Passlogix v-GO Single Sign-On (SSO)




Ant Allan
Product Report
3 October 2002

Passlogix v-GO Single Sign-On (SSO)

Summary

Passlogix v-GO SSO supports many enterprise and Web target systems via script-less client software. Its simple architecture synchronizes user configurations and settings on an established corporate directory.

Table of Contents
- Overview
- Analysis
- Pricing
- Competitors
- Strengths
- Limitations
- Insight

List Of Tables
- Table 1: Overview: v-GO SSO
- Table 2: Features and Functions: v-GO SSO: Identity Management
- Table 3: Features and Functions: v-GO SSO: Interfaces
- Table 4: Features and Functions: v-GO SSO: Authentication Methods
- Table 5: Features and Functions: v-GO SSO: Single Sign-On
- Table 6: Features and Functions: v-GO SSO: Security
- Table 7: Features and Functions: v-GO SSO: Administration
- Table 8: Features and Functions: v-GO SSO: Auditing
- Table 9: Features and Functions: v-GO SSO: System Requirements
- Table 10: Competitors

List Of Figures
- Figure 1: Passlogix v-GO SSO Network Diagram

Gartner
Entire contents © 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Corporate Headquarters
Passlogix, Inc.
160 Pearl Street, 4th Floor
New York, NY 10005, U.S.A.
Tel: +1 212 825 9100
E-Mail: info@passlogix.com
Internet: www.passlogix.com

Overview

Passlogix's v-GO Single Sign-On (SSO) provides SSO to a wide range of enterprise and Web target systems, including custom applications, via a client-centric architecture.

The v-GO SSO software works on the user's client workstation and intercepts all log-on and password change requests. It can support any mode of work (networked, mobile, offline, etc.) and allows for strong password rules independent of the rules defined by individual target systems. It can also support alternative authentication methods, such as smart cards, biometrics and graphical passwords.

v-GO SSO maintains configuration information locally and/or in a directory to create specific policies and uses an independent cryptographic subsystem to ensure the confidentiality of user credentials.

How v-GO SSO Works

A user initially logs in through v-GO SSO using a primary authentication method. This can be the user's username and password for a Microsoft Windows network, an LDAP or a PKI application (Entrust and RSA Keon are currently supported). Other valid primary authentication methods are smart cards and biometrics (either through Microsoft Windows or Passlogix's Authentication API) and Passlogix's own v-GO Password Window graphical password method.

Through the use of a configurable background process, v-GO SSO detects and responds to log-in events. As an example, v-GO SSO will:
- Automatically submit the proper credentials (for example, username and password) to the target system being accessed.
- Generate or select a password for a new target system.
- Automatically change the password for a target system requesting a new password.

v-GO SSO stores target system usernames and passwords in, and retrieves them from, an encrypted local store and (optionally) a central network directory.

The local credentials store means that a user can enjoy SSO even when working remotely, disconnected from the corporate network. The central credentials store means that a user can enjoy SSO from any workstation with v-GO SSO on the network. The local and central credential stores are synchronized automatically whenever the workstation is connected to the corporate network.

Figure 1: Passlogix v-GO SSO Network Diagram

Table 1: Overview: v-GO SSO

Version: v-GO SSO 3.2

Date Announced: 31 July 2002

Platforms Supported:
- Mainframe (OS/390, z/OS), Unix, OS/400 and other host-based applications: Attachmate Extra!, Eicon Aviva, Hummingbird HostExplorer, IBM PCom, IBM Client Access, IBM Host-On-Demand, Wall Data Rumba, WRQ Reflection, etc.
- Host-based applications on Unix-compatible systems (via Telnet), OS/400 systems (via 5250), OS/390 & z/OS systems (via 3270), etc.
- Enterprise client-server applications: Oracle, PeopleSoft (including Vantive), Siebel Sales, Microsoft SQL, Lotus Notes, Novell GroupWise, Clarify, etc.
- Web and browser-based applications: Via Microsoft Internet Explorer 4.x or 5.1 or later and Netscape Navigator 4.x and 5.5.
- Desktop applications: Act!, Goldmine, Microsoft FrontPage, Visual SourceSafe, etc.
- E-mail, groupware and chat: Microsoft Outlook, Eudora, Juno, Lotus Organizer, Meeting Maker, Corporate Time, ICQ, MSN Messenger, Yahoo! Messenger, etc.
- Online services: Microsoft Dial-up Networking, Internet Explorer Dialer, AOL, CompuServe, EarthLink, MindSpring, MSN, Prodigy, WorldNet, etc.
- Pre-configured for VPNs from AT&T, Nortel, Cisco, etc.
- Citrix MetaFrame, NFuse Classic, NFuse Elite and Windows Terminal Server in all modes.
- Configurable for other applications and services in each category, including in-house applications.

