Face Recognition as an Authentication Method

Applies to iOS and Android devices.

Imprivata Mobile Access Management supports face recognition as an authentication method for device check out, using the integration with Imprivata Enterprise Access Management as the identity provider.

Face Recognition Authentication Methods for Device Check Out

Some combinations of authentication factors available in Imprivata Enterprise Access Management are not supported by Mobile Access Management for device Check Out.

The following table illustrates the EAM primary and secondary authentication method selections and the resulting Check Out behaviors in MAM when used with face recognition.

Primary Secondary Device Check Out Behavior
Check Out is initiated by the user taking a device out of the Smart Hub

Password

 Face recognition

  • User taps Unlock with password on the Imprivata Locker lock screen.

  • User enters username and password.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Check Out is initiated by the user tapping their proximity card on a Launchpad
Proximity Card Face recognition

  • User taps their proximity card on the Launchpad's proximity card reader.

  • The device is selected.

  • Imprivata Locker lights up the device's display screen.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Security Key or Imprivata PIN or Proximity Card Face recognition

  • User taps their proximity card on the Launchpad's proximity card reader.

  • The device is selected.

  • Imprivata Locker lights up the device's display screen.

  • Imprivata Locker app prompts for face authentication.

    • If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks.

    • If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.

Prerequisites

Take note of the following prerequisites:

Requirements

  • The Imprivata Cloud Connect service to your tenant on the Imprivata Cloud Platform must be up and running.

  • Users in a policy enabled for face recognition must be synced from Active Directory (AD) to Entra ID.

  • The cloud must be synced from AD to Entra ID with Entra Connect.

  • Each user in scope for the facial recognition workflow must exist within Entra ID and each user must also be allocated a P1 or higher Microsoft license.

  • Internet access is required for facial biometric authentication.

    If the device cannot connect with your Imprivata Cloud Platform, an error message will appear during authentication. In this scenario, the user can select another authentication method (password / Imprivata PIN, etc) to complete the authentication.

  • Imprivata Licensing: Face recognition authentication requires an Authentication Management license and a Confirm ID for Remote Access license.

  • Imprivata Locker app requirements:

    • iOSImprivata Locker for iOS 4.0 or later.

    • AndroidImprivata Locker for Android 2.0 or later.

    • The user must grant access to the device's camera to use face recognition.

Additional Resources

For more information, see the Imprivata Enterprise Access Management online help.

Before You Begin

Face recognition authentication for MAM requires:

  1. The Imprivata appliances in your Imprivata enterprise must be running Imprivata Enterprise Access Management 25.2 or later.

    For more information on upgrading your Imprivata appliances, see the Imprivata Upgrade portal.

  2. Complete the connection between your Imprivata enterprise and your tenant on the Imprivata Control Center. See Secure Connection to Imprivata Cloud Platform.

Secure Connection to Imprivata Cloud Platform

Configure the secure connection between your Imprivata appliances and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration.

Cloud Tenant Setup Wizard

Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection.

Before You Begin

  • You need access to your Imprivata Admin Console.

  • Optional — a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).

IMPORTANT:

The Cloud Tenant Setup wizard supports several Imprivata products on the Imprivata Cloud Platform.

Some steps may require information from the Imprivata Admin Console or your identity provider (IdP) console.

Some steps may not be required for configuring Imprivata Mobile Access Management.

By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.

To start the service:

  1. In the Imprivata Appliance Console, go to System > Operations.

  2. Locate Imprivata Cloud Connect, and click Stop/restart options.

  3. Select Restart Imprivata Cloud Connect on all appliances, and click Go.

Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Cloud Tenant Setup wizard to create an integration token.

To copy your integration ID:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

    NOTE:

    A status message of Unable to verify integration. Unable to connect to Imprivata Access Management is expected.

  2. Copy the enterprise integration ID to your clipboard.

  3. Do not log out. You finish configuring the connection here after using the Imprivata Cloud Tenant Setup wizard to create the integration token.

Using the Imprivata Cloud Tenant Setup wizard, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.

To create the integration token:

  1. Open the Imprivata Cloud Tenant Setup wizard.

  2. If you have not already, agree to the Data Processing Addendum and enter information about your organization.

  3. Go to the Connect to Enterprise Access Management screen, and paste the integration ID into Enterprise integration ID.

  4. Click Create integration token and copy it.

  5. Return to the Imprivata Admin Console to finish configuring the connection.

Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.

To create the integration token:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

  2. Paste the integration token, and click Integrate.

  3. Select Administrator console single sign-on using SAML.

IMPORTANT:

Configure Entra ID as the Identity Provider

Using the Imprivata Cloud Tenant Setup wizard, copy the Imprivata SP metadata URL. You use this URL to save the metadata as an XML file, which you upload to your Entra app.

