IDG Authentication Methods Data Sheet

The document discusses authentication methods available in Entrust IdentityGuard, an authentication solution that secures financial institutions, enterprises, and governments. It provides an overview of flexible security options, transparent authentication methods like digital certificates and device authentication, and physical authenticators like one-time passcode tokens, display cards, and biometrics. The solution aims to match authentication strength to the level of risk while maintaining usability.

Entrust IdentityGuard
Strong Authentication Methods

Entrust IdentityGuard is an award-winning software-based authentication solution that secures many of the world’s leading financial institutions, enterprises and governments.

The solution serves as an organization's single comprehensive software-based authentication platform, bridging you to emerging technologies for strong mobility, cloud and credentialing offerings. Improve confidence for online transactions and identity authentication for access to applications or resources.

Flexible Security

The flexibility and range of Entrust IdentityGuard authenticators allow organizations to apply strong authentication across the enterprise, instead of just for a select group of users. It’s a single point of administration, regardless of the authentication option or combination of options deployed. Evolve and change authentication methods over time as risks and the operating environment change.

Security Matches Risk

The software authentication platform allows organizations to match the authentication strength and mechanism to the amount of associated risk in the user’s role, usability requirements and cost considerations.

Understanding Authentication

Do you want authentication to be transparent to the user? Would you like the user to carry a physical device or authenticate online? Do you want the website to authenticate itself to the user as well? How sensitive is the information you are protecting and what is the associated risk? Review the platform’s full range of authenticators and discover which may be right for your organization.

Integrates with Fraud Detection

The platform also leverages Entrust’s proven fraud detection capabilities to help financial organizations build a comprehensive authentication strategy based on its unique online requirements, not the limitations of an individual authentication method.

Product Benefits

• Serves as a single identity management platform for physical, logical and mobile authentication
• Proven authenticators as part of the Entrust IdentityGuard software authentication platform
• Offers widest range of authentication capabilities available on the market today
• Deploys authenticators based on user requirements, level of risk and cost
• Enables advanced protection against man-in-the-browser attacks
• Authenticators proven in mass market deployments
• Cost-effective solution that is a fraction of the cost of traditional two-factor options

Transparent Authentication
Transparent authenticators validate users without requiring day-to-day involvement.

Digital Certificates

Entrust IdentityGuard can leverage existing X.509 digital certificates issued from
Entrust’s managed digital certificate service or a third party to authenticate users.
Certificates can be stored locally or on secure devices like smart cards and USB tokens.
Organizations without an in-house PKI can obtain certificates via Entrust's hosted
PKI services.

IP-Geolocation

Authenticated users can register locations where they frequently access the corporate
network. During subsequent authentications the Entrust IdentityGuard server compares
current location data — country, region, city, ISP, latitude and longitude — to those
previously registered. Organizations can step up authentication only when values
don’t match.

With IP-geolocation, organizations can create blacklists of regions, countries or IPs
based on fraud histories, or leverage the Entrust Open Fraud Intelligence Network
(OFIN) to receive updated lists of known fraudulent IPs based on independent
professional analysis.

Device Authentication

Authenticated users can register a computer or device that is frequently used to access
the corporate network. A sophisticated encrypted profile of the registered computer is
created and stored. During subsequent authentication, the Entrust IdentityGuard server
creates a new profile and compares it against the stored value. Step-up authentication
is required only when the values don’t match.

IP-geolocation and machine authentication, deployed in combination, offer an effective
and transparent authentication method for users.

Physical Form Factor Authenticators
Physical form factors are tangible devices that users carry and use when authenticating.
Entrust offers a number of physical authentication devices to meet diverse corporate
user requirements.

One-Time-Passcode Tokens

Entrust offers two versions of the popular one-time-passcode (OTP) token.

The Entrust IdentityGuard Mini Token is OATH-compliant and generates a secure
eight‑digit passcode at the press of a button. The OATH-compliant Pocket Token offers
additional features including PIN unlock prior to generating the passcode, in addition
to a challenge-response mode.

Display Card

The Entrust Display Card provides the same functionality as the popular token in a
credit card format. In addition to providing an OATH-compliant, one-time passcode, the
Display Card includes a magnetic stripe and can optionally include a PKI or EMV chip for
greater versatility.

Grid Authentication

The Entrust-patented grid card is a credit card-sized authenticator consisting of
numbers and characters in a row-column format. Upon login, users are presented with
a coordinate challenge and must respond with the information in the corresponding cells
from the unique grid card they possess.
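
The coordinate challenge described above can be sketched as follows. This is an added illustration, not Entrust's implementation: the 10x5 grid size, the cell alphabet, the three-cell challenge, the lockout threshold and all function and class names are assumptions made for the example.

```python
import hmac
import secrets
import string

ROWS = 5                       # assumed card size: rows 1-5
COLS = "ABCDEFGHIJ"            # assumed column labels
ALPHABET = string.digits + "ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed; omits I and O

def issue_grid():
    """Create one user's card: a random character for every (column, row) cell."""
    return {(c, r): secrets.choice(ALPHABET)
            for c in COLS for r in range(1, ROWS + 1)}

def new_challenge(n=3):
    """Pick n distinct coordinates with a CSPRNG, e.g. [('C', 2), ('H', 5), ('A', 1)]."""
    cells = [(c, r) for c in COLS for r in range(1, ROWS + 1)]
    return secrets.SystemRandom().sample(cells, n)

class GridVerifier:
    """Server-side state for one user's grid authenticator."""

    def __init__(self, grid, max_failures=3):
        self.grid = grid
        self.pending = None          # coordinates of the outstanding challenge
        self.failures = 0
        self.max_failures = max_failures

    def challenge(self, n=3):
        # Lock out after repeated failures so cells cannot be guessed one by one.
        if self.failures >= self.max_failures:
            raise PermissionError("grid authenticator locked")
        self.pending = new_challenge(n)
        return self.pending

    def verify(self, response):
        """Check a response against the outstanding challenge, which is single-use."""
        coords, self.pending = self.pending, None
        if coords is None or self.failures >= self.max_failures:
            return False
        expected = "".join(self.grid[c] for c in coords)
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(),
                                 response.strip().upper().encode())
        self.failures = 0 if ok else self.failures + 1
        return ok
```

Because every challenge is consumed by the first verification attempt, a captured response cannot be replayed against the same coordinates without a fresh challenge being issued.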

One-Time-Passcode List

End-users are provisioned with a list of randomly generated passcodes or transaction
numbers (TANs) that are typically printed on a sheet of paper and distributed
to end‑users. Each passcode is used just once.

Biometrics

Entrust leverages biometric fingerprint data to provide an effective balance between
authentication strength and user convenience for Microsoft® Windows® logon. To protect
user privacy, fingerprint data is stored in a database or on an Entrust smartcard as an
encrypted mathematical representation — sometimes known as a hash — and compared
to the actual fingerprint provided at the time of authentication. This stored information
cannot be reverse-engineered, ensuring the protection of personally identifiable
information (PII).

Non-Physical Form Factor Authenticators
Non-physical form factor authentication provides methods of verifying user identities
without requiring them to carry an additional physical device.

Knowledge-Based Authentication

Knowledge-based authentication challenges users to provide information an attacker
is unlikely to possess. Questions presented to the user at the time of login are based
on information (referred to as authentication secrets) that was supplied by the user at
registration or based on previous transactions or relationships. Entrust IdentityGuard
allows the administrator to determine the number and type of questions asked.

Out-of-Band Authentication

Out-of-band authentication leverages an independent and pre-existing means to
communicate with the user to protect against attacks that have compromised the
primary channel.

Entrust IdentityGuard supports this capability by allowing the generation of one-time
confirmation numbers that can be transmitted along with a transaction summary to the
user. This can be done directly via email or SMS, or sent through voice to a registered
phone number. Once the confirmation number has been received, it is simply entered
by the user and the transaction is approved.

Entrust IdentityGuard Mobile

Whether for consumer, government or enterprise environments, Entrust IdentityGuard
provides mobile security capabilities via distinct solution areas — mobile authentication,
transaction verification, mobile smart credentials, and transparent authentication
technology with an advanced software development kit.

Supporting the use of the OATH standard for time-based OTP, as well as out-of-band
transaction signatures, Entrust IdentityGuard Mobile is one of the most convenient,
easy to use and secure mobile authentication methods available today.

Entrust IdentityGuard Mobile is also one of the only authentication solutions on
the market today that addresses the man-in-the-browser (MITB) malware threat
— effectively and without user inconvenience.

Mobile Smart Credentials

Eliminate the need for physical smartcards by transforming today’s popular mobile
devices into mobile credentials for enterprise-grade authentication. Advanced mobile
smart credentials can be used with Bluetooth and near-field communication (NFC)
technology for greater convenience and secure connectivity.

SMS Soft Tokens

Similar to the platform’s out-of-band authentication capabilities, Entrust IdentityGuard
also includes SMS soft tokens, which enable the transmission of a configurable number
of one-time passcodes (OTP) to a mobile device for use during authentication.

Automatically replenished as needed, this dynamic soft-token approach delivers the
strength of out-of-band authentication without the concern for constant network
availability, delivery timing or software deployment to a mobile device.

[Figure: Software Authentication Platform. Authenticators shown: Transaction Verification, QR Code, Mobile Soft Token, Mobile Device Certificates, Mobile Smart Credential, SMS, Device Authentication, Grid / eGrid, Smartcards and USB, Digital Certificates, OTP Tokens, IP-Geolocation, Knowledge Based, Transaction Signing, Password, Mutual Authentication, Biometrics.]

Powered by Entrust IdentityGuard. The widest range of authenticators on the market today — all from a single platform.

eGrid

An alternative to hardware tokens, eGrid cards are sent to users via the Web or as a PDF,
which can be easily stored on a machine or mobile device for convenient access,
eliminating the need to carry a physical form factor.

Strong Username & Password

Entrust IdentityGuard typically provides a strong second factor of authentication
to an organization’s existing username and password infrastructure. The versatile
authentication platform can provide strong username and password login for
companies without an existing solution.

Mutual Authentication
Your organization needs to have confidence in the user’s identity. Likewise, users must
be confident that they are transacting with their organization or intended online site,
not a fraudulent organization or spoofed site. Mutual authentication provides methods
for your organization to confirm your legitimacy to users.

Image & Message Replay

Upon registration, the user selects an image from an extensive image bank supplied with
Entrust IdentityGuard. The user also creates a message. During subsequent logins the
image and message are presented to the user.

Grid Serial Number Replay

During login, the serial number of the user’s unique grid card is presented to the user.

Grid Location Replay

During login, the user is presented with the values of a number of cells from their
unique grid card.

Entrust EV Multi-Domain SSL Certificates

Organizations can deploy Extended Validation (EV) SSL certificates, which confirm the
Web site’s authenticity by displaying a green address bar — an obvious trust indicator
for the end-user.

Each method is designed to replay identifiable information to the user that could only
come from the legitimate organization itself, enabling users to quickly and easily confirm
the Web site is authentic.

About Entrust Datacard

Consumers, citizens and employees increasingly expect anywhere-anytime experiences, whether they are making purchases, crossing borders, accessing e-gov services or logging onto corporate networks. Entrust Datacard offers the trusted identity and secure transaction technologies that make those experiences reliable and secure. Solutions range from the physical world of financial cards, passports and ID cards to the digital realm of authentication, certificates and secure communications. With more than 2,000 Entrust Datacard colleagues around the world, and a network of strong global partners, the company serves customers in 150 countries worldwide. For more information about Entrust products and services, call 888‑690‑2424, email [email protected] or visit www.entrust.com.

Company Facts

Website: entrust.com
Employees: 359
Customers: 5,000
Offices: 10 globally

Headquarters

Three Lincoln Centre
5430 LBJ Freeway, Suite 1250
Dallas, TX 75240 USA

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All
other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. Entrust Datacard and
the hexagon logo are trademarks of Entrust Datacard Corporation. © 2015 Entrust. All rights reserved.
23637/9-15
