Playing poker with your passwords

Just one password to remember – that’s the glory of single sign-on technology.

And now Passlogix Inc., a New York-based software company, is offering corporations a different kind of single sign-on technology.

Marc Boroditsky, CEO at Passlogix, said what makes V-GO SSO unique is that it is based on an intelligent client that detects all logon requests, instead of the more popular server-based technology.

“We came at this problem, not as security professionals would, but as the users would,” Boroditsky said.

He added that at times the project had two opposing sets of objectives – simplifying things for the user while maintaining or improving security.

The issue is that some workers have 15 passcodes they need to remember, Boroditsky said. “There has been this idea around for a while, that is: ‘Can I figure out a way to handle all those individual logon requests, all those individual passwords without having the user dealing with them themselves – a single logon,'” he said.

“That sounds simple, but it’s not.”

The team working on V-GO SSO had to deal with a multitude of requirements, such as PCs with applications running locally, Unix machines, mainframes, the network, Lotus Notes, SAP applications, plus home-grown applications.

When a user signs on to the desktop, the machine will start logging on to V-GO, Boroditsky explained.

“With V-GO we have a unique sign-on experience. Instead of a user entering a string of letters and numbers, we have a graphical interface that we call a password window,” he said.

Users can choose from a number of graphical themes, like cards or a bar where they can mix a drink.

“We saw this as a way to simplify the experience for the user,” Boroditsky said. “Names and passwords are really hard to make secure. Most Web sites can be hacked very easily because of weak names and passwords.”

Users can also choose not to use the graphic interface though, Boroditsky said. V-GO also has a keyboard interface.

“When you enter your password, our password window interface generates a key that is not stored or retained. The user does not even know what the key is, so they could never give that information to anyone,” he explained. “That key is then used to unlock a locally-stored encrypted key. Until you’ve put in your password, the key that’s stored on your machine can’t be opened.”

He added that once the client’s “private key” has been decrypted it is then used by the V-GO authentication system to unlock all of the user’s names and passwords.
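The two-level key arrangement Boroditsky describes, sketched as an added example (not Passlogix code): a key derived from the password unwraps a locally stored key, which in turn decrypts the saved credentials. The article names no algorithms, so PBKDF2, the HMAC-based stand-in cipher, the function names and the sample data are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

SAMPLE = {"mainframe": {"user": "jdoe", "password": "constructed-pw-1"}}  # constructed data

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher (assumption).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered store")
    return _xor_stream(enc_key, nonce, ct)

def derive_kek(password, salt):
    # Recomputed from the password at every sign-on; never written to disk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(password, credentials):
    salt, vault_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": seal(derive_kek(password, salt), vault_key),
            "vault": seal(vault_key, json.dumps(credentials).encode())}

def unlock(password, store):
    vault_key = unseal(derive_kek(password, store["salt"]), store["wrapped_key"])
    return json.loads(unseal(vault_key, store["vault"]))

def change_password(old, new, store):
    # Only the wrapped key is re-encrypted; the vault itself is untouched.
    vault_key = unseal(derive_kek(old, store["salt"]), store["wrapped_key"])
    salt = os.urandom(16)
    return {**store, "salt": salt, "wrapped_key": seal(derive_kek(new, salt), vault_key)}
```

Everything in the returned store can sit on disk; without the password, the wrapped key fails its integrity check and the vault stays closed.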

Gartner Group research director Roberta Witty said solutions have to be very tight. “You need a secure solution, because you’re storing all the user IDs and passwords in one place. They definitely need to be encrypted.”

She added that any single sign-on solution must have strong user authentication techniques up front, so that no one can come in and pose as another person.

There are different types of single sign-on, according to Witty, who said the Passlogix solution is known as password scripting, where user IDs and passwords are included in the solution.

“There is password synchronization, which seems to be getting a lot of play at the moment. It’s not exactly the most secure way of handling single sign-on because what you’re doing is relying on a password, which for most information security professionals is not a secure methodology,” she said.

She noted again, with this technology, user authentication needs to be beefed up.

Witty also said the implementation of single sign-on technology can be very labour intensive. “There have been some successes, but nothing like we anticipated or what security specialists hoped for,” she said. “What I do see emerging is the Web application market because they have a single interface. It’s an easier job to do single sign-on, so I think there’s going to be some successes there.”

Another reason Witty gave for single sign-on technology’s failure to permeate the market was that often the software didn’t cover all the platforms or didn’t have interfaces to applications that people needed.

Boroditsky said that V-GO SSO is transferable to all platforms and applications.

“The first time you use V-GO you have to enter your name and password. If you go to an application and V-GO doesn’t have that configured, V-GO will ask you if you want to configure that application, so that you enter your password at that time, just once, and from then on V-GO will serve up your password to that application,” he explained.

He added that the same holds true for Web sites, mainframes and virtually every application. “Set it up once and then forget about it.”

V-GO will also change passwords for applications that require frequent changes, according to Boroditsky.

The software was tested in the security labs of neighbouring financial institutions, he said. There is a free 90-day download at, and the product can be purchased for US$49.95 per user.