Authentication for Imprivata Enterprise Access Management for MFA.

Licensing Hands Free Authentication to Some or All Imprivata ID Users

Hands Free Authentication is an available licensed option for some or all of your Imprivata ID users.

In a user policy, go to the Authentication tab > Licensed options. Imprivata ID is not a licensed option per se, but the checkbox Hands Free Authentication controls whether the users in this policy can use Hands Free Authentication with their Imprivata ID:

  • User policy with Hands Free Authentication license — Hands free authentication, Push authentication, and manual entry of one time password available.
  • User policy without Hands Free Authentication license — Push authentication, and manual entry of one time password available.

Imprivata ID Push Authentication

During the Remote Access or Imprivata ID for Windows Access workflow, the user can still authenticate with the Imprivata ID app even though his mobile device is outside your enterprise network. A notification is sent to the user's device to authenticate; he can accept or reject the authentication by pressing the notification, then accepting or rejecting. The low-energy Bluetooth connection between the Imprivata ID app and the Imprivata agent is not required.

Imprivata ID with Symantec Tokens

Imprivata Enterprise Access Management for MFA supports authentication with Symantec tokens in the Imprivata ID app. For complete information, see Hands Free Authentication for Imprivata Enterprise Access Management for MFA.

The Remote Access workflow supports SMS text notifications to any iOS or Android device that accepts SMS messaging, including devices not supported by Imprivata ID. With SMS text notifications, the user receives a code on his device, and enters the code on his computer to authenticate during the Remote Access workflow.

Imprivata and Symantec have partnered to provide OTP tokens for e-prescribing controlled substances. Before Symantec VIP Credentials can be enrolled, you need to configure the connection between Imprivata and Symantec.

Symantec VIP Credentials can be managed from the Symantec VIP Credentials page.

When you first install the Imprivata agent, all users are authorized for password authentication. The default username and password are the user's current user directory credentials.

You can disallow password authentication for some or all users via user policy; however, all enabled users must have at least one authentication method. Password authentication is often used as a second factor for two-factor authentication.

There is no separate enrollment step for password authentication. All users automatically enroll the first time they log into Windows after installing the Imprivata agent.

Password Authentication for Imprivata Enterprise Access Management for MFA

Imprivata Enterprise Access Management for MFA users can always log into the Imprivata enrollment utility using their username and network password.

Password authentication for signing workflows must be enabled per each supported workflow in the workflow policy.

Imprivata fingerprint verification allows users to enter their login credentials while adding a layer of security by verifying their identity through a fingerprint scan. This is a "one-to-one" verification as Imprivata checks the fingerprint against the credentials provided by the user.

Imprivata supports passive proximity card authentication with most standard proximity cards and USB card readers from RF IDeas Inc. Proximity card authentication can be combined with password, Imprivata PIN (as an alternative to a password), or finger biometrics as second factors to provide strong two-factor authentication.

See Configuring Passive Proximity Card Authentication

Imprivata includes built-in RADIUS integration to Secure Computing’s Premier Access and Remote Access Servers and RSA's Authentication Manager for token authentication. Imprivata can provide a seamless single-step desktop login using two-factor one-time passcodes for logging in to any SSO-enabled client/server, web, or legacy application from any Imprivata-enabled desktop. ID token-enabled users authenticating to Imprivata use their domain usernames instead of their ID token system usernames (these may be the same values). In all other ways Imprivata makes no changes to the user experience.

Before users can use an ID token to authenticate, you need to configure a connection to the ID token server. See Configuring External OTP Tokens.

These are global settings for the entire Imprivata enterprise. You can override these settings locally for specific site, as detailed in Overriding an ID Token Server Connection.

Imprivata provides support for OneSpan (formerly VASCO) OTP tokens out-of-the-box. Imprivata embeds the VACMAN middleware and management components within the Imprivata appliance. There is no separate token management server to purchase or maintain.

You can manage OneSpan OTP tokens on the VASCO OTP tokens page of the Imprivata Admin Console (Devices menu > VASCO OTP tokens)

For more information, see Managing VASCO OTP Tokens

When security questions are enabled as an authentication method, users enroll security questions that they can later answer to authenticate in signing workflows. See Configuring the Enterprise Access Management Workflow Policy for complete details.

You can set different security questions with different settings for different user policies. When you create a new user policy with emergency access privileges, the new policy uses the settings in the default policy as a starting point.

See Configuring Authentication Methods in User Policies for information about configuring options for security questions.

Enabling and Configuring Authentication Methods for Imprivata Enterprise Access Management for MFA

Authentication methods for Imprivata Enterprise Access Management are enabled and configured in different locations in the Imprivata Admin Console, depending on the type of user and the authentication methods allowed.

Users

The authentication methods available for each user to enroll for Imprivata Enterprise Access Management MFA workflows are controlled by a combination of user policy and the MFA workflow policy.

  • In Workflow policy, select authentication methods for each workflow your enterprise uses in your environment. To enable your users for these workflows, associate EAM user policies with these workflows. See Configuring the Enterprise Access Management Workflow Policy.

  • In MFA user policy, select authentication methods to allow those users to enroll them and authenticate.

Enrollment Supervisors

The authentication methods allowed for witnessing and attesting to provider enrollment of authentication methods for Imprivata Enterprise Access Management are specified on the MFA enrollment supervisors page in the Imprivata Admin Console. You do not need to make any selections in user policy or the workflow policy for enrollment supervisors to use these authentication methods.