4.1 About Passphrases

Passphrases are an important security component in the implementation of Novell® SecureLogin. Passphrases are unique question and answer combinations created to verify and authenticate the identity of a user. In a directory environment, you can create passphrase questions for users. Users can select one of these questions and provide an answer for it. You can also permit users to provide a question of their choice and the answer for it.

Passphrases protect user credentials from unauthorized use. For example, in a Microsoft Active Directory environment, you can potentially log in to the network as a user by resetting that user’s network password.

However, this cannot happen when you are using Novell SecureLogin. If someone other than the actual user tries to reset the network password, Novell SecureLogin triggers the passphrase question. The user must provide the correct answer before successfully logging in. Even an administrator cannot access the user’s single sign-on-enabled applications without knowing the user’s passphrase answer.

When Novell SecureLogin is launched for the first time on a user’s workstation, the Passphrase Setup dialog box is displayed.

In a Microsoft Windows Vista environment, when you log in to Novell SecureLogin in an offline mode with an incorrect password, you are prompted to provide the passphrase answer. If an incorrect passphrase answer is specified, you are prompted to retry the authentication.

However, if you again provide a wrong password, instead of seeing a prompt for the passphrase answer, you are prompted to specify the password (that is, instead of the passphrase dialog box, the password dialog box is displayed).

Close and relaunch Novell SecureLogin to be prompted for the password first, then prompted for the passphrase answer if an incorrect password is specified.

SecureLogin using the Novell Client™ does not support non-password-based NMAS™ logins if the passphrase options are disabled. This is not supported because SecureLogin either fails to open the local cache or opens the local cache file without any password.

Also, offline authentication does not work if you do a non-password-based NMAS authentication with the Passphrase Security System disabled. This is because SecureLogin in offline mode accepts only passphrases for non-password-based NMAS authentication. This scenario occurs only if SecureLogin is installed in Novell Client mode.

Figure 4-1 Passphrase Setup Dialog Box

Passphrase Authentication

Passphrases are used to authenticate when:

Benefits of Passphrases

Some of the benefits of using passphrases include:

NOTE: You can disable the passphrase security system, but doing so also removes the features mentioned in the preceding section.