RoboForm Steps Up Into Enterprise Security

Good security dictates that users create unique, long and complex passwords for all the corporate
applications they log on to. It also dictates that they don’t write these passwords down. Enterprise single
sign-on (ESSO) systems aim to make this possible but they can be costly and difficult to implement. RoboForm
Enterprise provides a simple alternative to ESSO that achieves many of the same benefits at a far lower
cost.

RoboForm, developed by Fairfax, VA-based Siber Systems, is best known as a consumer password manager utility.
Put simply, it stores user name and password information for different websites, protected by a master password
the user specifies. When a user visits one of these websites, RoboForm prompts the user for the master
password and then logs the user in automatically by entering the stored username and password information.
The benefit to the user is that they can use different complex passwords for every website while only having
to remember a single master password. The product has a number of other features too, like the ability to
auto-fill forms, including credit card information and social security numbers.

About three years ago, in response to a large number of inquiries from businesses, Siber Systems developed
RoboForm Enterprise. “We were getting companies asking us if we could do a version of RoboForm that forced
people to choose a master password with at least eight characters, or one that didn’t do automatic form filling.
We decided that we didn’t want to do custom versions, so instead we decided to develop an enterprise version
specifically for businesses,” says Bill Carey, Siber Systems’ VP Marketing and Business Development.

A system like RoboForm Enterprise may not be as effective as an ESSO solution, says Ant Allan, a research
vice-president at Gartner, but it can be far cheaper and easier to implement. “RoboForm Enterprise is like ESSO
Lite,” he says. “For smaller companies that mainly use Windows and Web-based apps it is probably attractive, but
for larger enterprises the trouble is that it doesn’t work with terminal screens for things like (Lotus)
Notes.”

RoboForm Enterprise handles logins for Web applications and most Win32 application logins, including
enterprise applications like SAP, storing passwords using AES 256-bit encryption. The main difference between
the consumer and enterprise versions of RoboForm is the enterprise version’s Policies Editor, a utility which
administrators can use to set a number of policies. These include the minimum master password length, and the
minimum number of upper and lower case characters and the minimum number of digits the master password must
contain. It can also be used to customize just about any aspect of RoboForm, from whether or not to display
a RoboForm taskbar icon, to the interval before the master password needs to be re-entered on an idle
machine. Policy changes can be carried out by users with administrative rights on their own machines, however,
which presents a potential security risk. Another difference from the consumer version is that the enterprise
product can be mass deployed and activated over the network.

The key concept behind RoboForm is that everyone should be able to remember one good, strong password, which
protects many other passwords stored on their computer. An argument against this is that if the master password
is compromised, so are all the other passwords it protects. The counter argument is that a single good, strong
password carried around in a user’s head is less likely to be compromised than many alternatives: a user asked
to remember many long passwords will almost certainly be unable to do so, forcing them to choose between using
simple short passwords, writing down their passwords, or using the same password for all their applications.
ESSO systems also suffer from this problem, and when implemented are often used in conjunction with two-factor
authentication systems. RoboForm Enterprise can be configured to use individual users’ Windows logins instead of
a master password, so it too can make use of two-factor authentication if the standard Windows login uses it. It
can also be configured to use a biometric such as a fingerprint instead of a master password.

Additional RoboForm Features

RoboForm Enterprise has a few other interesting features, such as dual master passwords. This allows 
employees to provide colleagues with access to any of their accounts without revealing their passwords. To
do this the employee creates a “passcard” containing login and password information, protected by a different
master password. The colleague can import this passcard into their own copy of RoboForm and access the
accounts using the second master password, without ever knowing what the underlying login and password details
are.

But what happens if a user forgets their master password? Unlike the consumer version, RoboForm Enterprise
allows for key recovery based on a public key encryption system. If enabled in the Policies Editor, the master
password for each RoboForm Enterprise client is backed up to a central location, encrypted using a public key
stored at that location. The corresponding private key is stored separately by the administrator,
protected by a password. Using the Policies Editor, an administrator can then open a specific user’s master
password backup file using the password-protected private key, to recover the master password and the user’s
network login ID. If the password recovery feature is used, this does mean that an attacker who obtained the
private key and gained access to the central storage location could acquire all the master passwords. But to
use any given master password, the attacker would also have to gain access to the relevant user’s
machine.

The fact that RoboForm Enterprise runs locally on users’ machines has other implications too. Unlike an ESSO
system, it can’t supply centralized logs for security and compliance purposes, but neither can it bring an entire
enterprise to a standstill the way a failing ESSO system can.

M Financial Group is one company that is using RoboForm Enterprise as an alternative to ESSO. This Portland,
OR-based financial services company spent “a couple of hundred thousand dollars” on failed single sign-on
projects before deciding to abandon them and use RoboForm Enterprise instead, according to Curt Rynties, M
Financial’s VP Information Technology. He explains: “Some of the people at the company were dubious about the
security it could provide, so I just encrypted all my passwords with the product and said that if they could
access them, I’d give up on the idea. Of course they couldn’t, and I think they were quite impressed. Now we use
the Policies Editor to set the length and components of master passwords that staff have to use, and that is the
primary value to us. The whole thing cost about $30,000 to implement,” he says. M Financial decided not to use
the password recovery feature of RoboForm Enterprise, but Rynties says that employees have found it easy to
memorize a single master password. With RoboForm in use requests for password resets for individual applications
have fallen by 20 to 30 percent.

RoboForm Enterprise costs about $20 per user for 100 licenses, but it won’t suit every company –
especially ones that use terminal-based applications and ones where employees frequently access applications
from different machines. But for many businesses it may offer much of the functionality of an ESSO system for a
fraction of the price, with an implementation time of days rather than months – or even years.

Paul Rubens
Paul Rubens is a technology journalist specializing in enterprise networking, security, storage, and virtualization. He has worked for international publications including The Financial Times, BBC, and The Economist, and is now based near Oxford, U.K. When not writing about technology Paul can usually be found playing or restoring pinball machines.