Skip to main content

The WiKID Blog

Viewing posts by root

How scalable is the WiKID server?

Very. We have tested the WiKID server running on a low-end 1.4 ghz server with 256 meg of ram and IDE drive and have documented 50 transactions per second. The WiKID Server is a software appliance available as an ISO or a VMWare image that you put on your hardware platform of choice, so the scalability will depend on the hardware you choose.

How does WiKID enable Active Directory password resets?

A password-reset domain is configured on the server with Administrator rights to reset users' passwords. When a user forgets their password, they choose the password reset domain on the WiKID client and enter their PIN. If PIN is correct, the encryption valid and the WiKID account is active, the WiKID server resets the Active Directory password to the one-time passcode and forces the user to change their password at the next login.

How are users provisioned? How is initial validation handled?

A big problem with hardware-based tokens and traditional soft-tokens is the need to get the token or data file to the end user securely and to associate it with the user on the server. Typically, there is a big box of tokens in a secure location, the security administrator grabs a token, enters the serial number into the user’s account on the server, and overnights the token to the user. The next day, he overnights a new PIN number for use with that token. Obviously, this process is an expensive waste of time for a highly paid security professional. WiKID Systems’ elegant architecture allows for a fully automated initial validation when our system is combined with a trusted network or existing trusted relationship.

First, the end-user installs the client on the device (over-the-air download or via the Internet installer) and logs into a web site, over a trusted LAN or using an existing hardware token or some other trusted mechanism. The web site provides the user with a 12-digit code that represents the IP address of the authentication server. The user selects ‘New Domain” to create a new trust relationship and enters the 12-digit number.

The WiKID client generates its own public/private key pair and sends a request to the server along with it’s public key. The server responds with a configuration file and its public key, encrypted with the client’s public key. Already, we have asymmetric encryption! The user enters his chosen PIN, which is stored on the server and the server responds with a registration code. The user enters the registration code into the web site and he is finished. If the administrator allows automated initial validation, the user can start generating valid passcodes and can throw away their token (or, more likely, they can return it for recycling to a non-WiKID user). An administrator can easily add a user manually as well.

Can WiKID work across multiple enterprises without federation?

Yes. Unlike most two-factor authentication systems, WiKID uses public key crypotgraphy instead of shared secrets. This means that a single WiKID token can support an unlimited number of relationships with WiKID servers without a reduction in security.

Can more than one passcode be valid at one time?

No. Only one passcode can be valid at one time. Most time-synchronous token solutions allow more than one passcode to be valid at one time so that the login window is long enough or to account for clock drift. With only a 6 digit passcode, this can reduce security.

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom