What does the AAVerify command do and how is it useful?

  • 7940294
  • 19-Aug-2009
  • 24-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions



Situation

Question

What does the AAVerify command do and how is it useful?

Resolution

Answer

Note: Information on AAVerify is also in the SecureLogin SSO scripting guide.

SecureLogin SSO’s AAVerify command can enforce strong security on applications and functions that are unable to do so natively. The command can only be used in conjunction with NetIQ Advanced Authentication Framework (NAAF) or Novell Modular Authentication Services (NMAS). For it to work, you must have installed and configured SecureLogin SSO and EITHER NMAS or NAAF. NMAS and NAAF enforce authentication that is stronger than passwords.

AAVerify can be used to force strong authentication such as biometric (e.g. fingerprint), token (e.g. ActivIdentity, VASCO or RSA) or Smartcard logon to applications, including basic applications such as Hotmail or even Notepad.

AAVerify works by requesting the configured strong authentication method before SecureLogin SSO will retrieve and enter the username and password for the application, or perform transactions such as print (the later is customizable).

From a user’s point of view, they authenticate to the network (e.g. ADS or eDirectory) using strong authentication (e.g. a fingerprint scan). Once authenticated to the network, the user launches their SSO enabled applications. Without AAVerify, SecureLogin SSO would retrieve the user’s application username and password and automatically log the user on. With AAVerify, the user would be prompted to scan their fingerprint and their credentials would not be retrieved until a successful fingerprint scan occurred.

AAVerify can also be used to provide transaction based authentication. For example, you could prompt a user for their smart card/PIN, fingerprint of OneTimePassword before printing from a sensitive database or when transferring large sums of money.

Another example of how AAVerify can be used is if the workstation is logged on as JCitizen but you require their manager’s fingerprint to verify a logon or transfer of money. AAVerify could request the authentication method of the manager using the –User switch.

The Administrator can configure which applications require AAVerify and which will SSO without requesting the re-verification. The application is not changed at all and no modules are required on your application servers making support and maintenance a breeze.

AAVerify is popular at sites with high security requirements and where leaving the workstation unattended is seen as a critical security risk.

The section of the script below demonstrates the power of AAVerify.

#======================================================== 
# Logon Prompt 
# If the user’s fingerprint is verified, SecureLogin will 
# retrieve their credentials and logon 
# If verification is cancelled, the screen is locked 
#======================================================== 
Dialog Title “Log in” 
Class #32770 
EndDialog 
AAVerify –Method “Biometric” ?Result If ?Result Eq ""True"" 
SetPrompt ""Username:"" 
Type $Username #1001 
SetPrompt ""Password:"" 
Type $Password #1002 
Click #1 
Else 
Run ""c:\windows\system32\rundll32.exe""""user32.dll,LockWorkStation"" 
EndIf