Overview and Components
The Thales Authenticator Lifecycle Manager is a centralized console that lets security and IT teams deploy, configure, monitor, and govern FIDO2 authenticators at scale. It provides visibility and control for Thales authenticators and selected third-party keys (for example, the YubiKey Series), and streamlines the move to a passwordless environment while maintaining security and compliance.
The Thales Authenticator Lifecycle Manager architecture has three core components: a web-based admin console, the Thales Authenticator Lifecycle Service (Windows), and a secure backend API. Together, these components enable administrators to:
- Enforce policy-driven authentication
- Integrate with identity providers (for example, Microsoft Entra ID or STA Identity Provider)
- Audit system activity
- Perform FIDO authenticator lifecycle operations, from discovery and registration to configuration and reset
Note
FIDO authenticator lifecycle operations require the Thales Authenticator Lifecycle Service. This service runs on Windows 10/11, listens on port 9333, requires .NET Framework 4.7.2 or later, and must run with administrator privileges.
Key Features
- Centralized Management and Visibility: Provides a unified interface to monitor and manage all FIDO authenticators across organizational units from a single dashboard.
- Policy-Based Configuration and Governance: Enables administrators to define authentication requirements such as PIN, PIN length, and Allowed Services, and to perform device-specific operations such as reset. Supports both Generic and Managed policy types, with options for device/user assignment and bulk operations.
- FIDO Authenticator Lifecycle Operations: Performs hardware-level actions through the Thales Authenticator Lifecycle Service (port 9333), including device discovery, registration, configuration updates, reset, and testing.
- Comprehensive Device Inventory and Tracking: Offers full lifecycle visibility into device status, activity, capabilities, and compliance, with advanced search, filtering, bulk operations, and export and reporting tools.
- Identity Provider Integration: Supports integration with Microsoft Entra ID or STA Identity Provider, and provides a user search feature to quickly locate IDP users.
- Audit Logging and Reporting: Maintains tamper-proof, cryptographically signed logs for authentication events, policy changes, device actions, and administrative activities, with filtering for precise log analysis.
- Security and Compliance: Secures operations with TLS-encrypted communication, encryption at rest, and HSM-backed key storage. Aligns with FIDO Alliance standards and supports certifications such as FIPS and Common Criteria (where applicable). Compliant with GDPR, HIPAA, and SOC requirements.
- Scalability and Performance: Optimized for large-scale deployments with real-time updates via WebSockets, configurable caching, pagination, and support for high-availability environments.
- Integration and Extensibility: Provides RESTful API endpoints and webhook support for event-driven workflows and integration with cloud platforms.
Tip
For the best experience and optimal performance, use a modern web browser such as Google Chrome or Microsoft Edge.
Key Components
| Component | Description | Primary Responsibilities | Key Interfaces |
|---|---|---|---|
| Web-Based Admin Console | A browser-accessible user interface that provides centralized administrative control. | Supports dashboard access, policy management, device inventory, audit logs, identity provider configuration, bulk operations, and reporting. | Communicates over HTTPS (443) with the Backend API and uses WebSocket for real-time updates. |
| Thales Authenticator Lifecycle Service (Windows) | A Windows service that enables direct communication with connected FIDO devices. Operates on port 9333. | Handles device discovery, registration ceremonies, configuration changes, PIN operations, device reset, and device testing. | Connects via Secure WebSocket (9333) to the admin console and interfaces with local device drivers and CTAP/WebAuthn protocols. |
| Backend API | A RESTful service that manages authentication, policy enforcement, device records, identity provider settings, and audit logging. | Provides API endpoints for admin console operations, data persistence, validation, audit trails, and integration via hooks or webhooks. | Interfaces over HTTPS (443) for REST API calls, WebSocket for real-time metrics, and connects to a database (for example, PostgreSQL). |
Caution
Ensure that network and host firewalls allow the required ports:
- HTTPS (443) for API and console access
- Secure WebSocket (9333) for the Thales Authenticator Lifecycle Service
Additionally, enforce TLS for all external connections to maintain secure communication.
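The following PowerShell script is an added example, not a Thales tool, that checks a Windows host against the service prerequisites and port requirements stated above (Windows 10/11, .NET Framework 4.7.2+, administrator rights, a listener and inbound allow rule on TCP 9333, and HTTPS reachability to the console). The service name and console host name are not given on this page, so `$ServiceName` and `$ConsoleHost` are placeholders to adjust for your deployment.

```powershell
# Added pre-deployment check for a host running the Thales Authenticator Lifecycle Service.
# $ServiceName and $ConsoleHost are placeholders (not documented on this page).
param(
    [string]$ServiceName = 'PLACEHOLDER-LifecycleServiceName',
    [int]$ServicePort = 9333,
    [string]$ConsoleHost = 'alm.example.com'
)

$results = [ordered]@{}

# 1. The service requires administrator privileges; check the current session has them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Running as administrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Windows 10/11 client OS (ProductType 1 = workstation; both report kernel version 10.0).
$os = Get-CimInstance Win32_OperatingSystem
$results['Windows 10/11 client OS'] = ($os.ProductType -eq 1) -and ([version]$os.Version -ge [version]'10.0')

# 3. .NET Framework 4.7.2 or later: the Release DWORD for 4.7.2 is 461808; newer versions are higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.7.2+'] = ($null -ne $ndp) -and ($ndp.Release -ge 461808)

# 4. Service installed and running (placeholder name; set it to the installed service).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$results["Service '$ServiceName' running"] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 5. Something is listening on the service port and a local TCP connect succeeds.
$listener = Get-NetTCPConnection -LocalPort $ServicePort -State Listen -ErrorAction SilentlyContinue
$results["Listener on TCP $ServicePort"] = $null -ne $listener
$local = Test-NetConnection -ComputerName 'localhost' -Port $ServicePort -WarningAction SilentlyContinue
$results["Local connect to TCP $ServicePort"] = $local.TcpTestSucceeded

# 6. An enabled inbound firewall rule allows the service port (host firewall requirement above).
$rules = Get-NetFirewallPortFilter -Protocol TCP |
         Where-Object { $_.LocalPort -eq "$ServicePort" } |
         Get-NetFirewallRule |
         Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$results["Inbound allow rule for TCP $ServicePort"] = ($rules | Measure-Object).Count -gt 0

# 7. HTTPS (443) to the admin console / backend API is reachable from this host.
$remote = Test-NetConnection -ComputerName $ConsoleHost -Port 443 -WarningAction SilentlyContinue
$results["HTTPS 443 reachable on $ConsoleHost"] = $remote.TcpTestSucceeded

# Report each check as PASS/FAIL and exit non-zero if any check failed.
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
if ($results.Values -contains $false) { exit 1 }
```

Run it in an elevated PowerShell session on the Windows host; a FAIL on the firewall or listener checks is the usual cause of the admin console being unable to reach the service.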