Set any group of business IT users talking and it will not be long before the subject of passwords and application access control crops up. The "I have more passwords than you" debate will then take place, followed by some imaginative suggestions for getting around the system, together with colorful observations about the relative effectiveness of passwords in any event.
This common occurrence, entertaining as it might be, represents a sad indictment of contemporary IT. It further reflects on its perceived slowness in providing secure access to applications in a manner that while being intuitive and seamless for users, is robust enough to provide adequate security.
The irony is that, for some time now, there have been a variety of products available that offer potential solutions to this problem. These include variations around the "single sign-on" idea using passwords, tokens and even biometrics in all manner of combinations, albeit requiring a slightly different operational methodology on the part of the user.
So how is it that more organizations have not embraced some of these ideas? Are we to be condemned for ever to hearing the great password debate in restaurants and bars the world over?
One company which offers a potential escape from this IT Flying Dutchman is Datakey, with its Axis 5.1 product. Based on familiar smartcard methodology, Axis 5.1 provides a convenient means for legitimate users to quickly gain access to relevant applications.
Of course, the system needs to know what these applications are, together with the currently used passwords, and users need to personalize their smartcards.
We also need to consider situations where we might have many users, perhaps divided into logical groups, for whom a suitable access control policy will need to be configured. Datakey has thought carefully about this and has provided a suitable toolset accordingly.
The Datakey Axis Management Center provides a centralized administration point with which to set things up. This adopts a familiar concept, with an Explorer-type left-hand pane and details applicable to the selected item shown within the main right-hand pane. The main sections are the Configuration Manager, Token Manager, Policy Manager and Client Builder.
The Configuration Manager is primarily concerned with the management of certificates, while the Token Manager is concerned with administering the various smartcard parameters. Factors such as pass-phrase length, token time-out and maximum number of allowable failed login attempts can, of course, be adjusted.
The Policy Manager section is where things get interesting, because it is here that you train Datakey Axis to work with your particular applications. This is undertaken in a rather unusual, but intuitive, manner whereby, having brought up the login dialog for the application concerned, you simply drag an Axis icon onto the dialog in order to recognize the application, and then drag the icon onto both the username and password boxes in order to save this information into the profile.
Similarly, you can drag the Axis icon onto the OK button of the login dialog to make sure that this process is similarly automated.
If the application or process in question likes to prompt periodically for a password change, then Datakey Axis has a novel way of managing this, too. The program can automatically and randomly generate new passwords, which are stored on the smartcard for subsequent use. Indeed, the user need not even concern themselves as to what the password actually is.
Having set up the appropriate applications in this way, the Client Builder enables the creation of a client installation file (called a "policy client") which can be distributed to the end users. Each user can then enrol their credentials into their own smartcard, including a smartcard label and a pass-phrase, before using the system in earnest.
There is also a Smartcard Recovery feature which, in the event of a lost or damaged smartcard, enables a new card to be quickly configured with the appropriate information. It also enables a temporary login without a card. Users can also configure their own favorite applications, including web-based applications, for single sign-on if they wish.
All in all, Datakey Axis is a well conceived and executed product that provides a practical means of managing the multiple password dilemma in a secure manner. If yours is a large organization, you may wonder about having a separate smartcard reader attached to every workstation via a USB connection. In practice, and with a little attention, this can be deployed fairly elegantly, because the reader supplied has a self-adhesive base, making it easy to attach to the side of a PC case or monitor.
The Datakey software worked faultlessly in practice and was easy to configure. A quick start guide, reader installation guide, users' guide and a comprehensive administration guide are all provided in PDF format. These are well written and clearly illustrate the capabilities of the product while guiding you on your way to an effective implementation.