click Enroll Authentication Device, and authenticate with OmniPass. Select the fingerprint recognition device in the Select Authentication Device screen (it should already be marked by a green check if you have a finger enrolled) and click Next. The rest of the procedure to enroll an additional finger can be found starting with Chapter 2.3.2.

If you click Set Authentication Rules in the Enrollment interface, you will be prompted to authenticate. Upon successful authentication you will see the Set Authentication Rules screen. The selections on the Set Authentication Rules screen determine which OmniPass functions require authentication via an enrolled security device.

You can individually set authentication rules for each enrolled security device. If you have not enrolled any hardware security devices, then you cannot set any authentication rules. All OmniPass functions are accessible via a master password authentication.

Setting Windows and OmniPass Logon requires authentication with the enrolled security device for the following functions: Windows Logon, OmniPass Logon, unlocking your workstation, resuming from standby or hibernate, and unlocking a password-enabled screensaver. In a Windows XP environment, this selection may not be available until you Enable Logon Security. See Chapter 6.3 for how this is done.

WARNING: If this setting is enabled for an enrolled security device, and the device fails or is removed from the system, you will not be able to regain access to your system. Only through a successful authentication via the enrolled device will access be granted.

Example - You have a SmartCard device and a fingerprint recognition device enrolled. The SmartCard authentication rules are set independently of the fingerprint reader authentication rules, but rules are cumulative.

1. If there are no selections checked for any enrolled authentication devices, then there are no OmniPass authentication restrictions, and you can access any OmniPass function using any method to authenticate (enrolled finger, master password, enrolled SmartCard).

2. For SmartCard authentication rules you checked Windows and OmniPass Logon and File and Folder Encryption and Decryption. For fingerprint reader authentication rules you checked Windows and OmniPass Logon and Application and Website Password Replacement.

a. If you visit a remembered website, OmniPass will prompt you to authenticate and will not grant you access to the website until you successfully authenticate with an enrolled finger. Successful authentications with master password or enrolled SmartCard are not sufficient.

b. If you attempt to encrypt or decrypt a file with OmniPass, you will be prompted to authenticate and OmniPass will not allow you to encrypt/decrypt until you successfully authenticate with an enrolled SmartCard. Successful authentications with master password or enrolled finger are not sufficient.

c. If you log out of Windows (or OmniPass) and attempt to log back in, you will be prompted to authenticate and OmniPass will not allow you to log back on until you successfully authenticate with BOTH a fingerprint reader AND a SmartCard. This dual authentication requirement is a Multi-Factor Authentication. Successful authentication with a master password, or with just the fingerprint reader, is not sufficient. Neither is successful authentication with just the SmartCard. Loss or failure of either the SmartCard or the fingerprint reader will result in an inaccessible system.
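The cumulative rule logic in the example above can be modelled in a few lines. This is an added illustration, not OmniPass code; the function and constant names are hypothetical, and the rule set is the one from case 2.

```python
# Model of the cumulative authentication rules in the example above.
# Added illustration only, not OmniPass code; all names are hypothetical.
LOGON = "Windows and OmniPass Logon"
PASSWORDS = "Application and Website Password Replacement"
ENCRYPTION = "File and Folder Encryption and Decryption"
FUNCTIONS = (LOGON, PASSWORDS, ENCRYPTION)
MASTER_PASSWORD = "master password"

# Constructed sample: the checkboxes from case 2 of the example.
RULES = {
    "SmartCard": {LOGON, ENCRYPTION},
    "fingerprint reader": {LOGON, PASSWORDS},
}


def required_devices(rules, function):
    """Every device that has `function` checked must authenticate."""
    return {dev for dev, checked in rules.items() if function in checked}


def access_granted(rules, function, presented):
    """`presented` is the set of methods that authenticated successfully."""
    required = required_devices(rules, function)
    if not required:
        # Unrestricted function: any one enrolled device or the master password.
        return bool(presented & (set(rules) | {MASTER_PASSWORD}))
    # Restricted: rules are cumulative, so all required devices are needed.
    return required <= presented


def lockout_report(rules, lost_device):
    """Functions that become unreachable if `lost_device` fails or is removed."""
    return [f for f in FUNCTIONS if lost_device in required_devices(rules, f)]


if __name__ == "__main__":
    for device in RULES:
        print(device, "lost ->", lockout_report(RULES, device))
```

Running lockout_report for each enrolled device before checking Windows and OmniPass Logon shows which functions a single device failure would make unreachable, which is the situation the WARNING above describes.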

6.3 System Settings

The OmniPass Startup Options interface can be found in the System Settings tab. With these options you can specify how your OmniPass Logon is tied to your Windows Logon.


In a Windows XP environment, the Enable Strong Logon Security interface will also be available. This allows you to enable restricted Authentication Rules functionality. If you would like to further strengthen Windows and OmniPass logon security, open the Enable Strong Logon Security interface and check the cleared checkbox. Select OK or Apply, and you will need to restart before the settings take effect. Under User Settings, you will now be able to set the Authentication Rules for Windows and OmniPass Logon.

The rest of this section pertains to settings under the Startup Options interface.

The first option, Automatically log on to OmniPass as the current user, will do just as it says; during Windows login, you will be logged on to OmniPass using your Windows login credentials. If the user logging into Windows was never enrolled into OmniPass, upon login no one will be logged on to OmniPass. This setting is appropriate for an office setting or any setting where users must enter a username and password to log into a computer. This is the default setting.

With the second option, Manually log on to OmniPass at startup, OmniPass will prompt you to log in once you have logged on to Windows.

With the third option, Do not log on to OmniPass at startup, OmniPass will not prompt for a user to be logged on.

You can manually log on to OmniPass by right-clicking the OmniPass taskbar icon and clicking Log in User… from the right-click menu.

OmniPass has a feature where any authentication device can be set as "Required" for Windows Logon. This feature is referred to as Strong Logon Authentication.

For Strong Logon Authentication to work on Windows XP, the system has to be switched to the Classic Logon Mode. An unfortunate side effect of enabling the Classic Logon Mode is that Fast User Switching (FUS) and the XP Welcome Screen must be disabled. This is a Windows XP limitation. Enable Strong Logon Authentication in the OmniPass Control Center from the System Settings tab. Once you have enabled Strong Logon Authentication, you have to reboot the system for the setting to take effect.

To get back to the XP Welcome Screen or to turn FUS back on, the user will have to disable Strong Logon Authentication, reboot the system, and then manually enable the XP Welcome Screen and FUS from User Accounts in the Windows Control Panel. Once this is done, the fingerprint reader or other security device can no longer be made a "Required" device for login to the PC.

This feature is specific to Windows XP only. For Windows 2K and 2003 Server, Strong Logon Authentication is always enabled.

6.4 Encrypt/Decrypt

The Encrypt/Decrypt tab provides a window through which you can do encryption and decryption functions (see Chapter 4). Similar to the Windows Explorer, the Encrypt/Decrypt window presents the directory structure of your system. You can select files and folders and use the Encrypt and Decrypt buttons to encrypt and decrypt files. Some files and folders used by the Windows system or by other programs cannot be encrypted by OmniPass. Directing OmniPass to encrypt or decrypt a file will result in OmniPass prompting you for authentication. If you cannot authenticate successfully, the file will not be encrypted or decrypted. You can bypass the Encrypt/Decrypt tab by using the OmniPass encryption/decryption shell extension. In the normal course of browsing and accessing your files, if you right-click the file and see OmniPass Encrypt File(s) or OmniPass Decrypt File(s), those OmniPass functions are available to you. Encryption/decryption will occur upon successful authentication.

APC BIOM34-EC user manual System Settings, Encrypt/Decrypt