May 2002
CryptoGram Secure Login
Version 2.00
by Berni Dwan
FOR
Easy to install and configure, with plenty of flexible options and a few emergency backdoors.
AGAINST
None.
VERDICT
Its whole purpose is to keep unauthorized users out, and it does this efficiently for the administrator and simply for the user.

Using up-to-the-minute cryptographic and biometric technologies, CryptoGram Secure Login enables you to log in to Windows NT/2000/XP using a smartcard, USB key or fingerprint recognition. In fact, it is compatible with all authentication environments on Windows NT 4.0, 2000 and XP (NTLM, Novell NDS). The keys are password-protected and contain the parameters required to perform the login.

There are two components to Secure Login: the client program, which carries out the login; and the key administration program, which is used to configure the keys with the login information. This hardware-based authentication solution requires that you possess a key holder and provide information to be authenticated. To describe its operation at the most basic level, you simply enter your secret PIN code, and the required data (username, password, etc.) is read off your smartcard or USB key and transferred to the operating system. In addition to a PIN code, the biometric edition compares your fingerprint profile to the one stored on your smartcard or USB key before granting you access.

There are several practical reasons why you might wish to incorporate Secure Login into your facility. Many of these valuable features are to be found on most similar products, but the fact that this is geared specifically towards the Windows NT/2000/XP environment significantly reduces the risk of information overload associated with products that try to cover too many platforms. These features include Log off or Session Lock on key holder removal, giving you the necessary control. Centralized user and key administration is a must for any decent-sized organization.

Compromising user flexibility for security can be a disadvantage with some products, the paranoid ones that drive the ordinary user mad. CryptoGram has given some thought to the humble user, with a user-definable PIN code for smartcard and USB key, support for user-defined and secure random passwords for user accounts, and multiple user accounts on the same smartcard or USB key. And most importantly, when all else fails, there is a secure challenge-response to gain access in case of emergency.

The humble administrator is not forgotten either. Only one local administrator of the computer can access the administration program, and if another administrator attempts to do so, a message is displayed saying that this is not their computer and the program will not run. An emergency procedure tool allows administrators to access workstations without token security. It can be installed on the administrator workstation and can only be used if the connected user is the local administrator of the workstation and Secure Login protects it.

When installing and setting up Secure Login, a variety of options are provided that should cover all login eventualities. You can allow any user with a valid key to unlock a computer; otherwise only the user who logged in or a local administrator will be able to unlock the computer. You can retain the standard NT/2000/XP login procedure if a user's key is not initialized, its slot is not configured or when authentication fails, allowing them to log in normally with a username and password. If you check the log off on token removal option, removing the key will close the current live session. It will also close any opened applications without saving modifications. By checking the unlock session with another key option, any key with a valid user account will be allowed to unlock and continue the session.

You must remember to initialize at least one key on installation with an administrator account before restarting the computer, or it will be blocked the next time it is started up (unless you checked the standard NT/2000/XP login procedure)! You are given three attempts at entering a password for an initialized key before it is blocked. Also, if you installed a screensaver, it is automatically password-protected when activated, unless the administrator changes this setting. If not, a key and accompanying password will be requested to unlock the computer.

You can change token passwords through the standard NT/2000/XP options window you get by pressing CTRL+ALT+DEL, although the change password button will be grayed out if the token used has not been initialized. When you change a password through this window, it is changed on the network and automatically updated on the token. Network-initiated password changes can be randomly generated or manually entered. Either way, they are similarly changed on the network and automatically updated on the token.

The user interface is intuitive. The first thing you see is a window with three sections - user list, key slot list and input zone. The user list shows users by local computer and by domains available on the network, and in order to differentiate account types there are specific icons for local, NT or Novell authentication. The key slot list shows the network login available (or in preparation) for a given key. In fact, there are five slots available on each key to store user information. One slot is used for a standard local or NT account, and two are used to store a Netware account. The input zone is used to input login parameters and there are separate dialog boxes for Microsoft and Novell authentication. To configure a key you simply drag the appropriate user accounts to the desired key slot, and if the account is valid it will be added to the empty slot.

There are two ways to change network passwords. They can be entered manually and saved in the key. This mode allows users to log in with the key to some computers, and with a password to other computers. Random generation, though, provides the highest level of security. A random password is generated and saved both in the key and in the target computer or domain security accounts manager database. This way, the user will never know their password and will never be able to open a session on a computer unless it has Secure Login installed.

Contact Information:
  
CryptoGram Secure Login
Version: 2.00

UK/Ireland
Supplier: CryptoGram
www.cryptogram-fr.com
Price: €100 (iKey edition including 1 iKey)
Distributor: Optimus UK Ltd
Contact: +44 (0)1 926 852352
sales@optimus.co.uk
www.optimus.co.uk

Rest of Europe
Supplier: CryptoGram
Price: €100 (iKey edition including 1 iKey)
Contact: +33 1 6929 8210
contact@cryptogram-fr.com
www.cryptogram-fr.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © West Coast Publishing. All rights reserved.