Introduction
Password policies (minimum length, complexity, periodic renewal) exist to
mitigate password leakage and misuse. Users dislike them, and a substantial
share of helpdesk calls are password (reset) related.
There is a method to give the user a very long and complex password without
the user ever having to know it.
Let the computer provide the user credentials
When the user's identity is protected by dedicated security hardware such as
the Trusted Platform Module (TPM), the computer can present the user's
credentials to Windows on the user's behalf. The computer doesn't care how long
a password is, so you can assign a very long, random one. Since the user's
identity lives in cryptographic hardware, password policies such as minimum
length or periodic renewal are no longer needed for that credential. How does
that work?
The TPM as Virtual Smartcard
Windows supports logon through smart cards. A smart card is usually a
credit-card-sized card with a chip. However, smart cards are expensive, users
forget or break them, and smart card logistics can be cumbersome.
Much better is to let the computer act like a smart card. The user's credential
is then a private key generated inside the TPM (it cannot be exported) together
with a certificate issued for it. Once the credential is enrolled to the TPM,
the user only has to provide a PIN to unlock the computer and authenticate
against Active Directory. Since the user does not have to remember (or even
know) a Windows password, you strengthen security too: an attacker needs both
the physical PC, because the key never leaves that TPM, and the PIN, and the
TPM's anti-hammering logic rate-limits PIN guesses.
All other Windows security features still apply (Kerberos, NTLM authentication,
etc.), so beyond an enterprise certificate authority that can issue smart card
logon certificates, no changes to the backend are necessary. You can also use
the virtual smart card to store other user or company secrets, and the TPM can
serve traditional PKI use cases such as WiFi authentication or VPN security.
A world without passwords!
So, with little change to your IT infrastructure, you are able to offer the
user a seamless way to log on, authenticate both the computer and the user's
credentials, and provide single sign-on to Windows, services and applications.
You only need to enable the TPM, load the Wave Systems TPM drivers and enroll
the user's PIN on the computer. It is simple to deploy, and users and the
helpdesk will love this solution.
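The three steps above (enable the TPM, provision the virtual smart card, enroll the user) can also be carried out with the tooling built into Windows 8 and later. The script below is an added example, not Wave Systems' software or code from the original post: it uses Windows' own `tpmvscmgr.exe`, `certreq.exe` and `certutil.exe` in place of the Wave drivers. The card name "Corp VSC" and the certificate template name "SmartcardLogon" are assumptions; substitute the template your CA actually publishes for smart card logon.

```powershell
# Added example: provisioning a TPM virtual smart card with Windows' built-in tooling
# (not Wave Systems' drivers). Run in an elevated PowerShell session on the user's PC.

# 1. Confirm the TPM is present, enabled and initialized. Without this, tpmvscmgr fails.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; enable it in firmware and initialize it (tpm.msc) first."
}

# 2. Create the virtual smart card. The user types the PIN at the prompt, so it never
#    sits in this script. The admin key is prompted for as well (48 hex digits): it is
#    needed later to unblock a locked PIN, so escrow it in your secret store rather than
#    choosing /adminkey random, which makes the card unmanageable afterwards.
#    /generate formats the card so it is immediately usable by the smart card subsystem.
& tpmvscmgr.exe create /name "Corp VSC" /pin prompt /adminkey prompt /generate   # "Corp VSC" is an assumed name
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# 3. Enroll a smart card logon certificate from the enterprise CA into the new card.
#    "SmartcardLogon" is the assumed template name; the key pair is generated inside the TPM
#    and only the certificate request leaves the machine.
& certreq.exe -enroll -user -q SmartcardLogon
if ($LASTEXITCODE -ne 0) { throw "certreq enrollment failed with exit code $LASTEXITCODE" }

# 4. Verify: the card and its certificate must be visible to the smart card subsystem,
#    otherwise the Windows logon UI will not offer the PIN prompt.
& certutil.exe -scinfo
```

After step 4 the user can sign out and log on with the PIN; Kerberos PKINIT against the domain controller happens transparently. If `certutil -scinfo` lists the card but no certificate, the enrollment failed, which usually means the template is not published or the user lacks Enroll permission on it.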
More information on this subject can be found at http://www.wave.com or send an email to
emea@wave.com