Single sign-on appliance developer Imprivata has enabled its devices to be called from within an application to verify the user's identity, as well as being used to log on to systems and applications in the first place.

The company said that its customers increasingly need strong authentication within workflows. It says this is being driven by regulations that call for identity-based security on transactions.

An example is a rule in the US state of Ohio that requires a pharmacist to authorise each individual prescription for a controlled drug using two-factor authentication.

What Imprivata has done is to add an API to its single-sign on (SSO) devices so that applications can use the stored credentials, said David Ting, the company's CTO. The SSO appliance also keeps an audit trail, he added.

Transactional strong authentication "is becoming more prevalent for medication-based applications, but there is a similar demand in financial services for large transactions, or for a supervisor voiding a transaction," he said.

"The person who logged in needs to be re-verified as the transaction is committed, otherwise it is too easy for the user to say 'I walked away from my computer, and someone else created that transaction.'

"Login-level authentication allows deniability - for example, the Ohio attorney-general said he could not prosecute prescription offences because of that."

Ting said that the SSO appliance would typically be used with a fingerprint reader, or with a proximity badge and PIN, and would feed that user's log-on ID back for use in the application's workflow and audit trail.

"It wasn't that difficult to do because we already had the authentication infrastructure," he added. "We exposed an API that applications can call from Java, C# and C++."

Working this way could be a boon to programmers, who must otherwise figure out how to implement authentication for themselves on an application by application basis - and must also avoid adding delays or making the system a nuisance for its users.

Ting acknowledged that as there are no standards in this area, anyone programming to Imprivata's API would be tied to its SSO devices, but claimed that the advantages of this approach outweighed the drawbacks.

"We are trying to encourage them to use a standardised programming model as it abstracts out all the complexity," he said. "It is very easy once you show programmers how to do it."