Here is a set of points that emphasize the benefits of a smart-cart or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.
Q: what are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application, it should be used on the clients.
The benefits can be summarized as:
the software can also be used with flash disks, being entirely self-contained:
In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:
And as a side effect, this also means that unloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.
The data stored on USB drives are encrypted with AES-256 bit, our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.
Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:
You will probably want to take a look at Key Manager, this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.
Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.
Q: Couldn't someone with a citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:
In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionay. But even in that case, a dictionary attack won't be feasible if the network admin took the right measures and prevents one from physically connecting to the server if they've had too many unsuccessful attempts.
Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.
If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.
We have recently released Private Disk Multifactor 2.0, a huge step forward in 'multifactorian history'. I will explain how one can migrate a Private Disk encrypted image to a Private Disk Multifactor encrypted image; in other words - how to use smart-card or token authentication for an image which used to be mounted by typing a simple password.
That's all. It should also be mentioned that the image can still be mounted with a password, and with a smart card or token, thus different people can access the data without having to know each other's password or PIN.
2g 3g antivirus authentication beta biometry «blue screen» bsod business data domain driver email encryption «file system» form-filling gsm howto «identity theft» internet iphone keeper keylogger logon mobile password «password carrier» pc/sc portability privacy «private disk» release security service seven sim «sim card» «sim manager» «sim reader» «smart card» software tips token troubleshooting usb usim vista windows wiping xp