Imprivata Privileged Access Management Product Update 2.3.201909012238

September 1, 2019

PAM Update: Added embedded Google Authenticator App and the option to review and import accounts detected on the discovered hosts

This update adds support for storing a Google Authenticator App secret key in a record, with the option to generate tokens. It also adds the option to review and import selected accounts discovered on remote Windows and Unix hosts.

Added embedded Google Authenticator App

The new update adds the option to store a Google Authenticator secret key in a record, with the option to generate tokens on demand. This makes it possible to back up Google Authenticator secret keys in a secure, reliable location.

In addition to this, the option allows enabling multi-factor authentication for shared privileged accounts.

Shared MFA token generation is granted to selected users through role-based access control as well as location-, time- and approval-based workflows. In addition, each TOTP generation is recorded in the system audit log to track use of the service.

Google Authenticator is a System record type that is hidden in default installations, so it should be enabled in the Administration / Record Types list. Records of the Google Authenticator record type contain a single field, Secret Key.

Once saved, a Google Authenticator record offers a single task in the Execute menu, Generate Google Authenticator Token, which opens a pop-up window showing the token on screen.

Users of the service need View and Execute permissions on Google Authenticator records.

This way, these users can generate TOTP without the option to unlock the secret key.

User access can be restricted further by applying a Task Control workflow binding that limits the time or location of service use, or that requires a human or automatic approval process.
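The pattern described above, generating a token from a stored secret for permitted users while logging each request and never returning the key, is sketched below as an added example; it is not Imprivata code. `TokenBroker`, its permission names as Python strings, and the audit entry layout are hypothetical, and the secret is a constructed sample (the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded
# the way Google Authenticator secrets are exchanged.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenBroker:
    """Hypothetical stand-in for a vault record holding one secret key."""

    REQUIRED = {"View", "Execute"}

    def __init__(self, secret_b32, grants):
        self._secret = secret_b32   # never returned to callers
        self._grants = grants       # user -> set of permission names
        self.audit_log = []         # one entry per request, no secret material

    def generate_token(self, user, at=None):
        now = int(time.time() if at is None else at)
        allowed = self.REQUIRED <= self._grants.get(user, set())
        self.audit_log.append(
            {"time": now, "user": user, "task": "generate_token", "allowed": allowed}
        )
        if not allowed:
            raise PermissionError(f"{user} lacks View and Execute on this record")
        return totp(self._secret, at=now)


if __name__ == "__main__":
    broker = TokenBroker(SAMPLE_SECRET, {"alice": {"View", "Execute"}, "bob": {"View"}})
    print(broker.generate_token("alice"))
    print(broker.audit_log)
```

Denied requests are logged as well as granted ones, so the audit trail shows attempted use of the shared token and not only successful generation.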

Added the option to review and import accounts detected on the discovered hosts

The update adds the option to detect accounts on discovered Unix and Windows computers during the network discovery process. It also adds the option to import selected accounts as system records.

Since the system does not know the passwords for these accounts, it adds the main account used to discover the endpoint as a shadow record in the task lists of the imported accounts.

This way, the shadow record runs the password set job to manage the passwords of the related imported accounts.