Installed Base: Over 160,000 users in 77 organizations worldwide. By region:
- North America: 48 organizations
- Latin America: 5
- EMEA: 14
- Asia/Pacific: 10

Table 2: Features and Functions: v-GO SSO: Identity Management

User Definition: v-GO SSO does not require its own user repository as target-system user credentials are held locally on users' workstations. An organization can institute synchronization with an established corporate directory to enable central administration and user roaming.

User Registration: v-GO SSO holds user data on users' workstations and optionally on an established corporate directory, so does not require user registration.

Target-System User Name Assignment: v-GO SSO discovers each user's IDs across all target systems as each one is accessed.

Table 3: Features and Functions: v-GO SSO: Interfaces

Target System Interface: v-GO SSO uses a patented process that associates a single user authentication event to multiple independent application authentication events. v-GO SSO employs client-side intelligence to provide SSO by detecting and responding to each log-on process directly from the user's workstation. Users authenticate as they normally would, and then v-GO SSO securely handles all subsequent password-related events, including password generation and password change. v-GO SSO comes with built-in recognition for a wide range of terminal emulators, common desktop applications, and many client/server utilities. Further target systems, including homegrown and legacy applications, can be supported with little configuration effort.

User Desktop: v-GO SSO's client software can be deployed using deployment tools, such as Windows Installer (MSI), SMS, Tivoli and others.

Table 4: Features and Functions: v-GO SSO: Authentication Methods

Microsoft Windows Authentication: v-GO SSO allows users to use their normal Microsoft Windows log-on via a memorized password or any other natively supported authentication method (for example, public-key certificates, biometrics):
- Uses Microsoft Crypto API to encrypt user credentials.
- Supports both connected and disconnected mode.
- Supports dedicated, shared and roaming workstation use.
- Performs silent backup/restore of user credentials.
- Windows password is the default authentication method.

LDAP Directory Authentication: v-GO SSO allows users to authenticate to an LDAP directory (for example, Sun ONE Identity Server).

PKI: v-GO SSO is Entrust-Ready and RSA Keon Ready and can be combined with the native infrastructure of Entrust PKI or RSA Keon PKI such that a user can authenticate to the PKI application via a memorized password or any other natively supported authentication method to enable v-GO SSO. Features:
- Uses Entrust and RSA cryptographic services for key encryption.
- Supports most Entrust-Ready and RSA Keon Ready biometrics, tokens and smart cards.

v-GO SSO Password Window: Passlogix's own graphical password interface provides a primary authentication method in which a user interacts with a graphical image via click and drag to generate a password consisting of a number of mouse events. Images include:
- Cocktail lounge (mixing cocktails, etc.).
- Hand of cards.
- Making a meal.
- Periodic table of chemical elements.

Biometrics: v-GO SSO allows users to access their credentials using a biometric via an Authentication API, a set of plug-in interfaces used to integrate the authentication user interface directly with the main v-GO SSO client. (This is in addition to using Windows 2000 biometric authentication.) Several vendors have undertaken this API-enabling support for many commercially available devices. Passlogix states that it requires less than one man-month to integrate new authenticators via v-GO SSO's Authentication API.

Smart Cards: v-GO SSO allows users to access their credentials using a smart card via:
- An Authentication API, a set of plug-in interfaces used to integrate the authentication user interface directly with the main v-GO SSO client.
- A Synchronizer API, a set of plug-in interfaces used by the v-GO SSO Synchronization Manager to read and write data from the data source.
SchlumbergerSema, a leading smart-card vendor, has integrated v-GO SSO into its standard smart card offerings using these interfaces. (This is an alternative to using Windows 2000 smart card log-in.)

Table 5: Features and Functions: v-GO SSO: Single Sign-On

Target-System Password Discovery: Organizations can choose to set up v-GO SSO in one of two ways:
- The First Time Use wizard can be configured to prompt the user to enter all their usernames and passwords for each specified application when v-GO SSO runs the first time.
- The second method automatically recognizes password-protected systems (applications, Web sites, etc.) and optionally prompts the user for log-in credentials and other configuration information as the user accesses each application.
The configuration wizard can be administratively set to allow users to set up new log-ons and edit log-on properties, or not.