To save the metadata URL as an XML file:

  1. Open the Imprivata Cloud Tenant Setup wizard.

  2. If you have not already, agree to the Data Processing Addendum and enter information about your organization.

  3. Go to the Identity Provider Connect screen.

  4. Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.

  5. Do not close the wizard. You finish configuring the connection here after you configure your Entra app.

Using the Microsoft Entra Admin center, configure the Entra ID app to support authentication into the Imprivata Access Management portal.

To configure the Entra app:

  1. In the Entra app, click Microsoft Entra ID > Manage > Enterprise Applications > New application.

  2. Click Create your own applications.

  3. Enter a display name for the application, select Integrate any other application you don't find in the gallery, and then click Create.

  4. Go to Overview > Assign users and groups, and add the users/groups who require administrative access to the Imprivata Access Management portal.

  5. Click Set up single sign-on, and select SAML as the single sign-on method.

  6. Click Upload metadata file and upload the Imprivata SP metadata file you created previously.

  7. Under Basic SAML Configuration, click Edit, specify https://access.imprivata.com for the single sign-on URL, and then click Save and Close.

Using the Microsoft Entra Admin center, copy and save the following Entra app values. You use the following values to finish the configuration in the Imprivata Cloud Tenant Setup wizard:

  • The URL endpoint of federation metadata.

  • The SAML name/value pair that identifies users with administrative access.

To locate the required values:

  1. In the Entra app, go to SAML certificates, and copy the App Federation Metadata URL.

  2. Under Atttributes & Claims, click Edit.

  3. If one does not already exist, click Add a group claim.

    BEST PRACTICE:

    Use Group ID as the source attribute.

  4. Copy the claim name for groups.

    Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

  5. Locate the group of users that should have adminstrator access and copy the Object ID.

  6. Return to the Imprivata Cloud Tenant Setup wizard to finish the configuration.

Using the Imprivata Cloud Tenant Setup wizard, finish configuring Entra ID as an IdP using the Entra app values saved previously.

To finish the configuration:

  1. Open the Imprivata Cloud Tenant Setup wizard, and go to the Identity Provider Connect screen.

  2. Enter the SAML IdP metadata URL of the Entra app, and click Continue.

  3. Paste the administrator group's claim name into SAML attribute name.

  4. Paste the administrator group's Object ID into SAML attribute value, and click Continue.

  5. Click Go to Access URL: access.imprivata.com to test the authentication workflow to access the Imprivata Access Management portal.

Configure Microsoft Entra ID for EAM

Configure additional items in Microsoft Entra ID for Imprivata Enterprise Access Management face recognition.

From the Microsoft Entra admin center, add the trusted Imprivata IP addresses.

To add the IP addresses:

  1. Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.

  2. Select IP ranges location.

  3. Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.

  4. Go to the Imprivata Identity Provider Connect screen.

  5. Add the following IP addresses:

    • 44.207.16.175/32

    • 44.196.189.191/32

    • 34.195.47.118/32

  6. Click Save.

If you use "per-user" multifactor authentication, adding the Imprivata Cloud Platform to the "per-user" MFA trusted IPs is required.

To add the IP addresses:

  1. Go to Microsoft Entra ID Overview > Manage > Users, and select Per-user multifactor authentication.

  2. Select the Server Settings tab.

  3. Add the following IP addresses:

    • 44.207.16.175/32

    • 44.196.189.191/32

    • 34.195.47.118/32

  4. Click Save.

Password Hash Sync is required, unless you have enabled Microsoft Entra pass-through authentication.

To enable Password Hash Sync:

  1. Go to Microsoft Entra ID Overview > Manage > Microsoft Entra Connect.

  2. Select the Connect Sync, and verify that Password Hash Sync is enabled.

  3. If it is not enabled, configure Password Hash Synchronization in the Microsoft Entra Connect Sync Agent.

Configure Imprivata Enterprise Access Management as a directory. Doing so, provides full user sync capabilities.

Syncing your users requires one of the following:

  • Entra ID Global Administrator rights

  • Privileged Role Administrator rights

To sync Entra ID users:

  1. Log into the Imprivata Access Management portal (access.imprivata.com).

  2. Click the gear icon.

  3. On the Entra ID users tab, click Add an Entra ID directory now.

    The Add Entra ID as a directory window opens.

  4. Paste your Entra ID Tenant ID, and click Continue to Microsoft Authentication.

  5. Click specify groups now. Enter groups names to find and add them.

  6. Click Update now to sync users.

If you are using federated authentication, this step is required.

The Imprivata Cloud Platform must be able to validate user passwords when entered. In a federated environment, Imprivata needs to avoid these calls from being redirected to the federated identity provider (IdP). You must change the home realm discovery policy for authentication from the Imprivata Cloud to your Entra ID tenant only. This only applies to authentication calls made by the Imprivata Access Management Sync.

