M.19 biometric password managers – APC BIOM34-EC User Manual

Page 17

click Enroll Authentication Device, and authenticate with OmniPass. Select the fingerprint recognition device in the Select Authentication Device screen (it should already be marked by a green check if you have a finger enrolled) and click Next. The rest of the procedure to enroll an additional finger can be found starting with Chapter 2.3.2.

If you click Set Authentication Rules in the Enrollment interface, you will be prompted to authenticate. Upon successful authentication you will see the Set Authentication Rules screen. The selections on the Set Authentication Rules screen determine which OmniPass functions require authentication via an enrolled security device.

You can individually set authentication rules for each enrolled security device. If you have not enrolled any hardware security devices, then you cannot set any authentication rules. All OmniPass functions are accessible via a master password authentication.

Setting Windows and OmniPass Logon will require authentication with the enrolled security device for the following functions: Windows Logon, OmniPass Logon, unlocking your workstation, resuming from standby or hibernate, and unlocking a password-enabled screensaver. In a Windows XP environment, this selection may not be available until you Enable Logon Security. See Chapter 6.3 to see how this is done.

WARNING: If this setting is enabled for an enrolled security device, and the device fails or is removed from the system, you will not be able to regain access to your system. Only through a successful authentication via the enrolled device will access be granted.

Example - You have a SmartCard device and a fingerprint recognition device enrolled. The SmartCard authentication rules are set independently of the fingerprint reader authentication rules, but rules are cumulative.

1. If there are no selections checked for any enrolled authentication devices, then there are no OmniPass authentication restrictions, and you can access any OmniPass function using any method to authenticate (enrolled finger, master password, enrolled SmartCard).

2. For SmartCard authentication rules you checked Windows and OmniPass Logon and File and Folder Encryption and Decryption. For fingerprint reader authentication rules you checked Windows and OmniPass Logon and Application and Website Password Replacement.

   a. If you visit a remembered website, OmniPass will prompt you to authenticate and will not grant you access to the website until you successfully authenticate with an enrolled finger. Successful authentications with master password or enrolled SmartCard are not sufficient.

   b. If you attempt to encrypt or decrypt a file with OmniPass, you will be prompted to authenticate and OmniPass will not allow you to encrypt/decrypt until you successfully authenticate with an enrolled SmartCard. Successful authentications with master password or enrolled finger are not sufficient.

   c. If you log out of Windows (or OmniPass) and attempt to log back in, you will be prompted to authenticate and OmniPass will not allow you to log back on until you successfully authenticate with BOTH a fingerprint reader AND a SmartCard. This dual authentication requirement is a Multi-Factor Authentication. Successful authentication with a master password, or with just the fingerprint reader, is not sufficient. Neither are successful authentications with just the SmartCard. Loss or failure of either the SmartCard or the fingerprint reader will result in an inaccessible system.
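
The cumulative behaviour in the example above can be checked with a small model. This is an added illustration, not OmniPass code and not part of the original manual; the function names, device labels and the rule dictionary are hypothetical. It also lists which devices become a single point of failure for logon, as the WARNING describes.

```python
# Added illustration of the cumulative rule semantics in the example above.
# Not OmniPass code: every name below is hypothetical.
LOGON = "Windows and OmniPass Logon"
FILE_CRYPT = "File and Folder Encryption and Decryption"
PW_REPLACE = "Application and Website Password Replacement"
MASTER = "master password"


def required_devices(rules, function):
    """Devices that have `function` checked; rules are cumulative, so
    every one of them must authenticate."""
    return {dev for dev, checked in rules.items() if function in checked}


def is_allowed(rules, function, presented):
    """`presented`: methods that authenticated successfully this attempt."""
    presented = set(presented)
    required = required_devices(rules, function)
    if required:
        # Master password and other devices cannot substitute.
        return required <= presented
    # No rule checked anywhere: any enrolled device or the master password.
    return bool(presented & (set(rules) | {MASTER}))


def lockout_devices(rules):
    """Devices whose loss or failure makes logon impossible (the WARNING)."""
    return sorted(required_devices(rules, LOGON))


# Constructed input mirroring case 2 of the manual's example.
EXAMPLE_RULES = {
    "smartcard": {LOGON, FILE_CRYPT},
    "fingerprint": {LOGON, PW_REPLACE},
}

if __name__ == "__main__":
    for fn in (LOGON, FILE_CRYPT, PW_REPLACE):
        print(f"{fn}: requires {sorted(required_devices(EXAMPLE_RULES, fn))}")
    print("single points of failure for logon:", lockout_devices(EXAMPLE_RULES))
```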

6.3 System Settings

The OmniPass Startup Options interface can be found in the System Settings tab. With these options you can specify how your OmniPass Logon is tied to your Windows Logon.

In a Windows XP environment, the Enable Strong Logon Security interface will also be available. This allows you to enable restricted Authentication Rules functionality. If you would like to further strengthen Windows and OmniPass logon security, open the Enable Strong Logon Security interface and check the cleared checkbox. Select OK or Apply, and you will need to restart before the settings take effect. Under User Settings, you will now be able to set the Authentication Rules for Windows and OmniPass Logon.

The rest of this section pertains to settings under the Startup Options interface.

The first option, Automatically log on to OmniPass as the current user, will do just as it says; during Windows login, you will be logged on to OmniPass using your Windows login credentials. If the user logging into Windows was never enrolled into OmniPass, upon login no one will be logged on to OmniPass. This setting is appropriate for an office setting or any setting where users must enter a username and password to log into a computer. This is the default setting.

With the second option, Manually log on to OmniPass at startup, OmniPass will prompt you to login once you have logged on to Windows.

With the third option, Do not log on to OmniPass at startup, OmniPass will not prompt for a user to be logged on.

You can manually log on to OmniPass by right-clicking the OmniPass taskbar icon and clicking Log in User… from the right-click menu.

OmniPass has a feature where any authentication device can be set as "Required" for Windows Logon. This feature is referred to as Strong Logon Authentication.

For Strong Logon Authentication to work on Windows XP, the system has to be switched to the Classic Logon Mode. An unfortunate side effect of enabling the Classic Logon Mode is that Fast User Switching (FUS) and the XP Welcome Screen must be disabled. This is a Windows XP limitation. Enable Strong Logon Authentication in OmniPass Control Center from the System Settings tab. Once you have enabled Strong Logon Authentication you have to reboot the system for the setting to take effect.

To get back to the XP Welcome Screen or to turn FUS back on, the user will have to disable Strong Logon Authentication, reboot the system and then manually enable the XP Welcome Screen and FUS from the User Accounts in Windows Control Panel. Once this is done the fingerprint reader or other security device can no longer be made a "Required" device for login to the PC.

This feature is specific to Windows XP only. For Windows 2K and 2003 Server, Strong Logon Authentication is always enabled.

6.4 Encrypt/Decrypt

The Encrypt/Decrypt tab provides a window through which you can do encryption and decryption functions (see Chapter 4). Similar to the Windows Explorer, the Encrypt/Decrypt window presents the directory structure of your system. You can select files and folders and use the Encrypt and Decrypt buttons to encrypt and decrypt files. Some files and folders used by the Windows system or by other programs cannot be encrypted by OmniPass. Directing OmniPass to encrypt or decrypt a file will result in OmniPass prompting you for authentication. If you cannot authenticate successfully, the file will not be encrypted or decrypted. You can bypass the Encrypt/Decrypt tab by using the OmniPass encryption/decryption shell extension. In the normal course of browsing and accessing your files, if you right-click the file and see OmniPass Encrypt File(s) or OmniPass Decrypt Files(s), those OmniPass functions are available to you. Encryption/decryption will occur upon successful authentication.
