Key features of the Hideez Authentication Service in 5 minutes
Hideez Authentication Service – Key features
- can be deployed on both Windows and Linux servers
- is deployed from source or run in Docker
- must be deployed on the Customer's side and integrated into the domain to work with AD
- can be used as a FIDO key server
- supports security keys from different vendors
- the Hideez Client can be installed centrally from an .msi package
- the Hideez Client is designed for Windows 10-11 only
- the server address can be registered on all Clients centrally
- Replaceable (Hideez Key 3) or rechargeable (Hideez Key 4) battery
- Multifunctional button with different color modes
- Bluetooth connection
- Passwordless login on HES (FIDO2/WebAuthn)
- Usernameless login on HES (FIDO2/WebAuthn)
- Universal Second Factor Authentication on HES (FIDO U2F)
- USB, NFC, Bluetooth connection
- Compatible with Android and iOS devices
- Mobile sign-ins to any Windows account type (via RDP as well; passwordless TPM-based, password-based)
- Single sign-on option
- OTP generation
The keys and the Authenticator application can be used either together or separately.
If your application is a SAML 2.0 Service Provider, you are ready to add an extra layer of security with the Hideez IdP: enable 2FA and use Hideez security keys or your own (third-party or platform) authenticators. The SAML IdP uses the HES identity store or Active Directory for authentication and provides federation for such service providers. Hideez Enterprise Server supports SAML 2.0 login, logout, single logout and metadata. Both SP-initiated and IdP-initiated sign-on are supported.
There are different account types by affiliation and storage location:
- Personal accounts are created on the server by the admin and assigned to a specific employee. The employee uses the account but cannot change it. When the key and the server synchronize, the passwords are written to the key and deleted from the server; from then on they are stored only on the employee's key.
- Shared accounts are created on the server by the admin and can be assigned to several employees. Employees use the account but cannot change it. When the key and the server synchronize, the passwords are written to the key but are NOT deleted from the server; from then on they are stored both on the key and on the server. Use the Data Protection option to protect this data on the server.
- Private accounts are created by an employee from the Hideez Client interface; the administrator does not know about their existence, and they are not transferred to the server. An employee can add only Web / App accounts this way.
Account types by stored access
You can create an account to access sites and / or applications and to unlock a computer (local account, domain account, Microsoft account, or Azure AD account).
The same account can be used both to access websites / applications and to unlock a PC. For example, you can specify a domain account together with the sites / applications that accept domain authorization.
Once the Hideez Client is installed on the user's computer, the computer appears in the section of the same name on the server. A prerequisite is that the administrator must approve this computer to work with Hideez Key.
If the computer is not approved, the user will not be able to connect the key: an employee cannot use a work-issued key on an arbitrary laptop / computer unless the administrator allows that machine.
Access profiles are a tool for strengthening or relaxing security settings for specific users. You can configure whether the button must be pressed / the PIN code entered / the server connection present for the first connection of the key to the computer and for access to the password manager in the Hideez Client.
To enhance security, you can require the PIN code to be entered every n minutes.
For the key to be able to unlock the computer, the following conditions must be met:
- the client is installed on the computer
- the computer is approved by the administrator on the server
- the key has an account to unlock the computer
- the workstation must be added to "Proximity Unlock Workstations"
This method does not require any additional settings; everything works out of the box. If the above conditions are met, touching the dongle with the key unlocks the computer.
Unlock by proximity (when the Bluetooth signal strength reaches a configured level)
This scenario requires additional configuration: the key that is allowed to unlock the computer by proximity must be specified in the Workstation settings on the HES server.
Limitations: this method is intended for a computer used by a single person. If two or more users work on the same computer, this unlocking method can be allowed only if these employees work in shifts and cannot be near the computer at the same time.
The administrator can configure the Bluetooth signal level at which the computer is locked or unlocked, but only as a percentage of signal strength. The real distance in meters depends on the specific room (its furnishings, obstacles, other wireless devices, and radio load).
Unlock with the Security Key (FIDO2)
This method only works if you are using Azure AD. The Hideez Bluetooth Dongle and Hideez software are not required; only a configured key and settings on the Azure AD side.
To configure workstation locking using the Proximity mechanism, the admin needs to create or edit the profile that the workstation uses. In this profile, the admin specifies the signal strength for Proximity Lock and Unlock, and the delay before the computer is locked. Please note that unlocking a workstation via Proximity works only after the workstation has been added to Proximity Unlock Workstations on the employee page.
Once the key is moved away and the Bluetooth signal level falls below the configured value, the PC is locked.
For the key to lock the PC, the PC must have been unlocked with the Hideez Key, or, if it was unlocked manually, the key must afterwards be connected to the Client.
- if you unlocked the computer manually and did not connect the key, there is no automatic lock. This is indicated by the red Hideez Client icon.
- if you unlocked the computer manually and then connected the key to the Client, the computer will be locked by proximity. The Hideez Client icon shows the standard blue color.
- if you unlocked the computer with the key, the PC will be locked by proximity.
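The following simulation is an added illustration of the lock/unlock logic described above; it is not Hideez code and does not reflect the Client's internals. It assumes the signal level is sampled once per second as a percentage, that the unlock level is set above the lock level (hysteresis, so the PC does not flap between states at the boundary), that the lock delay is counted in consecutive samples below the lock level, and the three manual-unlock rules from the list above. The threshold values and the sample series are constructed for the demonstration.

```powershell
# Added example: a model of proximity lock/unlock with hysteresis and lock delay.
# Not Hideez code; thresholds, delay semantics and input samples are assumptions.
function Invoke-ProximitySimulation {
    param(
        [int[]]$Samples,            # Bluetooth signal level in %, one sample per second (constructed)
        [int]$UnlockLevel = 70,     # level at/above which the PC unlocks (assumed profile value)
        [int]$LockLevel   = 40,     # level below which the lock timer runs (assumed profile value)
        [int]$LockDelay   = 3,      # consecutive seconds below LockLevel before locking (assumed)
        [switch]$ManualUnlock,      # PC was unlocked by password, not with the key
        [switch]$KeyConnected       # key was connected to the Hideez Client after a manual unlock
    )

    if ($UnlockLevel -le $LockLevel) {
        throw "Unlock level must be above lock level; otherwise the PC flaps at the boundary."
    }

    $state         = if ($ManualUnlock) { 'Unlocked' } else { 'Locked' }
    # Auto lock is armed only if the key unlocked the PC or was connected afterwards (red icon otherwise).
    $autoLockArmed = (-not $ManualUnlock) -or $KeyConnected
    $belowFor      = 0
    $events        = [System.Collections.Generic.List[string]]::new()

    for ($t = 0; $t -lt $Samples.Count; $t++) {
        $level = $Samples[$t]
        if ($state -eq 'Locked') {
            if ($level -ge $UnlockLevel) {
                $state = 'Unlocked'; $autoLockArmed = $true; $belowFor = 0
                $events.Add("t=$t level=$level% -> UNLOCK (key in range)")
            }
        }
        elseif ($autoLockArmed) {
            if ($level -lt $LockLevel) {
                $belowFor++
                if ($belowFor -ge $LockDelay) {
                    $state = 'Locked'; $belowFor = 0
                    $events.Add("t=$t level=$level% -> LOCK (below $LockLevel% for $LockDelay s)")
                }
            }
            else {
                $belowFor = 0   # signal recovered before the delay expired: timer resets
            }
        }
        # else: unlocked manually and key never connected, so nothing locks the PC
    }

    [pscustomobject]@{ FinalState = $state; AutoLockArmed = $autoLockArmed; Events = $events }
}

# Constructed series: user approaches, stays, steps away for 2 s, returns, then leaves.
$samples = 10, 30, 55, 75, 80, 78, 35, 38, 60, 72, 30, 25, 20, 15

$r = Invoke-ProximitySimulation -Samples $samples
$r.Events          # UNLOCK at t=3; the 2-second dip at t=6..7 resets; LOCK at t=12
$r.FinalState      # Locked

# Manual unlock, key never connected: the signal drop never locks the PC.
(Invoke-ProximitySimulation -Samples $samples -ManualUnlock).FinalState               # Unlocked
# Manual unlock, then key connected to the Client: proximity lock is active again.
(Invoke-ProximitySimulation -Samples $samples -ManualUnlock -KeyConnected).FinalState  # Locked
```

The check on the two levels is the practical point: a profile whose lock level is at or above its unlock level will lock and unlock repeatedly whenever the user sits at the edge of range, and the lock delay only suppresses short dips, not a misordered pair of thresholds.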
You can recreate the organizational structure of your company on the HES server by adding departments or subsidiaries. This is entirely optional, but the filled-in data lets reports be filtered by department. For imported users, this data can be retrieved from AD.
To allow convenient management of Hideez Keys, each key has a status, which lets the Administrator implement the security policies adopted by the company.
This status means that Hideez Key is clear of any data and can be given to an employee.
Devices fall into this status:
- immediately after import
- after a Wipe procedure
This status means that the Hideez Key has been issued/sent to the user but has not yet been activated by the user. The key cannot be used yet and holds no data; an activation procedure is required.
You can add accounts to a Hideez Key in this status, but they are physically written to it only when the device switches to the Active status.
This status means that Hideez Key is in working order, and you can use the key. This status allows adding/changing/deleting accounts, etc.
This status means that the Hideez Key is locked at the hardware level as a result of entering an incorrect PIN or activation code. The user cannot work with it until the device is unlocked.
This status means that the Hideez Key is temporarily unavailable for use. This may be the case when:
- the employee was temporarily barred from using the Hideez Key (e.g. while on vacation) and the status was assigned manually
- the Administrator moved the Hideez Key out of the Locked status with the Activate device command; the Hideez Key remains unavailable until the User enters the correct activation code
This status means that the Hideez Key was taken away from the previous user but the data on it has not been erased yet, or that it is broken.
This status means that the Hideez Key has been compromised. The administrator sets the status, the device is wiped, and all links are deleted. Data cannot be restored.
There are 2 mechanisms for adding employees to HES.
If you do not use Active Directory, you can add an employee manually. You can save just the name and complete the full configuration much later, or create the employee with full configuration at once.
If you have Active Directory in your company and want the most complete integration with it, read the next section.
You need to create the following groups in AD:
- Security Key Owners
- Security Key Auto Password Change
Add all employees to whom hardware keys will be issued to the Security Key Owners group.
The Security Key Auto Password Change group must contain the employees whose domain account passwords will be generated automatically and changed on schedule. These employees will then be able to log in only with the Hideez Key.
Once all the settings for AD access are saved on HES and the initial import has completed, the Security Key Owners and Security Key Auto Password Change groups are synchronized automatically with the list of users in HES.
Synchronization with AD occurs once an hour. How does it work? Suppose you want to add a new employee who is allowed to use a hardware security key. Add them to the Security Key Owners group and they will appear in the list of employees on HES after the next synchronization. After that, assign a key to the employee and go through the remaining steps.
Suppose you want some employees to have their AD passwords changed automatically on a regular basis. Neither the user nor the administrator will know these passwords! The password is stored only on the hardware key, and authorization to the domain account is possible only when the key is present.
Add the user to the Security Key Owners and Security Key Auto Password Change groups at the same time. As soon as an employee is imported from AD, their domain account is imported as well (even before a hardware key is assigned). The password cannot be imported from AD, so it is generated on the HES side. After a hardware key is assigned to the employee, a server-side task is created to write the domain account with the new password to the key. The employee continues to use the current password to log into the domain account until the hardware security key is connected for the first time.
The key is activated at the time of the first connection (do not forget to give the employee the activation code). The task sent earlier by the server to create the account with the new password is then executed: the user's password in AD is updated and written to the key at the same time.
Subsequent automatic password changes follow the settings on HES.
Suppose you want to stop the automatic password change for a domain account.
Remove the user from the "Security Key Auto Password Change" group. Automatic password changes will stop.
Suppose you want to revoke an employee's right to use the hardware security key.
Remove the employee from the Security Key Owners group; their key will go into the "Deactivated" state after the next synchronization. The employee is not removed from HES (their action history is preserved), but they can no longer use the key. You only have to collect the hardware key from the employee and carry out the Wipe procedure before it can be given to another employee.
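The group operations above, collected into one script as an added example (not part of the Hideez documentation and not HES code), using the ActiveDirectory PowerShell module. The OU path, the account name and the description text are assumptions; the two group names are the ones the page requires. Because HES synchronizes with AD hourly, every change below becomes visible in HES only after the next synchronization.

```powershell
# Added example: managing the two AD groups that drive HES synchronization.
# Group names are from the page; OU path, user name and description are assumed.
Import-Module ActiveDirectory

$OwnersGroup  = 'Security Key Owners'
$AutoPwdGroup = 'Security Key Auto Password Change'
$GroupOU      = 'OU=Groups,DC=example,DC=com'   # assumed; use the OU HES is configured to read

# 1. Create both groups once (skipped if a group with that name already exists).
foreach ($name in $OwnersGroup, $AutoPwdGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description 'Synchronized by Hideez Enterprise Server (assumed text)'
    }
}

# 2. Issue a key: membership in Owners is enough. Add Auto Password Change as well when HES
#    should rotate the domain password so that neither user nor admin knows it.
function Grant-HideezKey {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$AutoPasswordChange)
    Add-ADGroupMember -Identity $OwnersGroup -Members $SamAccountName
    if ($AutoPasswordChange) {
        Add-ADGroupMember -Identity $AutoPwdGroup -Members $SamAccountName
    }
}

# 3. Stop automatic rotation but keep the key.
function Stop-HideezAutoPasswordChange {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity $AutoPwdGroup -Members $SamAccountName -Confirm:$false
}

# 4. Revoke the key: after the next sync the key becomes Deactivated while the employee record
#    stays in HES. Remove both memberships, then collect and wipe the physical key.
function Revoke-HideezKey {
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($group in $AutoPwdGroup, $OwnersGroup) {
        $isMember = Get-ADGroupMember -Identity $group |
            Where-Object SamAccountName -eq $SamAccountName
        if ($isMember) {
            Remove-ADGroupMember -Identity $group -Members $SamAccountName -Confirm:$false
        }
    }
}

# 5. Consistency check: the page's procedure puts auto-change users in BOTH groups.
#    Flag accounts that are in Auto Password Change but not in Owners.
function Test-HideezGroupConsistency {
    $owners = Get-ADGroupMember -Identity $OwnersGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $auto   = Get-ADGroupMember -Identity $AutoPwdGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $orphans = @($auto | Where-Object { $_ -notin $owners })
    if ($orphans.Count -gt 0) {
        Write-Warning "In Auto Password Change but not in Owners: $($orphans -join ', ')"
    }
    return ($orphans.Count -eq 0)
}

# Usage with an assumed account name:
Grant-HideezKey -SamAccountName 'jdoe' -AutoPasswordChange
Test-HideezGroupConsistency
```

Run the consistency check after bulk membership changes and before the next hourly sync. On large groups, note that Get-ADGroupMember is served through the Active Directory Web Services, whose default MaxGroupOrMemberEntries limit is 5000 members; for bigger groups read the Member attribute of the group object instead.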
Each Hideez Key has a factory-assigned RFID code. It can either be entered into your ACS (access control system), or you can assign a new RFID code of your choice to the Hideez Key using a dedicated programmer. The programmer can be purchased separately or may be included with your ACS.
It is impossible to change the RFID code on a Hideez Key without a programmer!