Technical white paper Using HP DigitalPass One Time Password protection Table of contents Introduction 2 What is HP DigitalPass? 2 How DigitalPass works 3 Required components and architecture 3 Using HP DigitalPass 4 Frequently asked questions and scenarios Sample scenario #1 Sample scenario #2 8 8 8 Conclusion 9 For more information 9
Introduction Online identity theft has become a huge international business. In 2009, US citizens lost $560 Million due to internet fraud 1. One of the methods used by scammers and phishers is to obtain your user account and password and then login to your financial accounts and steal your assets. A compromised password can also allow unauthorized access to online merchants and social networking sites.
How DigitalPass works HP DigitalPass uses a hardware-generated passcode that is used only once for a short period of time and supplied invisibly to participating websites. This passcode provides a second factor of authentication to the traditional user name and password—providing something you know (user ID and password) plus something you have (HP DigitalPass). The passcode generator is protected in the PC hardware and cannot be accessed from the hard drive or the BIOS.
Using HP DigitalPass The HP DigitalPass OTP function is configured through the HP ProtectTools utility. 1. Open HP ProtectTools (Figure 2). Figure 2: HP ProtectTools main screen 2. In the left pane of the main screen under Password Manager, select VIP and click Yes (Figure 3).
3. In the “Verify your identity” dialog box, enter your Windows password and click on the arrow icon (Figure 4). Figure 4: HP ProtectTools identification verification 4. HP ProtectTools displays a window reminding you to register your VeriSign Identity Protection (VIP) access credential with each VIP member site you plan to use (Figure 5).
5. Browse to a VIP member site you use for account transactions. In Figure 6, the example site of “Trusted Bank” is used. Click on the prompt I want VIP security. Figure 6: Example VIP member site: selecting VIP security 6. In the VeriSign Identity Protection (VIP) window (Figure 7), select Get VIP.
. In the HP ProtectTools dialog box (Figure 8), enter your password for the site. Ensure that both boxes in the VeriSign Identity Protection (VIP) area are checked and click OK. Figure 8: HP ProtectTools Password Manager window: entering VIP member site data 8. In the VIP member site, enter or drag and drop the 6-digit security code from your VIP credential and click Validate (this process will vary by website).
Frequently asked questions and scenarios Q: What happens to HP DigitalPass and the user credentials if the PC hard drive is reimaged? A: If the user token and credentials have been backed up prior to reimaging, they can be restored from the backup. If no backup is available, the user will need to re-enroll at each web site previously activated to “rebind” their credentials with the PC.
Conclusion Traditionally, the level of protection offered by HP DigitalPass was only available through a separate device (such as a USB disk-on-key) that would generate the one time password. HP DigitalPass allows you to save on cost of a separate One Time Password generator and the hassle of losing your disk-on-key device. For more information The following sites provide additional information on the subjects of identity theft and unauthorized access. http://www.theregister.co.
