Introduction
For security and compliance reasons you may want to enable FIPS on your SecureAuth servers, but after enabling it you lose the ability to use OATH and Knowledge Based Answers for 2-Factor authentication.
Or, during installation of the Windows Credential Provider, you receive an error:
Cause
For customers inquiring about Tokens:
Currently the advanced encryption option is not FIPS compliant and will not work while FIPS is enabled.
For customers inquiring about Windows Credential Provider:
- Formerly in version 2.1.11, we used 3DES, which is FIPS compliant.
- In version 2.6.5, we moved to AES256, but happened to use a non-FIPS library, which broke FIPS compliance.
- We are planning to use a FIPS compliant AES256 library in the 2.8 release that should be out later this year.
Resolution
If FIPS has to be enabled, you need to switch the encryption method from Advanced to Standard on any attribute being encrypted.
Because the two encryption methods use different algorithms, you will be required to re-enroll all soft and hard tokens as well as Knowledge Based Questions, so this might not be practical if your SecureAuth implementation is already in production.
For customers looking to install the Windows Credential Provider version 2.6.5: have them check Local and Group Policy to disable the FIPS compliance requirement.
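To see what the policy check above will find on a given machine, the following added example (not SecureAuth code) reads the effective Windows FIPS setting and probes which .NET Framework cipher classes can still be constructed under it. The function names are hypothetical, and the class list is illustrative only: the article does not name the library the product uses.

```powershell
# Added example: report the effective FIPS policy and probe .NET cipher classes.
# This is the standard Windows registry location written by the security option
# "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # A missing value is treated as "not enabled".
    $value = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = [bool]$value
        # What the .NET runtime in this PowerShell session believes the policy is.
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-CryptoClass {
    param([string[]]$TypeName)
    foreach ($name in $TypeName) {
        try {
            # Non-validated implementations can refuse to construct when the policy is on.
            $obj = New-Object -TypeName $name -ErrorAction Stop
            $obj.Dispose()
            $result = 'constructs'
        } catch {
            $result = "blocked: $($_.Exception.GetBaseException().Message)"
        }
        [pscustomobject]@{ Type = $name; Result = $result }
    }
}

Get-FipsPolicyState | Format-List

# Illustrative list: CSP-backed 3DES and AES next to the managed AES/Rijndael classes.
Test-CryptoClass -TypeName @(
    'System.Security.Cryptography.TripleDESCryptoServiceProvider',
    'System.Security.Cryptography.AesCryptoServiceProvider',
    'System.Security.Cryptography.AesManaged',
    'System.Security.Cryptography.RijndaelManaged'
) | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session before and after a policy change (a Group Policy refresh may be needed). Whether the managed classes are blocked depends on the .NET Framework version in use.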