Passlogix may have dual factor authentication, but there's nothing preventing somebody from opening Remedy and just entering a username and password. To pass the DOD's CAC/SSO initiative, the 2 factor authentication would need to be required in order to access the system.
And I'm not knocking password management tools. I use them all the time. It's just not the solution the DOD is looking for.

________________________________
From: Scott Hammons <[EMAIL PROTECTED]>
To: arslist@ARSLIST.ORG
Sent: Wednesday, December 3, 2008 10:04:05 PM
Subject: Re: SSO & CAC Authentication

Well, this sounds like a 2 factor authentication scenario not strictly SSO. Passlogix does support dual factor authentication.

Scott

________________________________________
From: Action Request System discussion list(ARSList) [EMAIL PROTECTED] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 1:59 PM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

Well, there's really two issues (for DoD, at least): SSO and CAC authentication. DoD wants a solution that does both. Jason pointed out, "[Passlogix] doesn't make the CAC required to access Remedy." If that's true, it's out as far as DoD is concerned.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Scott Hammons
Sent: Wednesday, December 03, 2008 12:40 PM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

Agreed for the most part. However, to the "end users" this gives them the perception that this is SSO. The "minimal additional security" part can be debated. Most companies I've worked in (commercial and government) have users storing credentials in spreadsheets, in notepad files, in sticky notes (all of the common security issues I'm sure others have seen). Additionally, I've seen where the password policies are documented but not enforced. At least with the Passlogix product set it does provide the password management capability to simulate the SSO process to the end users, centrally and securely store the credentials (supports major encryption algorithms (AES, Blowfish, etc...)), and supports CAC authentication systems.
The application also works with the majority of applications and doesn't require any modification of the application itself. Is this true SSO? I would say not because true SSO would have applications accepting authentication from a single authentication authority and until the industry and product vendors can work together on a standard integration it will be hard to achieve. Applications from vendors like Passlogix make it easier to simulate an SSO environment. So whenever I hear about SSO integration I think there is a bigger question to be answered here and that is do I implement a solution to meet the requirements of one application (and then have to do this every time an application wants SSO) or do I provide a solution that would work for a majority of the applications that the end users are using and would provide additional security that auditors would be looking for?

Just my .02.

Scott

________________________________
From: Action Request System discussion list(ARSList) [EMAIL PROTECTED] On Behalf Of Jason [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 12:44 PM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

Passlogix provides a password management system. It is no more secure than the automatic authentication processes we've already discussed. It is merely a program that stores the end users' username and password for individual websites and applications and sends it to the appropriate application when activated. While you can use CAC authentication to access the stored information, it doesn't make the CAC required to access Remedy. These types of applications only provide ease of use for the end user and minimal additional security by encouraging more complex passwords.

________________________________
From: Scott Hammons <[EMAIL PROTECTED]>
To: arslist@ARSLIST.ORG
Sent: Wednesday, December 3, 2008 7:12:31 PM
Subject: Re: SSO & CAC Authentication

All,

There are products out there that will meet the DOD requirements.
One of the industry leaders in the SSO market is Passlogix and they support CAC authentication as well.

Website: www.passlogix.com <http://www.passlogix.com/>

One good thing about their SSO solution is that it will work for most applications (not just Remedy).

Hope this helps.

Scott

________________________________________
From: Action Request System discussion list(ARSList) [ <mailto:ars

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"