SAB5 user authentication and Disaster Recovery plan

Resilience to a range of failures requires that you can restore the SecureAnyBox5 server anywhere, on a laptop for example, and need nothing else to regain access to your sensitive data, passwords, keys and so on. One of the most frequent questions is therefore whether users can still log in when the source from which they are synchronized (MS AD, eDIR, LDAP, Entra ID) is unavailable.
After a user's first successful login, SecureAnyBox5 stores a hash of the password it has just verified against the source and from then on checks that user's logins against the stored hash only. The source is not contacted again until the user enters a password that does not match the stored hash. SAB5 then checks with the source whether this is a new password set there and, if so, takes it over and updates the hash in the SAB5 database. It follows that while the source is unreachable, only the password matching the stored hash works; a password changed in the source since the last SAB5 login cannot be verified until the source is back.
If you are using KeyShield SSO, the user never types a password, so no password hash is stored for them. The hash is saved only once a given user has logged in at least once by entering a name and password. If your Disaster Recovery Plan counts on recovering SecureAnyBox5 on its own, make sure that at least the IT department users have logged in with name and password so that their hashes are in the database. Once operations are fully restored, the other users can log back in via SSO without restriction. At a minimum, therefore, selected IT department users must have a stored hash.
We are working on a new feature that will prompt all or selected users to authenticate with name and password (and possibly a TOTP second factor) if their password hash is not yet in the SAB5 database or has not been used for more than a configurable number of days.
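As an added illustration of the login flow described above (example code written for this page, not SecureAnyBox5's implementation; the class names, the PBKDF2 hash format, the status strings, the max_age_days check that models the planned "not used for N days" rule, and the sample users are all assumptions), the following Python models a login that prefers the stored hash, falls back to the source only for an unknown password, returns a distinct result when the source is down, and lists which users could not log in during a restore:

```python
"""Model of cached-credential login with fallback to the user source.

Added example, not SecureAnyBox5 code: class names, the PBKDF2 hash format,
the three status strings and the sample users are assumptions.
"""
import hashlib
import hmac
import os
import time

OK, REJECTED, SOURCE_UNAVAILABLE = "ok", "rejected", "source-unavailable"


class DirectoryUnavailable(Exception):
    """The user source (AD, eDIR, LDAP, Entra ID) cannot be reached."""


class Directory:
    """Stand-in for the synchronised user source, holding constructed test data."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)   # username -> current password
        self.available = True

    def bind(self, username, password):
        """True if the source accepts the credentials; raises when it is down."""
        if not self.available:
            raise DirectoryUnavailable(username)
        return self.passwords.get(username) == password


def password_hash(password, salt, iterations=100_000):
    # Assumed format: the page does not say which hash SAB5 stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class CachedAuthenticator:
    """Keeps one verified password hash per user and prefers it over the source."""

    def __init__(self, directory):
        self.directory = directory
        self.cache = {}   # username -> {"salt": bytes, "hash": bytes, "last_used": float}

    def _store(self, username, password):
        salt = os.urandom(16)
        self.cache[username] = {"salt": salt,
                                "hash": password_hash(password, salt),
                                "last_used": time.time()}

    def login_sso(self, username):
        """SSO login: the user types no password, so nothing is cached."""
        return OK

    def login_password(self, username, password):
        entry = self.cache.get(username)
        if entry is not None and hmac.compare_digest(
                entry["hash"], password_hash(password, entry["salt"])):
            entry["last_used"] = time.time()
            return OK                       # source never contacted
        # No stored hash, or the typed password is unknown: ask the source
        # whether this is a newly set password and take it over if so.
        try:
            accepted = self.directory.bind(username, password)
        except DirectoryUnavailable:
            return SOURCE_UNAVAILABLE       # only the cached password works now
        if not accepted:
            return REJECTED
        self._store(username, password)
        return OK

    def users_without_offline_login(self, known_users, max_age_days=None):
        """DR check: users who could not log in while the source is down.

        max_age_days models the planned 'hash not used for N days' rule."""
        now = time.time()

        def stale(entry):
            return (max_age_days is not None
                    and now - entry["last_used"] > max_age_days * 86400)

        return [u for u in known_users
                if u not in self.cache or stale(self.cache[u])]


if __name__ == "__main__":
    # Constructed sample: one password user, one SSO-only user.
    source = Directory({"alice": "Winter2024!", "bob": "bob-pw"})
    auth = CachedAuthenticator(source)
    auth.login_password("alice", "Winter2024!")
    auth.login_sso("bob")
    source.available = False
    print("alice offline:", auth.login_password("alice", "Winter2024!"))
    print("cannot log in offline:", auth.users_without_offline_login(["alice", "bob"]))
```

The list returned by users_without_offline_login is the check to run over the IT department accounts before rehearsing the DR plan: an SSO-only user appears in it because SSO never produces a stored hash, and with max_age_days set, so does anyone whose cached password may no longer match what is in the source.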

VS