With more users, partners, accounts, and platforms, password automation is becoming a necessity. We tested seven password-management products and granted our Tester's Choice to the one with outstanding policy creation and enforcement as well as extensive platform support.
Password-management software generally lets users reset and change passwords from a browser, a Windows client or by phone. When using the telephone for a reset, users enter a PIN and are walked through prompts. For shops that don't provide 24/7 helpdesk access, support for Web browsers and phones is a plus. ActivIdentity SecureLogin lacks phone support, but it does support authentication using biometrics, terminal services and VPN, as do Avatier Identity Management Server (AIMS), Courion Enterprise Provisioning Suite (EPS), M-Tech P-Synch and Passlogix v-GO Single Sign-On. Quest Password Reset Manager (PRM) provides VPN support, and the company said it will add phone support later this quarter. ASPG ReACT (Reset Enterprise Access Control Tool) provides only a Windows client and support for HTTP/HTTPS.
In addition to supporting authentication tools, like tokens or biometrics, out-of-the-box or through an SDK, self-service password-management suites authenticate employees using a series of random, predefined challenge-response questions, such as "What's your mother's maiden name?" All the products we tested ship with built-in identity questions.
To guarantee that challenge-response questions offer strong user authentication, admins typically can specify the number of questions that must be asked and answered correctly. We required that 10 questions be defined in the system, for example, but only four had to be answered properly for a reset request. While ASPG only allows up to five configurable questions, all other products could select, say, four out of our 10 questions randomly. Self-service password resets are ideal for today's mobile and dynamic workforce, but flexibility and ease of use are key. If users find the application too cumbersome or just don't understand what's happening, they won't use the product and they'll call the helpdesk, defeating the purpose. Quest's PRM was the only product we tested that didn't permit at least partial customization of the self-service site.
Users must enroll to take advantage of a self-service password product. With the products we tested, we could enroll users manually or let them enroll themselves. Manual enrollment requires an admin to answer questions for each user. We prefer to let users register themselves by answering a series of questions, but there is an inherent weakness in self-enrollment--if a user should fail to register, someone else could answer his or her questions, then change the password.
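The enrollment and four-of-ten challenge flow described above can be sketched as follows. This is an added example, not code from any of the reviewed products; the function names, the PBKDF2 work factor and the answer normalization are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example

def _normalize(answer: str) -> bytes:
    # Fold case, Unicode form and whitespace so "  Smith " matches "smith".
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")

def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)

def enroll(answers: dict, required_questions: int = 10) -> dict:
    """Store a salted digest per question, never the answer itself."""
    if len(answers) < required_questions:
        raise ValueError("enrollment incomplete")
    record = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)
        record[qid] = (salt, _digest(answer, salt))
    return record

def issue_challenge(record: dict, ask: int = 4) -> list:
    """Pick `ask` enrolled questions with a CSPRNG so the subset is unpredictable."""
    return secrets.SystemRandom().sample(sorted(record), ask)

def verify(record: dict, challenge: list, responses: dict) -> bool:
    """Every challenged question must be answered correctly for a reset."""
    ok = True
    for qid in challenge:
        salt, stored = record[qid]
        candidate = _digest(responses.get(qid, ""), salt)
        # Constant-time compare, and keep checking after a miss so timing
        # does not reveal which answer was wrong.
        ok &= hmac.compare_digest(candidate, stored)
    return ok
```

The reset request should be bound to the challenge returned by `issue_challenge`, so a caller cannot keep requesting new subsets until a guessable one appears.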
Although easily guessable passwords are a security risk, requiring ultrastrong passwords doesn't mean ultrastrong security. It's a rare user who won't jot down a password like au89JQ%p4. The goal is a middle ground where you can enforce strong yet memorizable passwords while reducing resets. We aimed to impose strict passwords, but based on a flexible set of requirement rules--for example, a minimum and maximum length, mixed cases, a minimum and maximum of upper or lower case letters, and no words from the dictionary. By far, M-Tech's P-Synch offered us the richest built-in options for creating password policy rules, but ActivIdentity SecureLogin, Avatier IMS, Passlogix v-GO, and Quest PRM made strong showings as well; note that Avatier requires the purchase of its Password Bouncer as a companion to its Password Station to enforce strong passwords.
Courion also offered good flexibility options and even let us specify formats for policies. ASPG builds in a much smaller policy rule set--we needed to edit or create ActiveX scripts using ASPG's ActiveX Scripted System to add rules other than minimum and maximum password length, characters allowed and password case sensitivity.
When it came to enforcing our test password policies, all seven products worked like a charm.
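A minimal checker for the kind of rule set we tested (minimum and maximum length, mixed case with minimum and maximum counts of upper- and lower-case letters, and no dictionary words) is shown below. It is an added example, not code from any of the reviewed products; the thresholds, the small word list and the substitution table are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "dragon", "summer", "monkey"})

# Simple character substitutions undone before the dictionary check
# (an assumption of this example): 0->o, 1->i, 3->e, 4->a, $->s, 5->s, @->a, 7->t.
SUBSTITUTIONS = str.maketrans("0134$5@7", "oieassat")

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 16
    min_upper: int = 1   # min_upper >= 1 and min_lower >= 1 together
    max_upper: int = 6   # enforce the mixed-case requirement
    min_lower: int = 1
    max_lower: int = 12
    dictionary: frozenset = SAMPLE_DICTIONARY

def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the names of violated rules; an empty list means the password passes."""
    violations = []
    if not policy.min_length <= len(password) <= policy.max_length:
        violations.append("length")
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    if not policy.min_upper <= upper <= policy.max_upper:
        violations.append("uppercase_count")
    if not policy.min_lower <= lower <= policy.max_lower:
        violations.append("lowercase_count")
    # Dictionary rule: lower-case the candidate, undo simple substitutions,
    # then reject it if any dictionary word appears as a substring.
    folded = password.lower().translate(SUBSTITUTIONS)
    if any(word in folded for word in policy.dictionary):
        violations.append("dictionary_word")
    return violations
```

Returning every violated rule, rather than stopping at the first, lets a self-service page tell the user everything to fix in one pass.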
It's also important to consider supported platforms. If you're a Windows-only shop, you'll find plenty of options. But scaling across numerous platforms, including mainframes, databases and applications like e-mail and ERP, will narrow your list quite a bit. For OS support, the products from Avatier, Courion, M-Tech and Passlogix were shining stars. Following closely were those from ActivIdentity and Quest. ASPG's ReACT supports Windows Server 2000/2003 and IBM OS/390 but requires ActiveX scripting for Unix-variant integration.
Sync Up for SSO
Password synchronization can be thought of as one step down from SSO. It lets users log on to different systems with a single password, but each user still must enter an ID and password for each application. Password synchronization usually doesn't require IT infrastructure changes because the software resides on an existing server, and APIs link it to databases, helpdesk systems and security frameworks.
SSO lets a user log on once and access multiple applications and systems. Typically, the user is authenticated at logon. When an application is opened, the SSO agent seamlessly passes authentication credentials to any system to which the user has access rights. SSO technology requires its own infrastructure, including an authentication server, to validate a user's identity and permissions prior to granting or denying access. In addition, SSO software may not solve all your password-management problems. For shops whose main goal is a single password, SSO's high price and manpower costs are causing the pendulum to swing back to password synchronization (see "Is One Password a Reality?").
All the products we tested can handle password synchronization or SSO, though Avatier's and Courion's products require add-ons or partnerships. Passlogix's and ActivIdentity's have the strongest SSO implementations because both provide encrypted, secure passwords that can manage user access across applications. Users should find both simple to use.