IBM® Security Access Manager for Enterprise Single Sign-On supports the use of RFID cards for user authentication on both personal and shared workstations.
How it works
Users can log on, lock, and unlock AccessAgent with the following combinations, depending on the value you set for the Wallet authentication option policy:
- RFID only
- ISAM ESSO password and RFID
To use RFID authentication:
- The users must register the RFID card as a secondary authentication factor.
- The RFID card reader must be plugged into the computer before starting it. If the device is not detected on startup, the users must restart their computers. Do not unplug and plug in the RFID card reader while AccessAgent is running.
RFID only logon and RFID only unlock
- RFID only logon
- You can allow users who initially logged on to a workstation with their RFID card and password to log on to or unlock any workstation with only their RFID card, subject to the following conditions:
- Only for a pre-configured grace period after the initial two-factor logon.
- Only if they use the same card that was used for the earlier two-factor logon.
- Only from workstations where their credential Wallets are cached.
- Only if the workstation has a network connection to the IMS Server.
In all other scenarios, users must log on with both their RFID card and password.
This feature is disabled by default and can be limited to a specific group of machines only.
- RFID only unlock
- You can allow users who initially logged on to a workstation with their RFID card and password to unlock their workstation with their RFID card only, subject to the following conditions:
- Only within a pre-configured grace period.
- Only on the workstation that the user is currently logged on to.
This feature is disabled by default and can be limited to a specific group of machines only.
RFID tap same and RFID tap different
These concepts apply when a user is logged on to an AccessAgent session, the screen is not locked, and an RFID card is tapped on the reader.
- RFID tap same
- When the user taps the same RFID card that was previously tapped during an AccessAgent session.
Use this configuration to set up a "tap in, tap out" workflow.
- RFID tap different
- When the user taps a different RFID card during an AccessAgent session.
This configuration applies when user A leaves the workstation unattended and user B comes along and taps an RFID card to log on to the AccessAgent session.
When a different RFID card is tapped, the workstation is locked and prompts for a password, or, if fast user switching is enabled on Windows Vista or Windows 7, a user switch is triggered. Which of these happens depends on the policy value set by your organization.
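The following is an added illustration, not IBM's AccessAgent code, that models the decision rules described in the two sections above (RFID only logon and unlock, and tap same versus tap different) as a small policy evaluator. The grace period value, the Workstation and Session fields, the policy flags and the outcome strings are assumptions; the conditions they encode are the ones stated on this page.

```python
# Hypothetical model of the RFID logon, unlock and tap rules described above.
# Constructed for illustration; not IBM's AccessAgent code. The grace period
# value, the field names, the policy flags and the outcome strings are assumptions.
from dataclasses import dataclass, field

GRACE_PERIOD_SECONDS = 8 * 60 * 60  # assumed value; the real grace period is a configurable policy


@dataclass
class Workstation:
    name: str
    cached_wallets: set = field(default_factory=set)  # users whose credential Wallets are cached here
    ims_reachable: bool = True                        # network connection to the IMS Server
    rfid_only_logon_enabled: bool = False             # disabled by default
    rfid_only_unlock_enabled: bool = False            # disabled by default
    fast_user_switching: bool = False                 # Windows Vista / Windows 7 fast user switching


@dataclass
class Session:
    user: str
    card_id: str          # card used for the initial two-factor (card + password) logon
    two_factor_at: float  # time of that two-factor logon
    workstation: str      # workstation the user is currently logged on to
    locked: bool = False


def within_grace(session: Session, now: float) -> bool:
    """True while the pre-configured grace period after the two-factor logon has not elapsed."""
    return 0 <= now - session.two_factor_at <= GRACE_PERIOD_SECONDS


def rfid_only_logon_allowed(session: Session, card_id: str, ws: Workstation, now: float) -> bool:
    """Log on to `ws` with only the card. Every condition must hold; otherwise
    AccessAgent requires both the RFID card and the password."""
    return (ws.rfid_only_logon_enabled
            and within_grace(session, now)
            and card_id == session.card_id           # same card as the two-factor logon
            and session.user in ws.cached_wallets    # Wallet cached on this workstation
            and ws.ims_reachable)                    # network connection to the IMS Server


def rfid_only_unlock_allowed(session: Session, card_id: str, ws: Workstation, now: float) -> bool:
    """Unlock with only the card: within the grace period, and only on the
    workstation the user is currently logged on to."""
    return (ws.rfid_only_unlock_enabled
            and session.locked
            and session.workstation == ws.name
            and card_id == session.card_id
            and within_grace(session, now))


def handle_tap(session: Session, card_id: str, ws: Workstation, now: float) -> str:
    """Outcome of tapping a card while `session` exists on `ws`."""
    if session.locked:
        if rfid_only_unlock_allowed(session, card_id, ws, now):
            session.locked = False
            return "UNLOCK_RFID_ONLY"
        return "PROMPT_PASSWORD"
    if card_id == session.card_id:
        # Tap same: policy decides what happens, e.g. tap-out in a "tap in, tap out" workflow.
        return "TAP_SAME"
    # Tap different: user B's card on user A's unattended, unlocked session.
    session.locked = True
    return "SWITCH_USER" if ws.fast_user_switching else "LOCK_AND_PROMPT_PASSWORD"


def scenario():
    """Constructed sample: user A did a two-factor logon on KIOSK-1 at t=1000."""
    ws = Workstation("KIOSK-1", cached_wallets={"userA"},
                     rfid_only_logon_enabled=True, rfid_only_unlock_enabled=True)
    session = Session(user="userA", card_id="CARD-A", two_factor_at=1000.0, workstation="KIOSK-1")
    return ws, session


if __name__ == "__main__":
    ws, s = scenario()
    print("card-only logon within grace:", rfid_only_logon_allowed(s, "CARD-A", ws, 1060.0))
    print("user B taps:", handle_tap(s, "CARD-B", ws, 1100.0))
    print("user A taps on locked session:", handle_tap(s, "CARD-A", ws, 1200.0))
```

Each function returns a plain value, so the same checks can be run against any combination of grace period, card, cached Wallet and IMS Server reachability to see which condition is the one that forces a fall-back to card-plus-password.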