Mandylion takes password tokens to next level
Policy Master 2.0 offers more efficient management
- By Michelle Speir Haase
- Nov 20, 2005
If you're holding your breath waiting for passwords to go away, we suggest a long exhale. Despite the increased use of biometric log-in devices such as fingerprint readers, plenty of systems still rely on passwords, and they won't disappear anytime soon.
In fact, as people conduct more of their professional and personal business online, it's not unusual for someone to have 10 or more log-in accounts, sometimes with different user names in addition to different passwords.
The large number of accounts creates a security conundrum. A set of passwords strong enough to withstand hacking would be impossible to memorize, yet writing them all down compromises security.
Several years ago, Mandylion Research Labs introduced a password-management token called ebp lite. It stored existing passwords and log-in names and randomly generated new, strong passwords according to user-defined parameters. The drawback was that entering data was time-consuming and tedious.
Mandylion has solved that problem and created an enterprise-level product with its new Policy Master 2.0, which consists of a token, cradle and management software. The software allows administrators to input and manage the passwords on a PC then download them onto the token.
The token, which fits on a key chain, has four arrow keys and one round Enter key in the center, with a small, monochrome LCD that displays log-in records. Each record includes an identifying name along with the user name and password.
Users can control access by a five-keystroke sequence Mandylion calls a personal finger authentication pattern. You can create your own pattern using the four arrow keys, and Mandylion suggests changing it often.
Using the arrow keys, users scroll through a list of log-in records until they find the one they need. Then they type the password into the computer.
The scrolling process is simple but slower than we would have liked, especially for a device that can hold so many records. When you need to access, say, the 25th record, scrolling speed makes a big difference.
For security, the device does not facilitate bilateral communication between the token, software and cradle during the download process, and the software cannot interrogate a token for its contents.
The system conforms to U.S. military, National Institute of Standards and Technology, and National Security Agency standards for securely creating, managing and using passwords.
The token looks and works the same as ebp lite, except administrators can limit the amount of information users can modify. In addition, this version can store up to 50 passwords -- along with identifying names and log-in names or numbers for each one -- in contrast to ebp lite's capacity of 20.
Another major difference is that the new version can generate passwords of up to 14 characters while ebp lite maxed out at 10.
The new token comes with most of the same excellent security features as ebp lite. For example, customizable lockout settings protect against hackers who might try to guess the finger authentication pattern. You can set the token to lock after one, three, five or 10 incorrect attempts at entering the keystroke pattern.
What's more, you can set the lock action to temporarily freeze data for 15 minutes to 24 hours or completely wipe out all the data on the token. There are even two levels of wipeout, with one allowing the user to immediately reprogram the token and the other requiring the administrator to reinitialize the token via the PC software.
For added control, administrators can enable or disable users' ability to change the lockout parameters.
When locked, the token is totally inaccessible. No backdoor entry is possible, and the circuitry is designed to thwart electronic bypass. It's encased in a gel that, if damaged, renders the device useless.
The Policy Master Configuration software is a welcome addition to the system. We found the template-based interface easy to use, and entering data on a PC is significantly easier -- not to mention exponentially faster -- than entering it into the token directly.
Each token is associated with one template. The templates are in spreadsheet format and list all log-in record information, user information, lockout settings and default password generation settings in one view.
The software also enables administrators to assign and manage group passwords, which are useful in multiserver environments in which a core team of administrators must share log-in access.
The Policy Master's level of customization for password creation is nearly mind-boggling. Passwords can be completely random or specified by length, renewal interval and composition.
To further increase security, Mandylion uses a patented feature called kinetic sensing circuitry. The feature thwarts hackers by sensing the user's physical interaction with the device -- picking it up, putting it in a pocket -- and using that interaction as a random input for password generation. Each token generates a different set of random passwords, in contrast to programs that follow the same formulas each time for each device.
Tokens, cradles and software are sold separately, and users can mix and match them to meet configuration requirements. Tokens cost $19.74 each, and cradles cost $269. Mandylion recommends that customers buy one cradle for every 25 tokens.
The Policy Master Configuration software is licensed in two-user, 25-user, 100-user and 500-user increments, with per-user pricing averaging $34. The total cost for tokens, cradles and software for a typical 100-user installation is about $65 per user. For a typical 500-user installation, the cost is about $45 per user.
Policy Master is an impressive improvement over ebp lite. The system is highly secure, remarkably customizable and ready for enterprise deployment.