RoboForm Steps Up Into Enterprise Security

By Paul Rubens | Feb 1, 2010 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3862066/RoboForm-Steps-Up-Into-Enterprise-Security.htm

Good security dictates that users create unique, long and complex passwords for all the corporate applications they log on to. It also dictates that they don't write these passwords down. Enterprise single sign-on (ESSO) systems aim to make this possible but they can be costly and difficult to implement. RoboForm Enterprise provides a simple alternative to ESSO that achieves many of the same benefits at a far lower cost.

RoboForm, developed by Fairfax, VA-based Siber Systems, is best known as a consumer password manager utility. Put simply, it stores user name and password information for different websites, protected by a master password the user specifies. When a user visits one of these websites, RoboForm prompts the user for the master password and then logs the user in automatically by entering the stored username and password information. The benefit to the user is that the they can use different complex passwords for every website while only having to remember a single master password. The product has a number of other features too, like the ability to auto-fill forms, including credit card information and social security numbers.

About three years ago, in response to a large number of inquiries from businesses, Siber Systems developed RoboForm Enterprise. "We were getting companies  asking us if we could do a version of RoboForm that forced people to choose a master password with at least eight characters, or one that didn't do automatic form filling. We decided that we didn't want to do custom versions, so instead we decide to develop an enterprise version specifically for businesses," says Bill Carey, Siber Systems' VP Marketing and Business Development.

A system like RoboForm Enterprise may not be as effective as an ESSO solution, says Ant Allan, a research vice-president at Gartner, but it can be far cheaper and easier to implement. "RoboForm Enterprise is like ESSO Lite," he says. "For smaller companies that mainly use Windows and Web-based apps it is probably attractive, but for larger enterprises the trouble is that it doesn't work with terminal screens for things like (Lotus) Notes."

RoboForm Enterprise handles logins for Web applications and most Win32 application logins, including enterprise applications like SAP, storing passwords using AES 256-bit encryption. The main difference between the consumer and enterprise versions of RoboForm is the enterprise version's Policies Editor, a utility which administrators can use to set a number of policies. These include the minimum master password length, and the minimum number of upper and lower case characters and the minimum number of digits the master password must contain. It can also be used to customize just about any aspect of RoboForm, from whether of not to display a RoboForm taskbar icon, to the interval before the master password needs to be re-entered on an idle machine. Policy changes can be carried out by users with administrative rights on their own machines, however, which presents a potential security risk. The difference from the consumer version is that the enterprise product can be mass deployed and activated over the network.

The key concept behind RoboForm is that everyone should be able to remember one good, strong password, which protects many other passwords stored on their computer. An argument against this is that if the master password is compromised, so are all the other passwords it protects. The counter argument is that a single good, strong password carried around in a user's head is less likely to be compromised than many alternatives: a user asked to remember many long passwords will almost certainly be unable to do so, forcing them to choose between using simple short passwords, writing down their passwords, or using the same password for all their applications. ESSO systems also suffer from this problem, and when implemented are often used in conjunction with two-factor authentication systems. RoboForm Enterprise can be configured to use individual users' Windows logins instead of a master password, so it too can make use of two factor authentication if the standard Windows login uses it. It can also be configured to use a biometric such as a fingerprint instead of a master password.

Additional RoboForm Features

RoboForm Enterprise has a few other interesting features, such as dual master passwords. This allows  employees to provide colleagues with access to any of their accounts without revealing their passwords. To do this the employee creates a "passcard" containing login and password information, protected by a different master password. The colleague can import this passcard into their own copy of RoboForm and access the accounts using the second master password, without ever knowing what the underlying login and password details are.

But what happens of a user forgets their master password? Unlike the consumer version, RoboForm Enterprise allows for key recovery based on a public key encryption system. If enabled in the Policies Editor, the master password for each RoboForm Enterprise client is backed up to a central location, encrypted using a public key stored at that location. The corresponding private key is stored separately by the administrator, protected by a password. Using the Policies Editor, an administrator can then open a specific user's master password backup file using the password-protected private key, to recover the master password and the user's network login ID. If the password recovery feature is used this does mean that there is the potential for a hacker getting his hands on the private key and gaining access to the central storage location to acquire all the master passwords. But to use any given master password he would also have to access the relevant user's machine.

The fact the RoboForm Enterprise is run locally on users' machines has other implications too. Unlike an ESSO system, it can't supply centralized logs for security and compliance purposes, but it also can't bring an entire enterprise to a standstill like an ESSO system that stops functioning has the potential to do.

M Financial Group is one company that is using RoboForm Enterprise as an alternative to ESSO. This Portland, OR-based financial services company spent "a couple of hundred thousand dollars" on failed single sign-on projects before deciding to abandon them and use RoboForm Enterprise instead, according to Curt Rynties, M Finance's VP Information Technology. He explains: "Some of the people at the company were dubious about the security it could provide, so I just encrypted all my passwords with the product and said that if they could access them, I'd give up on the idea. Of course they couldn't, and I think they were quite impressed. Now we use the Policies Editor to set the length and components of master passwords that staff have to use, and that is the primary value to us. The whole thing cost about $30,000 to implement," he says. M Financial decided not to use the password recovery feature of RoboForm Enterprise, but Rynties says that employees have found it easy to memorize a single master password. With RoboForm in use requests for password resets for individual applications have fallen by 20—30 percent.

RoboForm Enterprise costs about $20 per user for 100 licenses, but it won't suit every company – especially ones that use terminal-based applications and ones where employees frequently access applications from different machines. But for many businesses it may offer much of the functionality of an ESSO system for a fraction of the price, with an implementation time of days rather than months - or even years.