Hitachi ID Systems Inc. of Calgary announced this week a network security product designed to let users reset passwords using mobile phones.
Hitachi ID Password Manager version 7.0 is designed to help large firms manage network authentication using a variety of devices, such as smart cards, hard disk encryption keys and biometrics.
For example, a user who forgets a password could receive a random PIN over a cellular network using short messaging service, said Idan Shoham, chief technology officer of Hitachi ID.
He added that for some organizations, the primary authentication method is a smart card.
“If a user forgets his smart card PIN, he’s in trouble,” Shoham said. The user cannot reach technical support by launching the Web browser because he cannot log on to his PC, so it’s a “Catch 22.”
But using Password Manager 7.0, Shoham said, a user in this predicament could press a button on his smart card and be prompted to answer a series of security questions.
“Using any mechanism that runs on a PC, we can authenticate the user asking some security questions,” Shoham said, adding that an ActiveX component can be pushed to the smart card, which lets users reset their passwords.
Although the smart phone feature of Password Manager 7.0 “appears to be unique,” the other features are common in identity and access management products, said James Quin, lead analyst with London, Ont.-based Info-Tech Research Group.
The new Hitachi offering is part of a broader category of identity and access management (IAM) products available from vendors such as Oracle Corp., CA Inc. and IBM Corp.’s Tivoli brand.
“There’s got to be a dozen companies” in the space, Quin said. “By no means (is Hitachi) the only player in the space.”
New to version 7.0 is the ability to force users to log in using CAPTCHA, or a Completely Automated Public Turing test to tell Computers and Humans Apart, which presents the user with a series of malformed letters designed to foil optical character recognition software. CAPTCHA authentication forces the user to re-enter the characters into a text box.
Pricing is based on the number of licences, and an organization with 25 seats could expect to pay $13,000, Shoham said.
Password Manager 7.0 also lets companies delegate different security rights. For example, managers could be given the power to reset passwords for their subordinates.
It is also designed to allow single sign-on and includes connectors for more than 100 applications such as Active Directory.
Having native connectors to other software, such as customer relationship management or enterprise resource planning applications, is important, Quin said.
“The more native hooks there are the less money it will cost you,” he said.
If the software doesn’t have a native hook into an application, Quin said, users can still build one using software developer kits or hire a consultant to do it.
Shoham said companies are installing more types of authentication.
“Ten years ago, everyone had just passwords,” he said. “Then needed security questions. Then for road warriors they added hardware tokens, but those are not as convenient as smart cards.”
Hitachi ID Systems said Password Manager works with SecurID, made by EMC Corp.’s RSA division. For example, users can use Password Manager to reset or clear PINs and to enable or disable RSA tokens, using either a self-serve Web application or an interactive voice response (IVR) system.
It also has a policy engine that supports 50 different types of rules, such as password length and maximum and minimum numbers of letters, numbers and punctuation marks. It can also reject passwords that match a user’s name or appear in dictionaries. The policy engine can also manage different types of policies in enterprises where one system supports strong passwords but another does not.
Quin said companies that need to meet regulatory standards may find identity and access management software handy.
“One of the great things you can get out of IAM is granular reporting of who is doing what, where, why and how,” he said.