Target-System Password Change: v-GO SSO can detect application, Web-site, host/mainframe, and network change requests and generate new passwords. Password-generation rules include:
- Minimum and maximum length requirements.
- Allowing or restricting alpha, numeric and special characters, repeated characters.
- Allowing or restricting repeated characters.
- Uppercase and lowercase requirements.
- Begin/end criteria.
An administratively set silent mode allows v-GO SSO to automatically respond to password change requests. v-GO SSO supports applications sharing passwords, such as Outlook with the Windows domain, and applications tied to password synchronizers or central security systems, such as IBM z/OS RACF.

Primary Password Timeout: Administrators can set the time interval for password re-authentication, so that users will authenticate every log-on, once per session or as frequently as desired, to provide some protection against walk-away security breaches.

Desktop Locking: v-GO SSO provides a secure screen saver that locks down a user's Microsoft Windows desktop after a pre-determined period. Once invoked, this screen saver cannot be circumvented using [Ctrl]-[Alt]-[Del]; the user must re-authenticate to regain access to the desktop.

Table 6: Features and Functions: v-GO SSO: Security

Communications: Intra-process communications are encrypted. Directory synchronization uses Secure Sockets Layer (SSL) between the workstation and the directory.

Server/Repository: v-GO SSO uses Blowfish encryption to secure all user credentials locally on the desktop and to remote directories or network drives. If an organization is required to use a different algorithm, the v-GO SSO Encryption API enables easy substitution of Triple DES (3DES), FIPS 140-2, AES (FIPS 197) or any other encryption algorithm. User information can be automatically backed up to (and restored from) a floppy disk, a local directory or a network share on startup or on every application/password change. v-GO SSO provides full support for Microsoft AD and LDAP v2 and v3 directory servers (for example, Sun ONE Identity Server, Novell eDirectory/NDS). A Synchronizer API allows synchronization of credentials between v-GO SSO and other password storage repositories (for example, databases, non-LDAP directories, smart cards, etc.).

Resilience: Passlogix has built active and passive defenses into v-GO SSO to protect it against potential breaches. v-GO SSO continuously monitors for attacks on its operation, including trapping debuggers or other similar events. All memory-based data is secured, and v-GO SSO implements disassembly defenses that compress and encrypt executables, DLLs and other sensitive resources.

Scalability: v-GO SSO's combined client and directory-based architecture allows it to scale easily. Passlogix reports no noticeable degradation in log-on performance with well over 200 credentials per user and no known directory scaling limitations.

Table 7: Features and Functions: v-GO SSO: Administration

Interface: The v-GO SSO Policy Manager allows all preferences, automation and settings to be controlled by an administrator on a global, user-specific or target-system-specific basis and sets specific levels or turns specific functions on and off. Controls are available for Password Window settings, password generation, automation levels, user-controlled customization, backup, etc. v-GO SSO supports central administration via the directory (or NT domain) or third-party tools.

Reporting: None.

Local Administration: While most deployments rely on central administration, v-GO SSO can be fully administered by the user or by the administrator on a local machine.

Utilities: Passlogix provides a configuration and testing wizard that an administrator or engineer can use to configure and test in-house configurations.

Table 8: Features and Functions: v-GO SSO: Auditing

Event Logging: v-GO SSO logs all user events, including startup/shutdown, application log-on, password change, credential add, modify or delete, authenticator changes, backup/restore, credential synchronization, password reset, settings changes, desktop lock. v-GO SSO stores event logs locally or can generate output to an administratively set target, including SNMP, Windows Event Log, LDAP, Tivoli, etc. v-GO SSO also provides an Event/Audit API and a set of plug-in interfaces to support any log-capable system.

Log Archiving: As implemented for audit log target.

Reporting: As implemented for audit log target.

Alerting: None.

Table 9: Features and Functions: v-GO SSO: System Requirements

Directory Server:
- Microsoft Windows 2000 Active Directory
- Novell NDS eDirectory
- Sun ONE Identity Server (iPlanet Directory)

Client:
- OS: Microsoft Windows 95, Windows 98, Windows NT 4.0 (SP4/5/6a), Windows 2000 and Windows XP
- Processor: 90 MHz Pentium processor
- RAM: 64MB RAM
- Hard disk: 20MB available for installer, 4MB for the program and data. A complete installation requires 6MB.
- Windows authentication support: MS Internet Explorer 5.0 or higher, with 128-bit encryption

PKI Support:
- Entrust PKI: Entrust/Entelligence v5.0 or higher
- RSA Keon PKI: RSA Keon Desktop v5.5 or higher

Analysis

Founded in 1996, Passlogix focuses on the development of v-GO SSO. The first commercial version of v-GO SSO shipped in the summer of 2000.

v-GO SSO enables enterprise users to enjoy the benefits of SSO while connected to or disconnected from the corporate network, while roaming between computers and even if they share a computer with multiple users.

