IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.1

RFID authentication

IBM® Security Access Manager for Enterprise Single Sign-On supports the use of RFID cards for user authentication in both personal and shared workstations.

How it works

Users can log on, lock, and unlock AccessAgent with the following combinations, depending on the value you set for the Wallet authentication option policy:
  • RFID only
  • ISAM ESSO password and RFID

To use RFID authentication:

  • The users must register the RFID card as a secondary authentication factor.
  • The RFID card reader must be plugged into the computer before starting it. If the device is not detected upon startup, the users must restart their computers. Do not unplug and plug in the RFID card reader while AccessAgent is running.

RFID only logon and RFID only unlock

RFID only logon
You can allow users who initially logged on to a workstation with their RFID card and password to log on to or unlock any workstation with only their RFID card, but only under the following conditions:
  • Only for a pre-configured grace period after the initial two-factor logon.
  • Only if they use the same card that is used for the two-factor logon earlier.
  • Only from workstations where their credential Wallets are cached.
  • Only if the workstation has network connection to the IMS Server.

In all other scenarios, users must log on with both their RFID and passwords.

This feature is disabled by default and can be limited to a specific group of machines only.

RFID only unlock
You can allow users who initially logged on to a workstation with their RFID card and password to unlock their workstation with only their RFID card, but only under the following conditions:
  • Only within a pre-configured grace period.
  • Only from workstations that the users are currently logged on to.

This feature is disabled by default and can be limited to a specific group of machines only.
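
The following sketch is an added example, not IBM code and not the product's policy names. It models the RFID only logon and RFID only unlock conditions above as one decision function, so that each failure case visibly falls back to RFID plus password. All class, field and function names and the four-hour grace value are assumptions, and the unlock grace period is assumed to run from the initial two-factor logon.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:                       # hypothetical names, not product policy IDs
    rfid_only_logon: bool = False   # page: disabled by default
    rfid_only_unlock: bool = False  # page: disabled by default
    grace: timedelta = timedelta(hours=4)   # constructed value
    machines: Optional[frozenset] = None    # None = not limited to a group

@dataclass
class TwoFactorLogon:               # the initial RFID + password logon
    card_id: str
    at: datetime

@dataclass
class Workstation:
    name: str
    cached_wallets: frozenset       # users whose Wallet is cached here
    ims_reachable: bool
    logged_on_user: Optional[str] = None

def required_factors(action, user, card_id, now, ws, policy, last_2fa):
    """Return (factors, reason) for action "logon" or "unlock"."""
    both = ("rfid", "password")
    enabled = policy.rfid_only_logon if action == "logon" else policy.rfid_only_unlock
    if not enabled:
        return both, "feature disabled"
    if policy.machines is not None and ws.name not in policy.machines:
        return both, "machine not in allowed group"
    if last_2fa is None:
        return both, "no prior two-factor logon"
    if not (timedelta(0) <= now - last_2fa.at <= policy.grace):
        return both, "outside grace period"
    if action == "unlock":          # page lists only grace period + current session
        if ws.logged_on_user != user:
            return both, "user not logged on here"
        return ("rfid",), "ok"
    if card_id != last_2fa.card_id:
        return both, "different card"
    if user not in ws.cached_wallets:
        return both, "wallet not cached"
    if not ws.ims_reachable:
        return both, "IMS Server unreachable"
    return ("rfid",), "ok"
```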

RFID tap same and RFID tap different

These concepts apply when a user is logged on to an AccessAgent session, the screen is not locked, and an RFID card is tapped on to the reader.

RFID tap same
Occurs when the user taps the same RFID card that was previously tapped during an AccessAgent session. Use this configuration to set up a "tap in, tap out" workflow.
RFID tap different
Occurs when the user taps a different RFID card during an AccessAgent session. This configuration applies if userA leaves the workstation unattended, and userB comes along and taps their RFID card to log on to the AccessAgent session.

When a different RFID card is tapped, the machine is locked and prompts for a password. If fast user switching is enabled, it triggers a user switch in Windows 7. The resulting behavior depends on the policy value that is set by your organization.


