Imprivata Enterprise Access Management Authentication Best Practices
Two Factor Authentication
Use two-factor authentication for Imprivata Enterprise Access Management for SSO (formerly Imprivata OneSign) desktop authentication, Imprivata Enterprise Access Management for MFA (formerly Imprivata Confirm ID) remote access, and all signing workflows, especially EPCS.
The most common entry point for malware and ransomware attacks is via remote access with valid user credentials obtained via successful phishing.
Two-factor authentication is available in a variety of combinations. For details, see "Configuring Authentication Methods in User Policies", "Imprivata Authentication Methods", and "Set Up Users" in the Imprivata Enterprise Access Management Help Portal.
Offline Authentication
Offline Authentication allows a user to log into Imprivata Enterprise Access Management even when the Imprivata agent cannot connect to the Imprivata server. The Imprivata agent uses cached encrypted credentials until it can contact the server again. In the Imprivata Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication.
Security Questions
Users who forget or lose an ID token, smart card, or other authentication factor can authenticate to Imprivata Enterprise Access Management by answering their security questions (emergency access).
Make security questions more secure: in the Imprivata Admin Console, select a user policy > Authentication tab > Security questions. Imprivata recommends:
- Require users to enroll 5 questions.
- Require users to answer 3 questions to authenticate.
- To prevent users from authenticating with security questions regularly, allow only 2 security question logins per month.
- Discourage the use of personal information as security answers when this personal information can be found on the Internet.
See "Authenticating to Imprivata via Security Questions (Q&A)" in the Imprivata Enterprise Access Management Help Portal.
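The following is an added illustration of the emergency-access policy above, not Imprivata's code: it enrolls exactly 5 questions, accepts a login only when 3 answers are correct, and caps security-question logins at 2 per calendar month. Answers are stored as salted PBKDF2 hashes and compared in constant time; the class and method names are my own.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

# Policy values are the page's recommendations; the names below are assumptions.
QUESTIONS_TO_ENROLL = 5
QUESTIONS_TO_ANSWER = 3
MAX_QA_LOGINS_PER_MONTH = 2


def _normalize(answer: str) -> str:
    # Collapse whitespace and case so "Boston " and "boston" compare equal.
    return " ".join(answer.split()).casefold()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are secrets: store only a salted, slow hash, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode("utf-8"), salt, 100_000)


class SecurityQuestionStore:
    """Emergency-access record for one user."""

    def __init__(self) -> None:
        self.enrolled: dict[str, tuple[bytes, bytes]] = {}  # question -> (salt, hash)
        self.qa_logins: list[datetime] = []                 # successful emergency logins

    def enroll(self, answers: dict[str, str]) -> None:
        if len(answers) != QUESTIONS_TO_ENROLL:
            raise ValueError(f"exactly {QUESTIONS_TO_ENROLL} questions must be enrolled")
        self.enrolled = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.enrolled[question] = (salt, _hash_answer(answer, salt))

    def logins_this_month(self, now: datetime) -> int:
        return sum(1 for t in self.qa_logins if (t.year, t.month) == (now.year, now.month))

    def authenticate(self, answers: dict[str, str], now: datetime) -> bool:
        # Monthly cap: emergency access must not become the user's routine login path.
        if self.logins_this_month(now) >= MAX_QA_LOGINS_PER_MONTH:
            return False
        if len(answers) < QUESTIONS_TO_ANSWER:
            return False
        correct = 0
        for question, answer in answers.items():
            if question not in self.enrolled:
                return False
            salt, expected = self.enrolled[question]
            if hmac.compare_digest(_hash_answer(answer, salt), expected):
                correct += 1
        if correct < QUESTIONS_TO_ANSWER:
            return False
        self.qa_logins.append(now)
        return True
```

A failed attempt does not consume one of the two monthly logins, but in a real deployment it should count toward the account lockout described later on this page, since emergency access is one of the paths the lockout policy covers.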
User Challenges
Challenges help to maintain security after the Imprivata agent has been offline, especially in situations where more than one user has access to a computer. For higher security, Imprivata recommends:
- Require users to authenticate again when the Imprivata agent has returned online.
- Require users to authenticate again after the user has been inactive for 15 minutes.
- You can also require users to authenticate at a set time interval, even while the user has been active. However, this setting comes at a high cost in usability for the users, and is only recommended when the highest security is required.
In the Imprivata Admin Console, go to the User policies page > Challenges tab. For more information, see "User Challenges" in the Imprivata Enterprise Access Management Help Portal.
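As an added example, not Imprivata's code, the three challenge triggers above as a small session model: a challenge is raised when the agent comes back online, after 15 minutes without activity, and (only if configured) when a fixed interval has elapsed regardless of activity. The `Session` and `ChallengePolicy` names and the event functions are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ChallengePolicy:
    # Page recommendations: re-authenticate when the agent returns online and after
    # 15 minutes of inactivity. A fixed interval is off unless explicitly set.
    on_return_online: bool = True
    inactivity_limit: timedelta = timedelta(minutes=15)
    fixed_interval: Optional[timedelta] = None


@dataclass
class Session:
    last_authenticated: datetime
    last_activity: datetime
    agent_online: bool = True
    pending_reconnect: bool = False  # set when the agent goes offline and comes back


def record_activity(session: Session, now: datetime) -> None:
    session.last_activity = now


def set_agent_online(session: Session, online: bool) -> None:
    # Only the offline -> online transition arms the challenge; staying online does not.
    if online and not session.agent_online:
        session.pending_reconnect = True
    session.agent_online = online


def challenge_reasons(session: Session, policy: ChallengePolicy, now: datetime) -> list[str]:
    """Return every policy rule that currently demands re-authentication (empty = none)."""
    reasons = []
    if policy.on_return_online and session.pending_reconnect:
        reasons.append("agent returned online")
    if now - session.last_activity >= policy.inactivity_limit:
        minutes = int(policy.inactivity_limit.total_seconds() // 60)
        reasons.append(f"inactive for {minutes} minutes")
    if policy.fixed_interval is not None and now - session.last_authenticated >= policy.fixed_interval:
        reasons.append("fixed re-authentication interval elapsed")
    return reasons


def reauthenticate(session: Session, now: datetime) -> None:
    # A successful challenge clears every pending trigger and restarts both clocks.
    session.last_authenticated = now
    session.last_activity = now
    session.pending_reconnect = False
```

The fixed-interval rule is the one the page flags as costly for usability: in the model it fires even for a user who has been active every few minutes, which is exactly why it is left unset by default.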
User Lockout
After a number of consecutive authentication failures, the user account is locked. Even if the user authenticates correctly during the lockout period, the account remains locked.
This setting applies to:
- Password authentication
- Non-password authentication, for example fingerprint or token
- Security questions (emergency access)
- Self-service password reset
In the Imprivata Admin Console, select a user policy and go to the Lockout section.
For complete details, see "User Lockout Policy" in the Imprivata Enterprise Access Management online help.
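The lockout rule has two points worth seeing in code: the failure counter is shared across every authentication method listed above, and a correct credential presented during the lockout period is refused without unlocking the account. The following is an added illustration, not Imprivata's implementation; the threshold of 5 failures and the 15-minute duration are assumed values, since the page gives neither.

```python
from datetime import datetime, timedelta
from typing import Optional


class LockoutPolicy:
    # Assumed values: the page states the rule but not a threshold or duration.
    max_failures = 5
    lockout_duration = timedelta(minutes=15)


class AccountLockout:
    """Per-account failure counter shared by every authentication method."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures = 0
        self.locked_until: Optional[datetime] = None
        self.log: list[tuple[datetime, str, str]] = []

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, method: str, credential_valid: bool, now: datetime) -> str:
        """Record one attempt via `method` (password, fingerprint, token, security
        questions, self-service reset, ...) and return 'success', 'failure' or 'locked'."""
        if self.is_locked(now):
            # The correct credential is refused here too: it neither unlocks the
            # account nor counts as a further failure.
            outcome = "locked"
        else:
            if self.locked_until is not None:
                # Lockout period has elapsed: clear it and start counting afresh.
                self.locked_until = None
                self.failures = 0
            if credential_valid:
                self.failures = 0
                outcome = "success"
            else:
                self.failures += 1
                if self.failures >= self.policy.max_failures:
                    self.locked_until = now + self.policy.lockout_duration
                    outcome = "locked"
                else:
                    outcome = "failure"
        self.log.append((now, method, outcome))
        return outcome
```

Keeping the counter per account rather than per method matters: if each factor had its own counter, an attacker who exhausted password attempts could simply continue against security questions or self-service reset.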
Best Practices — Passwords
Imprivata recommends following the password security standards as described by the National Institute of Standards and Technology (NIST). See the NIST Special Publication 800-63B for details.
- Require passwords greater than 12 characters in length.
- Set passwords to expire after 180 days. For every character over 12, you can extend the expiry date by 60 days. Changing passwords on a shorter interval is an unnecessary burden that does not increase security, and actually encourages users to compose weak passwords.
- Encourage the use of "pass phrases" that consist of a combination of words and special characters or numbers.
Best Practice — Default Passwords
Change default passwords for devices. Use robust passwords and make a record of them.
Locking Workstations
Computers in public or semi-public areas have the risk of being viewed by unauthorized people. Imprivata Enterprise Access Management provides a comprehensive set of tools for securing unattended workstations:
- Locking workstations with a hotkey and badge tap
- Secure Walk Away — automatic walk-away security based on the proximity of your users' mobile phones
- User Notifications at unattended workstations — to display the name of who's currently logged into a shared workstation
- Inactivity-based presence detection — the workstation locks when Imprivata Enterprise Access Management fails to detect activity after a specified period of time
Use Secure Walk Away in conjunction with Inactivity Detection set to 15 minutes or less, in an environment where users share workstations and need to leave workstations in a hurry (ED or Wards, for example). See "Configuring Walk-Away Security for Unattended Workstations" in the Imprivata Enterprise Access Management online help.
Computer Policies Overriding User Policies
User policies take precedence over computer policies, but when you need to apply especially strict security to specific computers, Imprivata recommends Override and Restrict settings. Use Override and Restrict settings to enforce stricter security policies for a specific group of computers. See "Setting Computer Policies to Override User Policies" in the Imprivata Enterprise Access Management online help.
Imprivata Enterprise Access Management Single Sign On
In addition to improving user experience, Imprivata Enterprise Access Management Single Sign On is a tremendous security benefit to your enterprise. The fewer passwords your users use, and the less often they manually enter passwords, the more secure your enterprise can be.
When you deploy an Imprivata application profile to users, you should pay careful attention to security settings.
- Whether users can access Imprivata Single Sign On when the Imprivata agent is offline
- Whether users can edit their Imprivata SSO application credentials
- Whether users can reveal their passwords in the Imprivata password manager or in the Password Self Services feature
- Whether users are prohibited from bypassing Imprivata SSO for specific applications
- A finite lifespan for single sign-on data used by offline-enabled users. This guarantees a limit on how long an offline-enabled user can access the network if the user's account was closed while the user was offline.
For complete details, see "Single Sign-On Security Settings" in the Imprivata Enterprise Access Management online help.
Remote Access — Temporary Codes
When Imprivata ID authentication is required to log in, but the user doesn't have their device or OTP token, Imprivata has made it easy for your enterprise to issue a temporary code allowing your user to continue their work virtually uninterrupted. Temporary codes can also be used when you need to provide remote access to a temporary user such as a contractor.
It's important for your helpdesk to implement security protocols around issuing temporary codes. Validating the identity of a person who is requesting a temporary code for an Imprivata account is essential to maintaining the security of that account.
See "Temporary Codes for Remote Access" in the Imprivata Enterprise Access Management online help.
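As an added example of the helpdesk protocol the section above calls for (not Imprivata's code), the service below refuses to mint a temporary code unless the agent records how the requester's identity was verified, stores the code hashed, makes it single-use, and expires it. The 8-digit format, the 8-hour lifetime, and all names are assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CODE_LIFETIME = timedelta(hours=8)  # assumed: long enough for one shift, then gone
CODE_DIGITS = 8                     # assumed length; the page does not give one


def _hash_code(code: str) -> str:
    # Stored hashed so a copy of the table does not hand out live codes; the real
    # protection for a short numeric code is its expiry, single use and the lockout.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


@dataclass
class TemporaryCode:
    username: str
    code_hash: str
    expires_at: datetime
    issued_by: str
    identity_check: str
    used: bool = False


class TemporaryCodeService:
    def __init__(self) -> None:
        self.codes: dict[str, TemporaryCode] = {}   # one live code per user
        self.audit: list[str] = []

    def issue(self, username: str, issued_by: str, identity_check: str,
              now: datetime, lifetime: timedelta = CODE_LIFETIME) -> str:
        """Helpdesk path: refuses to mint a code unless the verification step is recorded."""
        if not identity_check.strip():
            raise ValueError("record how the requester's identity was verified before issuing a code")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[username] = TemporaryCode(username, _hash_code(code), now + lifetime,
                                             issued_by, identity_check)
        self.audit.append(f"{now.isoformat()} code issued for {username} by {issued_by} "
                          f"after: {identity_check}")
        return code   # shown to the helpdesk agent once; never written to the audit log

    def redeem(self, username: str, code: str, now: datetime) -> bool:
        rec = self.codes.get(username)
        if rec is None or rec.used or now >= rec.expires_at:
            return False
        if not hmac.compare_digest(_hash_code(code), rec.code_hash):
            return False
        rec.used = True
        self.audit.append(f"{now.isoformat()} code redeemed for {username}")
        return True
```

The audit trail records who issued the code and what verification they performed, which is what an incident responder needs when a temporary code turns up in a suspicious login: a phished helpdesk agent skipping the identity check is the failure mode this path is built to expose.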
Remote Access — Skip Second Factor
You can allow users associated with the MFA Remote Access workflow to skip the second authentication factor. Select how long the user can skip second factor (1 hour minimum — 120 days maximum). The default is 30 days.
To improve the security of your enterprise, do not allow users to skip the second authentication factor. See "Skip Second Factor" for Remote Access in the Imprivata Enterprise Access Management Help Portal.
Revoke EPCS from a User
The Delete Record function can be used to revoke the ability to e-prescribe controlled substances from a user. See "Delete Record and Revoke EPCS" in the Imprivata Enterprise Access Management Help Portal.