Authentication

The users of FactoryTalk® Remote Access™ can sign in to the service by using their FactoryTalk® Hub™ supported credentials.

When the

FactoryTalk® Remote Access™

Runtime connects to the Access Server for the first time, it obtains a signed identity file that contains the device UID in the

FactoryTalk® Remote Access™

domain. The certificate is used for authenticating devices to the server and relies on the operating system file system security. The certificate file is only accessible by elevated processes.

FactoryTalk® Remote Access™

routers use an additional hardware feature that delivers device binding to a certain organization. In

FactoryTalk® Remote Access™

routers, the UID is written in the hardware during the production stage in the factory and cannot be changed. Once the Router is registered to a

FactoryTalk® Remote Access™

domain, it cannot be registered to another organization until the legitimate organization admin deregisters it from their organization. This is made possible by correlating the actual device identity to the hardware UID. This way, even if a threat actor obtains physical access to the Router and performs a factory reset to reconfigure it, they won’t be able to register it to their organization and thus use the Router for malicious remote access to the network.

As mentioned, clients use TLS 1.2 for connecting to Access Servers. Access Servers use an SSL server certificate signed by a well-known certificate authority. Clients can verify the signature against the certificate authority certificates installed in the system.