Frequently Asked Questions

Echidna provides a low-cost 2FA solution that is easy to deploy and manage, and which scales from 2 to 100,000s of users.

Echidna supports seamless migration from existing 2FA solutions, allowing an organisation to move away from ageing and expensive token solutions whilst protecting its investment during the transition stage.

Echidna provides a solution that allows an organisation to adopt new authentication mechanisms as they emerge, without expensive retrofit or system remediation.

  • It’s easy. The standard activation model is:
  • Step 1. Download the Salt mSign app from the app store.
  • Step 2. Scan a QR Code.
  • Step 3. Enter an Unlock Code sent via SMS.
  • Step 4. Select a PIN to protect access to the app; or use a biometric (such as fingerprint).
  • That’s it.
  • The “express” offline activation model is:
  • Step 1. Download the Salt mCodeXpress app or Salt mCodeXpress-FPE from the app store.
  • Step 2. Select a PIN to protect access to the app; or use a biometric (such as fingerprint).
  • Step 3. Use the “Registration Code” shown by the app to register your token with Echidna.
  • That’s it.
  • Yes, all Salt Mobile apps can be re-branded and published by the customer.
  • Yes, all Salt Mobile apps can be re-branded with multi-lingual support.
  • No. Salt Mobile tokens can be duplicated across devices.
  • Yes. Salt Mobile tokens include anti-cloning measures. These include the use of device hardware, user biometrics, and key protection methods.
  • Salt mSign Connected Tokens are supported on Android and iOS devices.
  • Salt mCode Offline Tokens are supported on Android and iOS with limited functional support on Windows Phone.
  • Salt Mobile SDK Embedded Tokens are supported on Android and iOS devices.
  • Positronic Trusted Tokens are supported on Android devices with Trusted Execution Environment (TEE) hardware.

Echidna is an enterprise grade authentication server, which has been developed to support high availability, high volume and high assurance user authentication applications in banks, government departments and enterprises, globally.

Echidna has been designed to integrate with and extend existing firewalls and perimeter solutions to provide a simple to manage and deploy two-factor user authentication (2FA) solution.

Echidna is suitable for any organisation that has a need to provide an additional level of user authentication through utilising a two-factor mechanism, be that a mobile or hardware security token.

Echidna provides a flexible unified 2FA user authentication service available via RADIUS and web service protocols. It also makes available transaction and document signing mechanisms via web services for applications needing to directly integrate at a more granular level.

Echidna interfaces to a range of Identity and Access Management (IDAM) infrastructures and to general-purpose access gateways through either web services or RADIUS to provide user authentication services.

Echidna supports a comprehensive range of authentication standards and mechanisms and device form factors from a range of vendors, including OATH.

Echidna is agnostic to the authentication mechanism and provides wide support for a range of standard, proprietary and brokered methods, for example:
  • Salt Mobile tokens, which are standalone mobile apps (or an embedded SDK) supported across a range of mobile devices and platforms, including Android and iOS, with limited support on Windows Phone, Blackberry and Symbian
  • Hardware security tokens that are compliant to the OATH HOTP, TOTP or OCRA standards
  • Proprietary soft security tokens running as an App installed on mobile devices
  • "Second Channel" one time passwords delivered to a user via SMS or email.
Echidna can also proxy authentication requests to third party servers to support legacy or proprietary tokens such as RSA SecurID and Vasco tokens.

Yes, Echidna has been designed from the ground up as an enterprise service addressing associated availability, assurance, scalability and performance requirements.

Two-factor authentication (2FA) generally relies on user knowledge of a secret (a password or PIN value) together with user possession of a device (a security token or mobile phone). Echidna provides the flexibility to support the different combinations that may be required in various situations.

  • If the security token itself is PIN protected, there is usually no need for additional user passwords or PINs.
  • If the security token or OTP messaging channel is not PIN protected, the password from the user store can be used to provide the 'knowledge' factor. Echidna supports validation of Active Directory (AD) or LDAP passwords via LDAP binding, and stored encrypted or hashed passwords for database backed user stores.

The second factor would be the one time password generated by the security token or sent via the messaging channel.
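The factor combinations described above, as an added example (not Echidna's code): an OATH HOTP (RFC 4226) check that accepts the one-time password alone when the token is PIN protected and otherwise also requires the stored password. The record layout, the function names, the PBKDF2 password hash and the look-ahead window of 3 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    """Hashed password as a database-backed user store might hold it (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_otp(token, otp, window=3):
    """Accept an OTP up to `window` counters ahead, then advance past it (no replay)."""
    for c in range(token["counter"], token["counter"] + window + 1):
        if hmac.compare_digest(hotp(token["secret"], c).encode(), otp.encode()):
            token["counter"] = c + 1
            return True
    return False

def authenticate(user, otp, password=None):
    """PIN-protected token: OTP alone. Otherwise: stored password AND OTP."""
    token = user["token"]
    if not token["pin_protected"]:
        if password is None or user["pw_hash"] is None:
            return False
        candidate = hash_password(password, user["salt"])
        # Check the knowledge factor first so a bad password never advances the counter.
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False
    return verify_otp(token, otp)

def make_user(pin_protected, password=None):
    """Constructed sample record; the secret is the RFC 4226 Appendix D test key."""
    salt = b"constructed-salt"
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt) if password else None,
        "token": {"secret": b"12345678901234567890", "counter": 0,
                  "pin_protected": pin_protected},
    }

if __name__ == "__main__":
    alice = make_user(pin_protected=True)
    print(authenticate(alice, "755224"), authenticate(alice, "755224"))
```
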

The Echidna supported mechanisms can be combined in a flexible manner to support a diverse user base with multiple mechanisms, and even support individual users with multiple available mechanisms.

Yes, Echidna supports Active Directory Federation Services (ADFS) through its ADFS Plug-In. Echidna's ADFS Plug-In can be installed on Microsoft Windows Server operating systems to provide users with a single sign-on (SSO) access to systems and applications located across organisational boundaries. Echidna supports Security Tokens that are comprised of contemporary two factor authentication (2FA) methods and hardware security tokens based on Open Standard OATH and mobile security tokens such as Salt Mobile and SMS OTP.

Echidna provides a secure two-factor authentication (2FA) solution to corporate and government organisations globally by using the ADFS Plug-In while still retaining a simplified and convenient user experience.

Salt Mobile tokens are perpetually licensed, and as such any replacement necessitated by loss or user churn does not incur additional token costs. Industry experienced churn rate is around 30% per annum.

Echidna User licensing is based on active users and Salt Mobile tokens are free when deployed with Echidna. As such, as users come and go, and as devices are lost and replaced, there are no additional charges provided the total user base is not increased. By contrast, RSA SecurID tokens are not free and token licenses are not transferable to new users.

Salt Mobile tokens never expire whereas RSA SecurID tokens need to be replaced every few years.

ACE servers can only authenticate RSA SecurID tokens whereas Echidna can authenticate multiple authentication tokens from different vendors.

Importantly, Echidna's brokering service allows an organisation to seamlessly migrate from RSA tokens as these tokens expire, thereby eliminating the higher costs of "big bang" migration of tokens.

Yes, Echidna can support fingerprint biometric login using Salt Mobile tokens on mobile devices with fingerprint hardware. Salt Mobile security tokens used in conjunction with Echidna's ADFS Plug-In enable a convenient and secure biometric login to Active Directory Federation Services (ADFS) enabled applications such as Windows Server, SharePoint, Google Drive, Office365, Salesforce.

Yes, Echidna supports the European Payment Services Directive (PSD2) to meet regulations for securing new payments with authentication elements using a range of multi-factor authentication (MFA) methods.

Echidna enables adaptive risk engines to mitigate risk through a range of authentication elements and methods for different levels of authentication from SMS OTPs, Challenge/Response, to more contemporary QR code signing and advanced connected mobile tokens capable of transaction signatures with dynamic linking of the transaction context and addition of PIN, Fingerprint and other biometrics.

A license request is generated via an option in the Echidna Web Management console and the request is sent to Salt Group via email.

A new or updated license is generated and returned via email for the organisation to upload via the management console, all without the need for the server to be taken off-line.

Echidna is licensed based on active tokens and a base server license.

Applications can integrate directly to Echidna via the web services interface to provide support for authentication or transaction signing within the application, using any of the Echidna supported authentication mechanisms.

Yes. Most VPN products support delegation of the authentication process to an external authentication server via the RADIUS protocol. This is the simplest path to integrate Echidna for VPN access control.

Echidna can delegate authentication of RSA SecurID tokens to existing RSA authentication server(s) while new security tokens or other 2FA mechanisms are introduced. This allows a low risk migration away from RSA SecurID tokens and ACE servers allowing the existing RSA tokens to be gradually replaced as they naturally expire.

Echidna can be used to delegate all Citrix Access Gateway login authentication requests, and for identifying user profiles for authorization decisions.

Citrix Access Gateway can be configured to use Echidna through the RADIUS protocol.

Microsoft Forefront can be configured to use Echidna through a custom TMG authentication filter. There are some restrictions on the supported authentication delegation types (how the user identity or credentials are passed through to the protected application when needed). This is an inherent limitation in the TMG API.

Microsoft Universal Access Gateway can be configured to use Echidna through the RADIUS protocol for delegation of the login authentication.

Echidna can be used with a CheckPoint Firewall for delegated authentication via RADIUS.

Yes, with additional components deployed. Many Wi-Fi access points that support authentication via RADIUS require the use of the EAP-SSL or EAP-TLS protocol to protect that authentication traffic. Echidna does not yet support this protocol natively, but FreeRADIUS can be deployed to provide the EAP-SSL support and to delegate to Echidna for the actual authentication mechanism.

Echidna does not currently support PKI for standard user login authentication.

Yes, Active Directory passwords can be validated via an LDAP bind to the directory. This allows AD to maintain control over the password policies, lockouts and expiry.

Yes, Echidna supports biometric login to Office 365 by using the Active Directory Federation Services (ADFS) Plug-In where the Echidna server is located on premises, enabling businesses using Office 365 to provide second factor authentication (2FA) that is stronger than passwords. By using Echidna's ADFS Plug-In, users can authenticate into Office 365 using an Echidna supported security token, such as Salt Mobile on devices that support biometrics hardware for a biometric login.

Yes, Echidna supports biometric login to Salesforce by using Active Directory Federation Services (ADFS) Plug-In where Echidna server provides second factor authentication (2FA) which is stronger than passwords. By using Echidna's Active Directory Federation Services (ADFS) Plug-In, users can authenticate into Salesforce using an Echidna supported security token, such as Salt Mobile on devices that support biometrics hardware for a biometric login.

Yes, Echidna enables strong two-factor authentication (2FA) to access Google Drive by using the Active Directory Federation Services (ADFS) Plug-In. Echidna provides a secure two-factor authentication (2FA) solution that allows organisations to seamlessly extend secure access and store data in cloud repositories on Google Drive by using the ADFS Plug-In. Echidna provides assurance that sensitive data stored on Google Drive is accessed only through its 2FA security tokens. By using the ADFS Plug-In, Echidna provides an additional layer of security to the user data located at Google Drive via its mobile security tokens such as Salt Mobile and OATH hardware tokens.

Yes, Echidna supports biometric login to SharePoint by using Active Directory Federation Services (ADFS) Plug-In where the Echidna server provides two-factor authentication (2FA), which is stronger than passwords. By using Echidna's Active Directory Federation Services (ADFS) Plug-In, users can authenticate into SharePoint using an Echidna supported security token, such as Salt Mobile on devices that support biometrics hardware for a biometric login.

Thales nShield HSM series such as Network connect, PCI card and USB connected models.

Echidna supports HSMs through the PKCS#11 Java Cryptography Provider. Key generation or commissioning would be done first using the HSM's native toolset.

Thales nShield models are fully supported.

Thales nShield HSM key ceremony procedures can be provided as part of Echidna.

Yes. Salt Group’s Advanced Solutions Group (ASG) has many years of experience around Thales nShield HSMs. The ASG team can provide advice and consulting services on industry best practices for the application and secure usage of HSMs. ASG also provides professional services for the deployment and integration of HSMs for application security, payment systems, database and big data protection.

Yes. Salt Group’s Advanced Solutions Group (ASG) has extensive knowledge around HSM based key management. ASG can advise on best practices when it comes to key import, generation, migration and rollover procedures. Furthermore, custom Key Management Tool (KMT) implementations are available to control key usages with more granular level protection within Thales nShield HSM ecosystems. With KMT, keys can be locked down to a particular usage only. For example, restricting an RSA key to only be capable of wrapping/unwrapping but not decryption.

Yes. Thales nShield HSM series are certified to FIPS 140-2 Level 3.

Salt Group’s Advanced Solutions Group (ASG) can support a wide range of cryptographic solutions required by organisations including but not limited to:
  • HSM based cryptography as a service solutions
  • Secure application solutions and bespoke development to achieve end-to-end credentials protection such as passphrases and PIN protection
  • Security application solutions to leverage Thales nShield CodeSafe SEE machine integrations, where the cryptographic code resides and executes inside the Thales nShield HSM
  • Document sign/verify and encrypt/decrypt services

Yes. Wherever crypto applications require HSM based key management, Salt Group’s ASG can also provide separate Key Management Tool (KMT) utilities to import, generate and migrate HSM based keys, among other operations.

The ASG team can also provide additional consulting and professional services for advice on key management and documentation for HSM Key Ceremony procedures.

Yes. The ASG team has extensive experience in PKI system integration with Thales nShield HSMs and can provide step-by-step guidance on the integration process plus advice on industry best practices.

Yes. The ASG team can provide consulting and advice on data protection for PCI compliance. The team can also advise on utilising Thales Vormetric technologies to achieve compliance without major changes to the existing environment, such as format preserving encryption of card information that requires no changes to the database schema.

Yes. The Advanced Solutions Group (ASG) can provide bespoke implementations for specific HSM based cryptographic requirements by payment system vendors. This includes bespoke key management requirements such as legacy key migrations.