Advanced Features

What is this Echidna authentication 'broker' I keep hearing about?

The Echidna server can delegate authentication requests that match pre-configured criteria to external servers via either RADIUS or web service calls. This allows support of 2FA mechanisms that are not natively present in Echidna, such as vendor-proprietary security tokens.

Does Echidna support HSMs?

Echidna supports HSMs through the PKCS#11 Java Cryptography Provider. Key generation or commissioning is done first using the HSM's native toolset.

Thales nShield solutions are fully supported with HSM key ceremony procedures provided as part of Echidna if required.

Can I deploy Echidna for applications across my organisation?

Yes. Echidna has been designed to scale horizontally for performance and supports integration to applications and access points via web services and RADIUS.

Does Echidna support delegated administration?

Yes, there is a "user-support" web application to allow administrators to assist end-users in registration and use of their 2FA mechanisms. Access to this application is itself protected by the same set of authentication mechanisms that Echidna allows for end-users, and can be additionally restricted by group or role memberships.

How does Echidna on-board new users?

The introduction of new users is implicit when new user records are created in the relevant user store, such as Active Directory, and assigned to any required 2FA or remote access groups.

For security tokens that require explicit registration or activation, this can be done by the user through Echidna's self-service web pages, or with the assistance of an administrator through the user-support web pages.

How does Echidna on-board existing users with pre-existing security tokens?

When Echidna is processing authentication requests, some of which should be brokered to an external server, there must be a basis to decide how to handle each request. Two strategies are common and supported:

  1. Where a registration record for the user for a local 2FA mechanism exists, the user is processed using that mechanism. Requests to authenticate any other user are passed on to the remote server. This enables implicit zero-setup on-boarding, but can make it more difficult to eventually decommission the legacy (remote) authentication server.

  2. The set of users with pre-existing tokens is identified (such as by export from the legacy authentication server database), and an appropriate attribute or group membership assigned for those users in the user store so that they can be explicitly identified. Only those users explicitly identified in this way are authenticated remotely.
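The two routing strategies above, worked through as an added example that is not Echidna's own code. The user store, group name and verifier stubs are constructed for illustration; the only thing taken from the FAQ is the decision rule of each strategy. The `remote_dependents` report shows why strategy 1 makes decommissioning harder: every user without a local registration keeps flowing to the legacy server, whereas strategy 2 brokers only explicitly flagged users.

```python
from typing import Callable, Dict, List

# Constructed sample user store standing in for a directory such as Active Directory.
# "local_2fa" is the mechanism the user has registered locally, or None if there is none.
USER_STORE: Dict[str, dict] = {
    "alice": {"groups": {"vpn-users"}, "local_2fa": "oath-totp"},
    "bob":   {"groups": {"vpn-users", "legacy-token-users"}, "local_2fa": None},
    "carol": {"groups": {"vpn-users"}, "local_2fa": None},
}

# Hypothetical group used by strategy 2 to flag users still on the legacy server.
LEGACY_GROUP = "legacy-token-users"


def route_by_local_registration(username: str) -> str:
    """Strategy 1: a user with a local 2FA registration is authenticated locally;
    every other request, including for users unknown locally, goes to the remote server."""
    rec = USER_STORE.get(username)
    if rec is not None and rec["local_2fa"]:
        return "local"
    return "remote"


def route_by_explicit_group(username: str) -> str:
    """Strategy 2: only users explicitly flagged in the user store are brokered.
    Everyone else needs a local registration; refusing the rest is this example's
    choice, not something the FAQ specifies."""
    rec = USER_STORE.get(username)
    if rec is None:
        return "reject"
    if LEGACY_GROUP in rec["groups"]:
        return "remote"
    return "local" if rec["local_2fa"] else "reject"


def remote_dependents(strategy: Callable[[str], str]) -> List[str]:
    """Users in the store that a strategy would still send to the legacy server.
    An empty list means the legacy server could be switched off under that policy."""
    return sorted(u for u in USER_STORE if strategy(u) == "remote")


def authenticate(username: str, otp: str, strategy: Callable[[str], str],
                 verify_local: Callable[[str, str], bool],
                 verify_remote: Callable[[str, str], bool]) -> bool:
    """Dispatch one request according to the chosen strategy; anything not
    routed to a verifier is refused."""
    decision = strategy(username)
    if decision == "local":
        return verify_local(username, otp)
    if decision == "remote":
        return verify_remote(username, otp)
    return False


# Constructed stand-ins for the local verifier and the brokered (RADIUS / web service) call.
def stub_local(username: str, otp: str) -> bool:
    return otp == "111111"


def stub_remote(username: str, otp: str) -> bool:
    return otp == "222222"


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, route_by_local_registration(name), route_by_explicit_group(name))
    print("still on legacy (strategy 1):", remote_dependents(route_by_local_registration))
    print("still on legacy (strategy 2):", remote_dependents(route_by_explicit_group))
```

Running the block prints each user's routing under both strategies and the list of users still tied to the legacy server; that list is the check to run before attempting to retire the remote server.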

How does a relying application interface to Echidna for authentication requests?

Applications that already support the RADIUS protocol can simply be configured to use the Echidna server. Other applications with more specific requirements can make use of the web services protocol, which supports WSI-SOAP and RESTful web service APIs. A precompiled Java client library is available that uses a fluent-style API for invoking the web services.

I use Microsoft Windows Server, Active Directory and Microsoft Internet Information Services (IIS). Can I use Echidna to provide support for Single Sign-On (SSO)?

Yes, Echidna can be used to provide support for Single Sign-On (SSO). It adds a two-factor authentication (2FA) layer for applications that use Active Directory Federation Services (ADFS) for SSO. The integration between Echidna and ADFS is achieved via an ADFS plugin.

If I have an application that uses SAML authentication, can I use Echidna for providing two-factor authentication (2FA)?

Yes, Echidna can provide two-factor authentication (2FA) for an application that uses ADFS's support for Security Assertion Markup Language (SAML). Active Directory Federation Services (ADFS) uses standard SAML protocols to interact with relying applications. For securing a SAML-based application, Echidna provides a simple and cost-effective path to 2FA that eliminates password theft and reuse as an attack vector, raising the level of security. SAML-based applications work with the ADFS plug-in supported by Echidna, which allows users to sign in to applications securely with their credentials plus 2FA, using hardware security tokens based on the open OATH standard, mobile security tokens such as Salt mCodeXpress, or SMS OTP.

Does Echidna support PSD2 basic requirements for dynamic linking?

Yes, Echidna supports the basic PSD2 requirements for dynamic linking, that is, binding the authentication code to the transaction context, through a range of authentication methods.

Echidna supports Salt Mobile tokens capable of challenge/response, QR code signing and advanced connected transaction-signing methods, each dynamically linking the code to the transaction context.

Echidna also supports traditional SMS OTP and challenge/response tokens for dynamic linking.
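What "dynamic linking" means in practice, as an added example that is not Echidna's code and not the format of any Salt token. The challenge, the HMAC-based code derivation and the demo seed (the RFC 4226 test-vector secret) are constructed here to show the property PSD2 asks for: the code a token produces is bound to the amount and payee the user confirmed, so a code cannot be replayed or reused for a transaction whose details differ from the ones the server is about to execute.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed (the RFC 4226 test-vector secret). A real token seed is
# provisioned at enrolment and never leaves the device or the server's HSM.
DEMO_SEED = b"12345678901234567890"


def transaction_digest(amount: str, currency: str, payee: str) -> bytes:
    """Canonical hash of the transaction context. Fields are joined with a NUL
    separator so two different field splits can never yield the same byte string."""
    for field in (amount, currency, payee):
        if "\x00" in field:
            raise ValueError("NUL is not permitted inside a transaction field")
    canon = b"\x00".join(f.encode("utf-8") for f in (amount, currency, payee))
    return hashlib.sha256(canon).digest()


def make_challenge(nonce: bytes, amount: str, currency: str, payee: str) -> bytes:
    """Server-side challenge: a fresh nonce (replay protection) bound to the transaction."""
    return nonce + transaction_digest(amount, currency, payee)


def signing_code(seed: bytes, challenge: bytes, digits: int = 8) -> str:
    """Token-side computation: HMAC-SHA256 over the challenge, truncated HOTP-style
    (RFC 4226 dynamic truncation) to a fixed number of decimal digits."""
    mac = hmac.new(seed, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # 0..15, window stays inside 32 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_signed_transaction(seed: bytes, nonce: bytes, amount: str, currency: str,
                              payee: str, presented_code: str) -> bool:
    """Server-side check: recompute the code from the server's own view of the
    transaction. If that view differs from what the user confirmed on the token,
    the recomputed code differs and the transaction is refused."""
    expected = signing_code(seed, make_challenge(nonce, amount, currency, payee))
    return hmac.compare_digest(expected, presented_code)


def new_nonce() -> bytes:
    """One nonce per transaction; the server stores it and must never reuse it."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    nonce = new_nonce()
    # The user reads "250.00 EUR to PAYEE-PLACEHOLDER" on the token and approves it.
    code = signing_code(DEMO_SEED, make_challenge(nonce, "250.00", "EUR", "PAYEE-PLACEHOLDER"))
    print("code as confirmed by user:", code)
    print("server executes 250.00 EUR:",
          verify_signed_transaction(DEMO_SEED, nonce, "250.00", "EUR", "PAYEE-PLACEHOLDER", code))
    # If the request the server received was altered in transit, the link is broken.
    print("server sees 2500.00 EUR:",
          verify_signed_transaction(DEMO_SEED, nonce, "2500.00", "EUR", "PAYEE-PLACEHOLDER", code))
```

The point to take from the demo is the second check: a valid code for one transaction is useless for another, which is the protection that a plain OTP (bound only to time or a counter) does not give. Any real deployment would use the token vendor's specified algorithm, for example OATH OCRA, rather than this illustrative construction.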

Does Echidna support PSD2 protection of the "possession element"?

Yes, Echidna supports Salt Mobile tokens, which include security controls to protect against cloning, thereby addressing the PSD2 "possession element" protection requirement.