13.19 Linked Chains

This policy allows users to use a simple chain within a few hours of authentication done with a high-security chain. You must enable this policy for the Required chain option while creating a chain.

NOTE:This policy has replaced the Last Logon Tracking Options policy.

For example, if a user authenticates with the LDAP Password+Card chain once in a day, the user can further use a linked chain with only the Card method without the LDAP Password method, or if a user authenticates with the Fingerprint+Smartphone chain once in every four hours, the user can authenticate once with this chain and next authentication he can use only the linked Smartphone chain. The duration for which he can use the linked chain depends on the grace period that you specify in the Required chain option.

Perform the following steps to configure this policy:

  1. Enable linked chains: Turn this option to ON to enable the linked chain policy.

  2. Hide required chain: After using the required chain within the grace period, a user will see both the required and linked chains.

    Use this option to hide the required (high-security) chain after you authenticate once. Therefore after authenticating with the required chain, instead of displaying both the chains, only the linked chain is displayed. By default, this option is disabled.

  3. Limit by same endpoint: Use this option to restrict a user to authenticate with the alternate linked chain only on the endpoint on which the user has successfully authenticated with a required chain, during the grace period. This option increases security by preventing a user to get authenticated on another endpoint after authenticating with the required (main) chain on an endpoint. By default, the option is ON.

    For example, Bob authenticates on a Windows Client endpoint named System1 with a required chain Card+LDAP password. Now, Bob wants to get authenticated to another Windows Client endpoint named System2, with a linked chain Card. When the Limit by same endpoint option is enabled, Bob will not be able to authenticate on System2 with the linked chain Card. He must first authenticate with the required chain Card+LDAP password on System2.

    IMPORTANT:If you use the linked chains to access the Advanced Authentication portals or web integrations, set Limit by same endpoint to OFF.

  4. Click Save