
eToken Single Sign-On 3.0

Frequently Asked Questions

www.Aladdin.com/eToken

Table of Contents

1. Why aren’t passwords good enough?
2. What are the benefits of single sign-on (SSO) solutions?
3. Why is it important to use strong authentication with SSO?
4. What is token-based SSO?
5. What are the benefits of token-based SSO solutions?
6. What is eToken Single Sign-on (SSO)?
7. Why should organizations choose eToken SSO?
8. Which applications does eToken SSO support?
9. Which credential storage options does eToken SSO provide?
10. How does eToken SSO work with target applications?
11. How does a user work with eToken SSO?
12. Does eToken SSO handle application password changes?
13. Does eToken SSO require software on the user desktop?
14. Does eToken SSO require any back-end software or hardware?
15. How can I install eToken SSO?
16. Does eToken SSO support strong authentication?
17. Which authentication tokens does eToken SSO support?
18. How can I manage my eToken SSO solution?
19. What do I do if I forget my eToken password?
20. What do I do if I lose my eToken device?
21. What if someone finds my eToken device with my personal credentials?


1. Why aren’t passwords good enough?

Passwords are not secure

• Passwords cannot provide sufficient security - Password cracking tools are widely available on the Internet.
• Enforcement of password policies requiring long or complex passwords causes password overload. Users compromise their passwords by using common words or by writing them down in an insecure location.

Passwords are costly

• A typical organization needs to maintain at least 10 different passwords for different systems for each user, leading to loss of productivity of both users and the help desk in maintaining these passwords.
• Studies have shown that a major portion of help desk calls are related to forgotten passwords, assigning a cost of approximately $25-$50 to each password reset.

2. What are the benefits of single sign-on (SSO) solutions?

Single sign-on solutions resolve password issues by storing users’ logon credentials for multiple applications, and automatically providing users with access to all their applications after they authenticate once to the SSO system. Following are the key benefits of SSO:

• Enhances security - Users can easily manage complex, unique passwords for their applications without engaging in risky practices, such as writing down their passwords
• Enhances user productivity - Eliminates the need to remember and handle multiple passwords, and the hassle of forgotten passwords
• Provides major cost savings - Significantly reduces password-related help desk calls

3. Why is it important to use strong authentication with SSO?

The fact that SSO allows you to authenticate once and access multiple applications makes it especially critical that this initial authentication be secure. Relying on password authentication to your SSO solution exposes you to a much higher risk than that of having individual application passwords compromised, for whoever gets hold of this one password gets the ‘key to the kingdom’.

Implementing strong authentication by requiring at least two factors (e.g. something you know – a password, and something you have – a token) to log on to the SSO solution significantly reduces the risk of unauthorized access to all your valuable business applications and data.

4. What is token-based SSO?

Token-based SSO solutions use an authentication token, such as a physical smart card token or a virtual (software based) token, to store user logon credentials. These solutions include client software that recognizes target application logon screens when opened, and submits the user’s credentials to the relevant applications.


5. What are the benefits of token-based SSO solutions?

Token-based SSO solutions provide the following added benefits:

• Secure credential storage - User credentials are stored securely on a token
• Inherently integrated with strong authentication - Users need to have both their token and token password in order to use the SSO solution
• Portable - Users can carry their credentials with them on a portable token
• Offline operation - Users can enjoy the SSO functionality even without connectivity to the organization’s network
• Easy to implement - Requiring no back-end integration with target applications, token-based SSO solutions are easy to deploy and maintain

6. What is eToken Single Sign-on (SSO)?

eToken SSO is a comprehensive, secure, and easy-to-deploy token-based solution for using and managing user passwords in an organization. With eToken SSO, users can securely store their network and application logon credentials on their tokens and automatically gain access to those applications after authenticating once. Administrators can use eToken SSO to provision and manage passwords and password usage within the organization.

7. Why should organizations choose eToken SSO?

• Secure, portable credential storage - All the user passwords and credentials can be securely stored on-board the smart-card-based token, offering enhanced security, full portability, and smooth operation in offline mode
• Full management support - eToken SSO is fully supported with eToken TMS (see below), providing automatic backup and restore of credentials and eToken’s unique solution for employees on the road who lost their tokens, allowing users to always stay productive
• Easy to implement - Because the solution is token-based and does not require back-end integration, it is easy and fast to deploy
• Expandable solution - Customers implementing eToken SSO can easily and cost-effectively expand their authentication solution to include secure certificate-based VPN access, disk encryption and pre-boot authentication, digital signatures, and more, with the eToken product family and more than 150 Aladdin eToken solution partners

8. Which applications does eToken SSO support?

eToken SSO works with:

• Network logon
• Desktop applications
• Web applications and accounts

9. Which credential storage options does eToken SSO provide?

• Smart card tokens - Organizations can deploy eToken SSO with any mix of eToken smart-card-based authentication tokens (see below). This approach provides maximum security and portability.
• Virtual token (software only solution) - For organizations that prefer to deploy eToken SSO as a software only solution, it is possible to use eToken Virtual, a secure software based token protected with AES 128-bit encryption, for credential storage on the PC. It is also possible to start with the software only solution and add eToken hardware devices at a later stage.

10. How does eToken SSO work with target applications?

Through the use of templates. A template contains a set of rules and parameters relating to a target application. For eToken SSO to support a specific application, an SSO template for that application has to be stored on the user’s computer. Administrators can localize and customize a particular template, including the languages and messages presented to the user through a web GUI.

For the creation and maintenance of SSO templates, eToken provides a flexible and easy-to-use Template Manager utility for administrators.

eToken SSO does not require any back-end integration with applications.

