Security Overview
Preventing Sharing Passwords, Viewing the Username and/or Password
For those concerned about a person being able to view their own credentials, or about someone finding
a badge and viewing another’s credentials, there is an easy solution. In the pre-keystrokes section of
Credential 1, before all other ‘pre-keystrokes’, add the keystrokes that lock the PC. For example, under
Windows XP, GUI+L is used to issue the locking command.
If the station is already locked, these keystrokes are ignored.
If the station is not locked, this initial set of keystrokes will lock the PC before any other keystrokes
are sent.
Security Due to Lost/Stolen Cards
If there is concern for logon impersonation as a result of a lost or stolen contactless token, you may
set up the usage as a two-factor authentication system.
A two-factor authentication system is made up of:
1. Something you have (the token), and
2. Something you know (a PIN).
The card may be encoded to allow operation under either a one- or two-factor authentication system.
One-Factor
In a one-factor system, the user simply waves the contactless token. Therefore the token may be
configured to add TAB keystrokes between the username and password data as well as an ENTER
keystroke behind the data. This was illustrated in example A.
Two-Factor
In a two-factor system, only a portion of the password is encoded into the token. The user is required
to enter the balance of the password (the PIN) after the token data is inserted into the field. The user
then completes the entry with the ENTER keystroke. This was illustrated in example B.
The two-factor approach is especially useful under a policy that enforces password
construction rules or periodic changing of passwords.
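The following is an added sketch, not code from this manual or the product: a small model of the keystrokes a token emits, used to check an encoding against the guidance above (lock chord first; full password plus ENTER for one-factor; leading portion only and no ENTER for two-factor). The key notation, the `Credential` fields, the simplified station model and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed key notation for this sketch; not the product's encoding format.
LOCK, TAB, ENTER = "<GUI+L>", "<TAB>", "<ENTER>"

@dataclass
class Credential:                      # hypothetical model of one encoded credential
    username: str
    token_secret: str                  # password portion stored on the token
    pre_keystrokes: list = field(default_factory=list)
    trailing: list = field(default_factory=list)
    min_pin_len: int = 0               # 0 = one-factor, >0 = two-factor

def keystream(c):
    """Keys typed when the token is presented, in order."""
    return [*c.pre_keystrokes, c.username, TAB, c.token_secret, *c.trailing]

def typed_in_clear(c, locked):
    """Simplified station model: data typed while unlocked reaches the foreground app."""
    leaked = []
    for key in keystream(c):
        if key == LOCK:
            locked = True              # has no effect if the station is already locked
        elif not locked and key not in (TAB, ENTER):
            leaked.append(key)
    return leaked

def audit(c, full_password):
    """Findings for an encoding; an empty list means it follows the guidance above."""
    findings = []
    if c.pre_keystrokes[:1] != [LOCK]:
        findings.append("lock chord is not the first pre-keystroke")
    if c.min_pin_len:                  # two-factor: token holds only a leading portion
        if ENTER in c.trailing:
            findings.append("token sends ENTER before the PIN can be typed")
        if not full_password.startswith(c.token_secret):
            findings.append("token data is not the leading portion of the password")
        elif len(full_password) - len(c.token_secret) < c.min_pin_len:
            findings.append("PIN portion is shorter than min_pin_len")
    elif c.token_secret != full_password or c.trailing[-1:] != [ENTER]:
        findings.append("one-factor token must send the full password then ENTER")
    return findings

# Constructed sample data.
PASSWORD = "Tr0ub4dor&3-4417"
one_factor = Credential("jdoe", PASSWORD, trailing=[ENTER])
two_factor = Credential("jdoe", "Tr0ub4dor&3-", pre_keystrokes=[LOCK], min_pin_len=4)

if __name__ == "__main__":
    for name, cred in (("one-factor", one_factor), ("two-factor", two_factor)):
        print(name, audit(cred, PASSWORD), typed_in_clear(cred, locked=False))
```

The one-factor sample has no lock chord, so on an unlocked station its username and full password are typed into whatever has focus; the two-factor sample locks first and carries only the leading portion of the password.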
Password Change Rules
The issues the administrator will face include:
Automatic Change Password: To increase security, several companies have adopted a policy
that requires users to change their password every xx number of days. To keep this policy in place,