Authasas Advanced Authentication® Enterprise Edition is a multi-factor authentication solution for Microsoft® networks.

The framework provides the secure matching of authenticators and the storage and retrieval of user credentials within Active Directory.  User credentials, or authenticators, may consist of one or more types such as biometric fingerprint, contactless smartcard, contact smartcard, USB Flash driver, or Security Questions (Q&A).

Authasas Advanced Authentication® is comprised of a server component, a directory component and a client component.  The Authenticore Server component serves as an authentication server and policy management server.  Optionally, the Authenticore Server may also serve as a log server to centrally collect client and server event logs.  The directory component serves as a repository for user credentials and policies.  Supported directories include MS Active Directory and AD LDS.  The client component is the primary user interface for user authentication and consists of a GINA or Credential Provider depending on the operating system deployed to.

Authasas Advanced Authentication® Enterprise Edition may be deployed to dedicated or existing hardware infrastructure.  Authasas Advanced Authentication® is simple to deploy and manage, and offers a low total cost of ownership, requiring less than one full time employee to administer.

Authentication Scenarios

The Authasas Workstation supports all of the following authentication scenarios:

• Networked PC
• Cached logon for offline PC
• Windows® Terminal Server
• Citrix® Metaframe®, NFuse® session
• Windows® 2003/XP 2008/Win7 Remote Desktop
• Dial-up/GPRS/VPN/RADIUS session
• Cross-domain authentication (trusted domains)
• Launching application via "Run As" command

Authentication procedure

During logon a user need not memorize a series of ever changing passwords. With Authasas the user enters his username followed by his authenticator using biometrics or non-biometrics authentication technology. Depending on which "pluggable" BSP module has been installed and selected, the authenticator presented during logon is compared against the previously enrolled authenticator stored at the authentication Authasas Server and the user is either accepted or rejected.??Users whose biometric identification record is already enrolled in the Authasas Server database (Active Directory), are only required to enter their user name and present their biometric authenticator. Authasas transparently supplies the user's "hidden" and encrypted password to the Windows security system to complete the logon process. This authentication flexibility reduces password maintenance expense by avoiding calls to the help desk for password-related problems, while providing a more secure block against hacking-related problems.

Typical Logon Process

This section describes the typical logon process on the network:

• The user enters Ctrl-Alt-Del sequence, provides user name, domain name and selects the preferred authentication method to be used (biometrics or non-biometrics authentication hardware installed on the computer)*
• Authasas GINA loads the corresponding authentication module and the user is challenged for the authenticator. The authenticator is captured from the user, then encrypted and sent to Authasas Server together with the user and domain names. In the case of a password challenge, Authasas GINA captures the user's password and sends it through the WINLOGON process for normal validation by the Windows security system.
• The Authasas Server retrieves the user's enrolled authenticator stored in the Active Directory database and decrypts it. The Authasas Server then decrypts the authenticator presented by the user and loads the corresponding BSP module for comparison. If there is a match, the user's password (which was also retrieved and decrypted from Active Directory) is encrypted and returned to the Authasas GINA.
• Authasas GINA then decrypts the password and passes the user name and password to the WINLOGON process to complete the normal Windows logon by password. The user is then logged onto his desktop and connected to the domain server.

* When authenticating using a contact or contactless smartcard method, the user is not required to press CTRL-ALT-DEL or provide a username.  Presentation of the card automatically initiates the logon process, and, the username is automatically retrieved.  The user is required to respond to  PIN prompt only.