Imprivata MDA Authentication and Single Sign–on Workflows
Imprivata Mobile Device Access supports Imprivata authentication management and single sign–on to mobile devices and apps.
Imprivata MDA supports the following authentication methods:
| Primary Factor | Secondary Factors | Description |
|---|---|---|
| NFC enabled proximity card | | This is the default configuration. In this configuration: For additional details, see Workflow — Proximity Card with a Second Factor. |
| Face recognition | NFC enabled proximity card | In this configuration: For additional details, see Workflow — Proximity Card with Face Recognition as a Factor. |
| Username and password + (alternative) Imprivata PIN | None | This configuration supports deployments where proximity cards are not in use. In this configuration: For additional details, see Workflow — Username/Password + an Alternative Imprivata PIN. |
| External proximity card reader | | Certain Android devices don't support NFC; as an alternate method, Imprivata MDA supports the use of certain models of Imprivata-branded rf Ideas external USB proximity card readers. See External Proximity Card Readers. In this configuration: For additional details, see Workflow — Proximity Card with a Second Factor. |
Workflow — Proximity Card with a Second Factor
As illustrated in the following diagram:
- At the beginning of their shift, users authenticate by tapping their proximity card, and optionally, entering their password or an Imprivata PIN as a second factor.
- During a specified grace period, the authenticated user can use a badge tap to authenticate.
- Users can enroll a proximity card and an Imprivata PIN from either the mobile device or the Imprivata enrollment utility on a Windows workstation.
  When a new proximity card is detected or when a PIN is not enrolled, Imprivata MDA steps users through the enrollment.
NOTE: The diagram includes optional functionality, which you configure in the mobile policy.
For details on configuring, see Configure the Mobile Policy and User Authentication.
Workflow — Username/Password + an Alternative Imprivata PIN
As illustrated in the following diagram:
- At the beginning of their shift, users authenticate by entering their username and password.
- During a specified grace period, the authenticated user can use an Imprivata PIN for subsequent authentications.
  The alternative method can be used until another user authenticates to the device or enters Guest mode.
- Users can enroll an Imprivata PIN from either the mobile device or the Imprivata enrollment utility on a Windows workstation.
  Imprivata MDA steps users through the enrollment if a PIN is not enrolled.
NOTE: The diagram includes optional functionality, which you configure in the mobile policy.
For details on configuring, see Configure the Mobile Policy and User Authentication.
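The following is an added example, not Imprivata code: a small Python model of the decision logic in this workflow, useful for reasoning about when the alternative PIN must be refused on a shared device. It assumes that the grace period is measured from the last username/password authentication, that credentials are already verified before the decision, and that the names `DeviceSession`, `replay`, and the one-hour grace value are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

FULL = "username_password"  # primary method in this workflow
ALT = "imprivata_pin"       # alternative method in this workflow


@dataclass
class DeviceSession:
    """Model of one shared device. Illustrative only, not Imprivata code."""
    grace_seconds: int                   # assumed policy value
    owner: Optional[str] = None          # user who last authenticated fully
    full_auth_at: Optional[float] = None
    guest_mode: bool = False

    def enter_guest_mode(self) -> None:
        # Guest mode ends the previous user's right to use the alternative.
        self.owner, self.full_auth_at, self.guest_mode = None, None, True

    def authenticate(self, user: str, method: str, now: float) -> str:
        """Decide an attempt whose credential is assumed already verified."""
        if method == FULL:
            # Any full authentication replaces the previous owner.
            self.owner, self.full_auth_at, self.guest_mode = user, now, False
            return "granted"
        if method != ALT:
            raise ValueError(f"unknown method: {method}")
        in_grace = (
            not self.guest_mode
            and self.owner == user
            and self.full_auth_at is not None
            and 0 <= now - self.full_auth_at <= self.grace_seconds
        )
        return "granted" if in_grace else "full_auth_required"


def replay(events, grace_seconds):
    """Run (time, user, action) tuples through one device, return decisions."""
    session, decisions = DeviceSession(grace_seconds), []
    for now, user, action in events:
        if action == "guest":
            session.enter_guest_mode()
            decisions.append("guest_mode")
        else:
            decisions.append(session.authenticate(user, action, now))
    return decisions


# Constructed timeline (seconds since shift start), not real log data.
SHIFT = [(0, "alice", ALT), (5, "alice", FULL), (1800, "alice", ALT),
         (3700, "alice", ALT), (3800, "alice", FULL), (3900, "bob", FULL),
         (4000, "alice", ALT), (4100, "bob", ALT), (4200, None, "guest"),
         (4300, "bob", ALT)]
```

Calling `replay(SHIFT, 3600)` shows the PIN being refused before any full authentication, after the grace period lapses, after another user takes over the device, and after Guest mode is entered.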
Workflow — Proximity Card with Face Recognition as a Factor
As illustrated in the following diagram:
- At the beginning of their shift, users authenticate for the first time by tapping their proximity card and then capturing their face as a second factor.
- During a specified grace period, the authenticated user can unlock a device with their face only.
- Users can enroll a proximity card and their face from either the mobile device or the Imprivata enrollment utility on a Windows workstation.
- When a new proximity card is detected or when a user's face is not yet enrolled, Imprivata MDA steps the users through the enrollment.
NOTE: The diagram includes optional functionality, which you configure in the mobile policy.
For details on configuring face recognition, see Face Recognition as an Authentication Method.


