
2013-02-05

Give users a 127-character password but do not tell them


Introduction

Password policies such as minimum length, complexity rules and periodic renewal exist to mitigate password leakage and misuse. Users hate them, and a substantial share of helpdesk calls are password (reset) related. There is a way to give the user a very long and complex password without ever telling it to them.

Let the computer provide the user credentials

When the user's identity is protected by dedicated security hardware, such as the Trusted Platform Module (TPM), the computer can present the user's credentials to Windows on the user's behalf. The computer does not care how long a password is, so you can assign a very long, random one. Because the user's key material lives in cryptographic hardware and the user never types a password, policies such as minimum length or periodic renewal lose their purpose. How does that work?

The TPM as Virtual Smartcard

Wave Systems TPM software
Windows supports logon with smartcards. A smartcard is typically a credit-card-sized card with a chip. However, smartcards are expensive, users forget or break them, and smartcard logistics (issuing, replacing, revoking) can be cumbersome.

It is much better to let the computer itself act as the smartcard. Once the user's credentials are enrolled into the TPM, the user only has to enter a PIN to unlock the computer and authenticate against Active Directory. Since the user no longer has to remember (or even know) a Windows password, this strengthens security as well: an attacker needs both the PIN and physical access to that particular PC, because the private key is bound to that machine's TPM and cannot be copied off it.

All other Windows security features still apply (NTLM authentication, Kerberos and so on), so no backend changes are necessary beyond the certificate infrastructure that Windows smartcard logon already requires (an issuing CA and certificates on the domain controllers). You can also use the virtual smartcard to store other user or company secrets, and the TPM can serve traditional PKI use cases such as WiFi (802.1X) authentication or VPN client certificates.

A world without passwords!

So, without changing your IT infrastructure, you can offer users a seamless way to log on, authenticate both the computer and the user, and provide single sign-on to Windows, services and applications. You only need to enable the TPM, install the Wave Systems TPM drivers and enroll the user's PIN on the computer. It is simple to deploy, and both users and the helpdesk will love this solution.
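As an added example (not the original post's code and not Wave Systems' product), here is the same idea carried out with the TPM virtual smart card support that Microsoft built into Windows 8 and Server 2012: tpmvscmgr.exe creates the card in the TPM, certreq.exe enrolls a logon certificate into it, and Set-ADUser forces the account onto smart card logon so the account's password becomes a random value nobody knows. The template name, user name and card name are placeholders, and the script assumes the CA and domain controller certificates that Windows smart card logon already requires.

```powershell
#Requires -RunAsAdministrator
# Added example (not Wave Systems' software or the original post's code):
# provision a TPM-backed virtual smart card with the tooling built into
# Windows 8 / Server 2012 and later (tpmvscmgr.exe, certreq.exe) and force
# the AD account onto smart card logon so its password is no longer used.
#
# Assumptions (placeholders, adjust for your environment):
#   - an Enterprise CA publishes a smart card logon template whose
#     cryptography settings select the smart card CSP/KSP;
#   - domain controllers hold Kerberos/Domain Controller Authentication certs;
#   - the RSAT ActiveDirectory module is installed on the admin workstation.
$TemplateName = 'SmartcardLogon'   # assumed template *name* (not display name)
$UserName     = 'jdoe'             # assumed sAMAccountName of the enrolling user

# 1. Refuse to continue unless the TPM is present, owned and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $msg = "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)). "
    $msg += "Enable it in firmware and initialize it (tpm.msc) before enrolling."
    throw $msg
}

# 2. Create the virtual smart card inside the TPM.
#    /pin prompt      - the user chooses the PIN; never ship the default PIN (12345678).
#    /adminkey random - an unknown admin key means the PIN can never be reset or
#                       unblocked; use /adminkey prompt and escrow the key if you
#                       need PIN unblock at the helpdesk.
#    /generate        - format the card's file system so it is immediately usable.
$create = & tpmvscmgr.exe create /name "Corp VSC ($UserName)" /pin prompt /adminkey random /generate 2>&1
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed:`n$create" }
$create

# 3. Confirm Windows now sees a reader with a card in it before enrolling.
& certutil.exe -scinfo 2>&1 | Select-String -Pattern 'Reader:|Card:'

# 4. Enroll a logon certificate from the template. Because the template selects
#    the smart card provider, the key pair is generated on the virtual card
#    (i.e. in the TPM) and the private key never exists as a file on disk.
#    certreq prompts the user for the card PIN during enrollment.
& certreq.exe -enroll -user $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certreq enrollment failed with exit code $LASTEXITCODE" }

# 5. Make the account smart-card-only. Setting this flag makes the domain
#    controller replace the account's password with a random value that nobody
#    knows: the "127 character password" the title promises, without telling
#    the user anything but their PIN.
Import-Module ActiveDirectory
Set-ADUser -Identity $UserName -SmartcardLogonRequired $true
Get-ADUser -Identity $UserName -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired
```

Run this per user on the machine the user will log on from; because the key is generated inside that machine's TPM, a user with two PCs needs a card (and a certificate) on each, and a replaced motherboard means re-enrollment. Keep step 5 last: once SmartcardLogonRequired is set, a user without a working card is locked out.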

More information on this subject can be found at http://www.wave.com or send an email to emea@wave.com
