Digipass Pack for Network Authentication
Strengths: Very simple but powerful two-factor authentication, ideal SSO solution, good range of security features, useful logon auto-learning functions
Weaknesses: Multiple management consoles can be confusing
Verdict: Vasco makes light work of two-factor authentication and provides a smart SSO solution that looks very cost-effective for businesses large and small
With people expected to remember more and more username and password combinations, it's no surprise that many support departments spend so much time resetting forgotten passwords. Two-factor authentication aims to do away with this complexity: it relies on a user having something (here, a smart card) and knowing something (a PIN), and bringing the two together. Vasco's DigiPass Pack for Network Authentication (DPNA) offers simple two-factor authentication for secure and manageable access to applications, websites, portals or just straightforward logon to Windows operating systems.
With DPNA, you provide each user with a smart card and a unique PIN. A smart-card reader is attached to the system they want to access. If the card and PIN match, access is granted. The card can also be configured with logon credentials for multiple applications and services, effectively providing a single sign-on solution.
Installation is simple enough. You start by connecting the smart-card reader to the designated server. We tested using Windows Server 2003 R2 and found the OS identified the device correctly and loaded its own embedded driver for it. Next is the DigiPass secure authentication suite (SAS), which loads all the necessary software to manage the smart cards and control access. Note that at the time of review, SAS supported Windows 2000, 2003 and XP but not Vista.
Each new smart card needs to be personalised. You load it into the reader, assign a PIN to the card and add personal details such as the user's name, address, date of birth, nationality and language. During this phase, a personal unblocking key (PUK) is created, which must be safely stored as you will need it to change the PIN when a card has been blocked due to too many incorrect PINs being entered.
The SAS suite consists of four separate consoles that provide various levels of access. It includes a smart-card explorer for viewing the user's details and seeing what logon credentials are stored on the card. The main management console has tabs for setting up login details for Windows, Citrix, Terminal Services and so on. We started by adding a new entry for the Windows server itself. This is easy enough: you provide a username, password and domain and decide whether the computer or card settings take precedence. If the card is removed, you can choose whether to shut down or lock the computer or just log off the user. Global settings can be applied, which are enforced irrespective of the card inserted and include disabling keyboard logins and actions for card removal.
Testing the Windows logon features was a cinch. We just inserted our preprogrammed card when prompted, entered our PIN and were provided with access appropriate to the user details stored on the card. Removing the card immediately locked the computer and we could stop the Ctrl-Alt-Del option appearing. Usefully, the card can store multiple user entries.
The SAS suite runs two background tasks that look out for application and web logon attempts, and an auto-learn option makes light work of adding entries. We tested this by firing up an FTP client application and pointing it at our secure FTP server. As soon as we had entered the site details along with user credentials, SAS popped up with a window that had most of the smart-card entry details already filled in. Next we accessed the web-mail service on our Kerio MailServer system and the SAS software asked for our user details and added a new entry to the smart card.
With the card in the reader, any application you load that is listed will have its login details filled in automatically. We liked the feature that allows you to select an application or web page and request it to be loaded the moment the card is inserted. This allowed us to load our web mail and log in automatically just by putting our card in the reader and providing our PIN. For more complex logon processes where the automatic functions don't work so well, you can use the learning and macro recording tools. This requires you to load the application and drag a crosshair onto its login window. You start the macro recorder, enter your details and stop the recorder, after which the information will be added to your card.
Our only negative comment is that Vasco's DPNA would be easier to administer if it were amalgamated into one console. Other than that, it offers a smart two-factor user authentication system that's easy to deploy. The starter pack on review represents particularly good value as it includes five USB card readers and smart cards, plus the SAS software.