11. How does a user work with eToken SSO?

First-time usage with an application:

1. Following the appropriate setup, a user simply launches her application as usual, with the eToken device plugged into the USB port (if eToken SSO is implemented as a software-only solution, the user needs to use a machine where her eToken Virtual is stored).
2. The eToken SSO client identifies this application and prompts the user to enter her application logon credentials (username, password, etc.) only for that one time. An eToken SSO profile is created for the specific application, stored on the token, and is ready to be used automatically the next time the user logs on to that application.

Ongoing usage:

1. A user simply launches her application as usual, with her eToken device plugged into the USB port, or her eToken Virtual stored on the machine.
2. The eToken SSO client identifies this application and prompts the user to enter her eToken password. (Note: eToken SSO can be configured to have users prompted for the eToken password once, at each application logon, or on defined time intervals depending on the organization’s security needs.) The eToken SSO client pulls the relevant user credentials from the token, automatically fills them into the logon screen and automatically submits them. (Note: automatic fill-in and automatic submit are optional and configurable features of eToken SSO.)

12. Does eToken SSO handle application password changes?

Yes. Whenever an application prompts for a password change, eToken SSO can either generate a random password that conforms to the password policy that was created for the application, or allow the user to enter a new password herself. This is determined per application, so administrators can have full flexibility in deciding how passwords are handled within the organization.

13. Does eToken SSO require software on the user desktop?

Yes. The eToken SSO Client needs to be installed.

14. Does eToken SSO require any back-end software or hardware?

No. eToken SSO is a client based solution and does not require back-end resources.

Optionally, eToken TMS can be installed in the organization’s back-end infrastructure to take advantage of TMS’ token life-cycle management capabilities and management level support for the SSO solution.

15. How can I install eToken SSO?

You can use several techniques to install eToken SSO on your users’ desktops.

• Microsoft GPO - Using the Microsoft Active Directory GPO you can automatically install and update any software on user desktops.
• Other software distribution solutions - Using other software distribution solutions such as SMS, you can automatically install and update any software on user desktops.
• Sending an email link - Administrators can send an email link to a network installation and ask the users to run the installation from there.
• Manual - Administrators can manually install software on user desktops.

16. Does eToken SSO support strong authentication?

Yes. eToken SSO is inherently integrated with strong two-factor authentication. As user credentials are stored on-board the token, in order to use the SSO solution for access to applications the user needs to provide the token (something one has), and the token password (something one knows).

17. Which authentication tokens does eToken SSO support?

eToken SSO works with all eToken smart card based devices, including:

• eToken PRO - Aladdin’s world leading USB smartcard token
• eToken NG-OTP - Advanced hybrid USB and OTP token
• eToken NG-FLASH - 2-in-1 security and data storage token
• eToken PRO Smartcard - Aladdin’s world leading token in card form

18. How can I manage my eToken SSO solution?

eToken SSO is completely integrated with eToken Token Management System (TMS), providing full token life-cycle management, as well as automatic backup and restore of user credentials, integration with Identity Management systems, and a solution for employees who lose or forget their tokens while on the road (including those who require their token for network logon).

19. What do I do if I forget my eToken password?

In the case of a forgotten password, eToken TMS enables users to reset the eToken password using the TMS self service web sites. The process is simple and intuitive, involves no help-desk calls, and minimizes password related costs. For organizations preferring the help desk approach, TMS also allows administrators to easily reset user token passwords using the TMS web-based administration tool.

For organizations that do not deploy eToken TMS, it is possible for an administrator to reset a user’s eToken password, if the token was initialized with an administrator password.


20. What do I do if I lose my eToken device?

No worries! You can fully restore your eToken SSO credentials. eToken provides two forms of back-up:

• Enterprise backup and restore capabilities - With TMS, every user’s credentials are automatically and securely backed-up on the network. If your token has been lost or damaged, your personal credentials can be restored to your new eToken device automatically through the new eToken enrollment process.
• User local backup and restore - Users can create a local backup file of all their credentials using the eToken SSO Client. The file is encrypted and password-protected. When needed, these credentials can be restored by inserting an eToken device and entering the password.

21. What if someone finds my eToken device with my personal credentials?

eToken is a highly secured smartcard-based device. To make sure that whoever finds the device will find it practically useless, eToken employs the following mechanisms:

• Strong eToken password - Information stored on-board the token is protected with a unique and strong password. You can define eToken password policy settings to ensure that your users choose strong eToken passwords.
• eToken lock mechanism - eToken has a lock mechanism that locks the token after a few failed attempts to access it (typing a wrong eToken password). This feature eliminates any chance of breaking the eToken passwords, including brute force attacks.
• Secured smart card - eToken is a highly secured smart card device. User credentials are maintained within the secured smart card, protected from reverse engineering or other hacking attempts.

22. What other security solutions does eToken support?

In addition to SSO, eToken supports a wide range of enterprise security applications, including:

• Smart card logon
• Secure web access
• File/folder/disk encryption and pre-boot authentication
• Email/document encryption and signing
• Digital signatures
• Secure physical access

For more information regarding Aladdin eToken, please refer to: www.Aladdin.com/eToken


North America: +1-800-562-2543, +1-847-818-3800 UK: +44-1753-622-266 Germany: +49-89-89-4221-0 France: +33-1-41-37-70-30 Benelux: +31-30-688-0800 Spain: +34-91-375-99-00

Italy: +39-333-9356711 Israel: +972-3-978-1111 China: +86-21-63847800 India: +919-82-1217402 Japan: +81-426-607-191 All other inquiries: +972-3-978-1111

© 26/11/2007 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark and eToken is a trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.
