Single SignOn replaces Passwords

Passwords are a nuisance. They are too short, too fixed, and must be entered over and over again. They are even stored on insecure systems. Single SignOn solutions founded in cryptography make it secure to login repeatedly, after entering a secret only once!

Other solutions

Issues to consider

Fixed secrets can be tapped from unencrypted points in any communications channel. For encrypted connections, the end points are still points where this can be done. Fixed secrets should not be used to access remote systems.

Public key crypto makes the authentication between a client and server differ every time. As a result, you can safely use the same public key to authenticate to many systems.

Network protocols can often employ public key crypto, but this must be explicitly required in most cases.

Hardware tokens are light and small engines that totally encapsulate public key crypto; use these if you need to carry your credentials around.

Solution 1: Wrap it in a Secure Shell

The Secure Shell is a Network Protocol that has been standardised for the Internet, and that is consequently available from different providers. Public key authentication is possible with these products, making this a true Single SignOn protocols.

The Shaman is a true Single SignOn solution based on the standard SSH protocol.

  • On Linux and Unix, OpenSSH is often already available;
  • On Windows, WinSCP and PuTTY are popular;
  • On Mac OS X, OpenSSH and Fugu are well-integrated.

Client-side key management is worth setting up, even though it is a bit tricky to do. With our Shaman agent, it is possible to use a cryptographic token to encapsulate all Public key crypto. All that is needed is a token with a complete PKCS #11 interface.

Shaman for Windows works smoothly with WinSCP and PuTTY, or any other tool that uses the Pageant protocol. It can also be used to encapsulate arbitrary TCP/IP connections, such as for mail reading and database access. It provides a little icon in the bottom bar, from which a menu with user-defined connections pops up.

Shaman for Linux works smoothly with OpenSSH's ssh/sftp/scp commands, and anything that builds on it, including cvs, rsync and darcs. You do need a token with a working PKCS #11 library.

Shaman for Mac OS X is currently not available, but do let us know if you need it for a group of users.

We can provide useful Token Services on our tokens.

Package summary:
Shaman licenses for selected operating systems at €25
ePass2000 tokens for USB, optional, at €41
Token Service Labels, optional, at €5 per token

Order for systems running Windows Linux
Include ePass2000 tokens with Token Service Labels

Solution 2: Use SSL connections

Another standard Network Protocol that can wrap arbitrary TCP/IP connections is SSL. It has a turbulent history, so we advise using the Secure Shell where possible.

The most common application of SSL is a secure website. Others are secure mail reading protocols. The server side always presents a certificate to authenticate itself. Adding authentication with client certificates can also turn SSL into a true Single SignOn solution.

Server Certificates are necessary so the client knows it is authenticating to a trusted site. By their nature, SSL certificates must be renewed regularly.

Login Tokens are client certificates that we can create for our customers and yours; This is usually much cheaper than anything you can build yourself! You may also want to check compatibility with your current browser. Note that IIS is not sufficiently standards-compliant to recognise Login tokens.

ePass2000 tokens totally encapsulate the Public key crypto for SSL client certificates. The credentials stored on them cannot be copied with any reasonable amount of work. The tokens plug into USB and they are protected with a PIN.

ePass1000 tokens store the credentials for Public key crypto for SSL client certificates. They are not as secure as the ePass2000 tokens, but on Windows they can provide SSL service to browsers and other token-aware software. The tokens plug into USB and they are protected with a PIN.

Token Return Labels can be helpful when you are prone to loosing your tokens. More...

Order the items you seek below.

Package summary:
Login token SSL Client Certificates for one year each, at €3
ePass2000 or ePass1000 tokens for USB, optional, at €41 or €30
Token Service Labels, optional, at €5 per token

Order Login token SSL Client certificates.

Include hardware tokens with Token Service Labels

The following extension to this order is only needed if you have not arranged it yet:

Package summary:
Secure Server Cert at €100 per year

Order one certificate for years

The names of the products presented on this page are trademarks of OpenFortress

   ------ 8< ---------- 8< ----------- 8< ------ | OpenFortress*