Authentication
Each Luna HSM comes in one of two authentication types – Password authenticated or Multi-factor-authenticated (also called PED-authenticated). PED stands for PIN Entry Device. The authentication type is configured at the factory and cannot be modified in the field.
For an outline of the key differences between password and PED authentication, see Table 1: Authentication Types.
Table 1: Authentication Types

| Password authentication | Multi-factor (PED) authentication |
| --- | --- |
| Two-factor authentication is not available; authentication relies on "something you know" only. | Two-factor authentication is available by way of a physical PED Key per role and an optional PED PIN per key; that is, authentication can require "something you know" in addition to "something you have". |
| Authentication can be entered locally or from a remote terminal. | Authentication requires a physical local PED connection or a pre-configured Remote PED link. |
| Knowledge of the partition password is sufficient to access cryptographic keys. | Access to cryptographic keys is restricted to the Crypto Officer (CO, read/write) and Crypto User (CU, read only) roles; possession of the appropriate PED Key(s), and potentially also their PED PINs, is required. |
| Dual or multi-person access control is not available. | Dual or multi-person (quorum) access control is available by way of MofN (split-knowledge secret sharing): each of N physical PED Keys holds a portion of the role-authentication secret, and separate holders of at least M of them must cooperate to authenticate. |
| Key-custodian responsibility and role separation are linked to password knowledge only. | Key-custodian responsibility and role separation are linked to partition password knowledge and to ownership / physical possession of the PED Key(s). |
For more detailed information on each authentication type, see:
>Password Authentication
>Multi-factor (PED) Authentication