Passlogix v-GO SSO has a smaller installed base than leading competitors, but these include many large implementations, including 10 with more than 5,000 users and 12 with 2,500-5,000 users.

v-GO SSO is designed for easy deployment, and an organization can administer it using its existing management tools, such as Microsoft Windows Domain Management tools, Tivoli and CA Unicenter.

Intelligent, Client-Oriented Single Sign-On

v-GO SSO's proprietary client-side intelligence handles log-on requests at the user's workstation. When a user encounters a password-protected application or Web site, v-GO SSO automatically recognizes the request and supplies the relevant user credentials. v-GO SSO works out-of-the-box with common Windows applications, Web sites and host emulators. Passlogix states that in-house and less common commercial applications typically take less than 10 minutes to configure.

After successful user authentication, v-GO SSO automatically recognizes and responds to all password-related requests on behalf of the user, including log-on and password change requests.

This approach means that organizations do not have to write scripts or install connectors on individual target systems as with other products. Other script-based SSO products, such as CA's eTrust SSO and Protocom's SecureLogin, do, however, provide many pre-built scripts, and SecureLogin also uses Wizards to quickly build scripts for new target systems.

Range of Primary Authentication Options

v-GO SSO enables enterprise users to authenticate using their Microsoft Windows log-on, typically with a memorized password, but optionally with Windows smart card log-in and other authentication methods.

Users can also use LDAP directory passwords or Entrust or RSA Keon PKI product passwords. Smart cards and biometrics can also be supported directly using Passlogix's Authentication API.

Another option is the v-GO SSO Password Window. There has been renewed interest in this kind of graphical password with the recently announced research in this area by Microsoft, Lucent Technologies, New York University, the University of Virginia and others. Passlogix states, however, that this option is rarely used in practice, as it requires a high level of user training. Nevertheless, its development provided Passlogix with the modular authentication framework that has allowed it to support a wide range of other authentication methods.

Single Sign-On Improves Security

v-GO SSO's Silent Password Change option allows the organization to transparently implement strict password policies across all target systems. v-GO SSO can generate more complex, and hence more secure, passwords than users would normally use or remember. In addition, the frequency of password changes can be increased to any desired interval, from weeks to every session, with no additional burden on the users. Where target-system passwords are not revealed to the user, security is further increased, as users must have access to a system with v-GO SSO installed to get into the systems.

If memorized passwords are used as the primary authentication mechanism, each user has only one to remember. This password can be made more complex and changed more often (for example, every month) to improve security, without it becoming too onerous for the user to remember.

Organizations should recognize, however, that using v-GO SSO's Silent Mode means that users do not know their target system passwords, so that if v-GO SSO fails they cannot access the target systems directly. But as v-GO SSO does not rely on a central server, this will be a problem for only users with faulty client software.
Single Sign-On Reduces Costs

If each user has only one password to remember, it will not be forgotten so often, and vendors estimate that this can eliminate about 80 to 85 percent of password problems. This reduces both lost user productivity and calls to the organization's help desk (which can account for upwards of 30 percent of all help-desk calls). Passlogix cites the cost of a typical password reset as $25 per incident and states that many organizations spend well over $200 per year per employee on resets.

Secure Credential Storage

v-GO SSO securely encrypts user credentials (by default, with Blowfish) and caches them locally or stores them in a directory. These credentials can be unlocked only with a user's primary authentication.

Support for User Mobility

v-GO SSO supports user mobility by storing credentials in an LDAP directory, network drive, smart card or local hard drive. Unlike purely server-based single-sign-on products, such as CA's eTrust SSO, v-GO SSO enables users to securely access password-protected applications or documents when they are disconnected from the network (for example, on an airplane).

Ease of Deployment

v-GO SSO requires no scripting and very little integration, eliminating the burden of costly application and server-side programming. This out-of-the-box functionality enables v-GO SSO to be deployed to thousands of users very quickly. Typical implementation projects may take 60 days' planning with an additional 30 days for installation. About 75 percent of implementations involve Passlogix's professional services, which typically account for about 15 percent of the total project costs.

Furthermore, v-GO SSO does not require a separately administered, dedicated server, so reducing the organization's overhead.

Relationship With Novell

From May 2000 until December 2001, Novell offered Novell Single Sign-On (NSSO) based on Passlogix v-GO SSO. The relationship was dissolved because of incompatible development directions rather than any technical limitations of the v-GO SSO product. Passlogix finds it difficult to compete in organizations using NetWare or NDS eDirectory, but has won customers that have moved away from Novell.

Pricing

v-GO SSO is priced at $69.95 per user. Volume discounts for enterprise deployments are available.