To create and apply the Home Realm Discovery policy:

  1. Log in to Microsoft Graph Explorer.

    To make it more secure, log in as the Global Administrator.

  2. Consent to the Microsoft Graph explorer application in your tenant.

    For more information, see the Microsoft Graph API documentation.

  3. Create a home realm discovery policy by making the following HTTP request:

    POST - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies

    Request body

    In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object:

    Copy 
    {
            "displayName": "yourPolicyName",
            "definition": [
            "{\"HomeRealmDiscoveryPolicy\": 
            {\"AllowCloudPasswordValidation\":true, } }"
            ],
            "isOrganizationDefault": false
    }

    Response

    If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.

    Example Response
    Copy 
    {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
            "value": [
            {
                "id": "239cbead-1111-654a-9f50-1467d691aaa",
                "deletedDateTime": null,
                "definition": [
                "{\"HomeRealmDiscoveryPolicy\" : { \"AllowCloudPasswordValidation\":true, } }"
                ],
                "displayName": "Exclude Federated Authentication ",
                "isOrganizationDefault": false
            }
        ]
    }

  4. Assign the home realm discovery policy to the Imprivata Access Management Sync application by making the following HTTP request:

    POST - https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Access Management Sync application object id>/homeRealmDiscoveryPolicies/$ref

    Request body

    In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned.

    Copy 
    {
        "@odata.id":"https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
    }
    Response

    If successful, this method returns a 204 No Content response code.

  5. Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:

    GET - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo

    Response
    Copy 
    {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
            "value": [
            {
            "@odata.type": "#microsoft.graph.servicePrincipal",
            "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",

    ...

 

You must exclude the Imprivata Access Management Sync app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.

  1. In Entra ID, go to SecurityConditional Access, and select a policy that applies to your Imprivata users and requires MFA.

  2. To exclude your Imprivata app, go to Cloud apps or actionsCloud appsExcludeSelect excluded cloud apps, and select the Imprivata Access Management Sync app.

  3. Click Save.

  4. Repeat for all conditional access policies that apply to your Imprivata app and require MFA.

NOTE:

Microsoft-managed policies don't allow you to exclude specific cloud apps. If you have a Microsoft-managed policy that requires MFA, recreate it so you can exclude the Imprivata Access Management Sync app, and then turn off the Microsoft-managed policy.

Configure Enterprise Access Management

In Enterprise Access Management, configure the user policy authentication methods and grace periods for MAM.

  1. In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.

  2. Select Face recognition as a primary factor.

  3. Select a second factor for Face recognition:

    • no second factor (Not recommended)

    • Security Key

    • Imprivata PIN

    • Password

    • Proximity Card

    • Security Key or Imprivata PIN or Proximity Card

      Click to enlarge

    BEST PRACTICE:

    For enhanced protection against sophisticated attacks, pair Face Authentication with a strong second factor like proximity card.

  4. Select another primary factor. For example, if users in this policy must authenticate via password where Face recognition authentication is not available.

  5. Click Save.

Depending on the authentication methods defined in the user policy and computer policy, ensure that you have configured the appropriate grace periods for the second authentication factor.

For example, when using proximity cards as the second authentication factor, you can set a grace period for the second authentication factor after successful authentication, up to 24 hours 59 minutes.

The settings are available in the Authentication method options section of the Authentication tab in the Imprivata Admin Console.

Mobile Access Management organizations with Check Out using EAM as the Identity provider (IdP) create a host (computer) in EAM for every Launchpad registered. That computer in EAM gets a computer policy which must have a proximity card enabled to be able to perform a checkout with a proximity card tap.

  • Confirm that there is no override in the computer policy that the Launchpads are assigned to. If the Launchpads are assigned to the Default Computer Policy, no changes should be needed.

  • MAM's iOS devices are displayed in the Imprivata Admin Console as Prove ID Web devices; confirm that the mobile devices are in the Default Computer Policy. If they are assigned to the Default Computer Policy, no changes should be needed.

  • Confirm that the user policies your mobile users are assigned to allow proximity cards as a primary factor.

If all of the above conditions are true, no changes are needed.

  • However, if an override is already enabled within the computer policy the Launchpads are in, ensure that Proximity Card is allowed in the override.

  • If this is not possible or allowed for your organization, Imprivata recommends moving the Launchpads and devices into a separate computer policy.

If you've performed the validations above, and computer policy changes are needed for your environment, follow these steps.

  1. In the Imprivata Admin Console, go to Computers > Computer policies and select the computer policy your Launchpad is using.

  2. In Override and Restrict tab > Desktop Access Authentication Restrictions section, make sure that the option for Proximity Card is selected (enabled).

    Click to enlarge