Authentication

Use different types of authentication to help make sure that only authorized users have access to systems.

Authentication of Users to Servers

The users of FactoryTalk® Remote Access™ can sign in to the service by using their FactoryTalk® Hub™ supported credentials.

Authentication of Runtimes to Servers

When the FactoryTalk® Remote Access™ Runtime connects to the Access Server for the first time, it obtains a signed identity file that contains the device UID in the FactoryTalk® Remote Access™ domain. The certificate is used for authenticating devices to the server and relies on the operating system file system security. The certificate file is only accessible by elevated processes.

FactoryTalk® Remote Access™ routers use an additional hardware feature that delivers device binding to a certain organization. In FactoryTalk® Remote Access™ routers, the UID is written in the hardware during the production stage in the factory and cannot be changed. Once the Router is registered to a FactoryTalk® Remote Access™ domain, it cannot be registered to another organization until the legitimate organization admin deregisters it from their organization. This is made possible by correlating the actual device identity to the hardware UID. This way, even if a threat actor obtains physical access to the Router and performs a factory reset to reconfigure it, they won’t be able to register it to their organization and thus use the Router for malicious remote access to the network.

Authentication of Access Servers to Frontends and Runtime

As mentioned, clients use TLS 1.2 for connecting to Access Servers. Access Servers present a server certificate signed by a well-known certificate authority, and clients verify that certificate's signature against the certificate authority certificates installed on the system.