Maintenance: 20 percent of the license cost is charged annually, for a minimum of three years. Support includes unlimited telephone and e-mail incidents and software upgrades.

GSA Pricing

No.

Competitors

v-GO SSO competes directly with other SSO products and, more broadly, with authentication management infrastructure (AMI) products that offer SSO alongside centralized management of multiple authentication methods and flexible authentication policies. All products here require client software, as v-GO SSO does, and all but Protocom's require a product-specific server and repository.

Table 10: Competitors

ActivCard Inc.
Trinity
Internet: www.activcard.com
Ankari's Trinity AMI product supports multiple authentication schemes, including memorized passwords, RSA SecurID, smart cards and biometrics (fingerprint only). It also supports a wide range of platforms including Unix and IBM mainframe operating systems and groupware such as Lotus Notes. SSO functionality is integrated with the core product.

BioNetrix Systems Corp.
BioNetrix Authentication Suite (BAS) and BioNetrix SSO
Internet: www.bionetrix.com
BioNetrix's BAS supports multiple authentication schemes, including memorized passwords, smart cards and various biometrics, but no one-time password tokens. It also supports a wide range of platforms but not Unix or IBM mainframe operating systems. It allows user re-authentication to be built into workflow applications for transaction security. A separately licensed product, BioNetrix SSO adds SSO functionality, but by itself the only supported primary authentication method is memorized passwords.

Computer Associates, Inc.
eTrust SSO
Internet: www.ca.com
CA's eTrust SSO (developed from Memco/Platinum's Proxima) provides SSO via a directory-based architecture. It supports a range of primary authentication methods that includes an independent SSO password, network OS passwords, one-time password tokens, smart cards and various biometrics. It supports a wide range of Windows, Web and terminal-emulated target systems via pre-built and custom Tool Command Language (Tcl) scripts.

Protocom Development Systems
SecureLogin
Internet: www.protocom.cc
Protocom's SecureLogin provides SSO via a directory-oriented architecture that supports roaming and offline access via local caching. Like v-GO SSO, SecureLogin leverages an organization's established directory (or NT domains). It supports a range of primary authentication methods, including Windows or NetWare network passwords, and strong authentication methods, such as smart cards and biometrics. It supports a wide range of Windows, Web and terminal-emulated target systems via pre-built and custom scripts. Novell offers this product under license as Novell SecureLogin.

Strengths

No Target System Scripts or Agents

v-GO SSO provides SSO to all of an organization's target systems without using integration techniques, such as scripting or server-based agents. Passlogix notes that many customer organizations specifically prohibit scripts due to the associated performance and/or maintenance costs.

Passlogix's patented approach using intelligent client software embeds algorithms and filters that have been developed over many years and can be implemented reliably across multiple target systems. This approach also increases transparency for users.

Easy to Implement, Quick ROI

Because of its script-less, agent-less target-system interface and its simple client-oriented architecture, v-GO SSO is very light on the integration challenge. Technical implementation for 10,000-user sites can be achieved in about 30 days. Passlogix states that customers generally see 100 percent ROI in less than six months.

Limitations

Limited Range of Strong Authentication Methods

v-GO SSO provides an Authentication API that can be used to add support for strong authentication mechanisms, such as smart cards and biometrics, but it lacks out-of-the-box support for such methods, except via native Microsoft Windows support.
Some third-party vendors do offer support for advanced authentication (for example, SchlumbergerSema for smart cards), and Passlogix states that it can integrate any strong authenticator for customer deployment in less than one man-month. While most organizations will continue to rely on memorized passwords as the primary authentication method, this may be a barrier for organizations looking to move toward strong authentication.

Script-Less Approach Lacks Flexibility

While v-GO SSO's script-less approach provides many benefits, some organizations might find the lack of customizability that scripts could provide limiting.

Insight

Passlogix v-GO SSO is a practical enterprise single sign-on (SSO) product that can meet organizations' demands for increased security. The distinctive aspect of v-GO SSO is its client orientation, where many SSO products and other authentication middleware add another server or directory to manage. v-GO SSO does use a directory server to store information but does not interact with the directory during the sign-on process, providing a roaming capability and ensuring that there is no critical dependence on a single server. v-GO SSO can be deployed rapidly, but most enterprise users will need to tailor the tool so that it automatically recognizes their custom applications. Although it lacks its own central management tools, user options can be configured dynamically via the directory or domain or via third-party tools. While organizations looking to implement strong authentication might find v-GO SSO's API-based support limiting in comparison with other products, v-GO SSO's architectural simplicity can give a quicker return on investment than other SSO products.