GemSafe Logon is intended for the individual computer. It is self-contained, but with an administrative twist. Access policies are set up centrally by an administrator who creates a configuration file for the individual smartcards and distributes it to users. This is practical for smaller installations but perhaps not for large, distributed enterprises.

The product suffers from the safe mode bypass flaw, but tests for the forensic analysis flaw were inconclusive. Because the policy can be set to allow users to reset locked-out PINs, change PINs and use small PINs, care should be taken in configuration. We were able, usually through errors in configuration, to bypass the card security in a variety of ways.

A user with the card administration tool could take further steps to attack the card security. Though Gemplus notes that the tool should be kept out of reach of unprivileged users, this is always a risk and, with many users having admin rights on desktops, could exacerbate the vulnerabilities we found. We feel that the GemSafe Logon product provides cursory protection at best and is a good example of keeping honest people honest rather than providing strong access control.

The product was reasonably straightforward to install and distribute. We found the manuals to be weak. For example, we ran one of the supplied cards down so that it allowed no further login. In order to unlock the card, the policy must allow the user to unlock the card. If the configuration box allowing this is unchecked, the card cannot be unlocked. This is made clear in the manual, but what is not made clear is that there is a way to change the configuration after the fact and reset the card policy, allowing the card to be unlocked – if the user has access to those forbidden administration tools.

Support is not available 24/7, but there is a toll-free number and email access to support. Occasionally we reached voicemail, but support, when we reached it, was good.

Generally, we found that GemSafe Logon provided limited protection in a small, contained environment and we recommend it only for small organizations, especially those not using laptops.