Environment
Situation
Question
What is a SecureLogin passphrase and what is it used for?
Resolution
Answer
Note: This document is targeted at sites running SecureLogin in ADS mode but the principles are still the same when using other Directories such as Novell eDirectory.
The passphrase is an integral part of SecureLogin's security architecture, as it secures a user's Single Sign-on data including the usernames and passwords they use to authenticate to applications.
The passphrase is set when SecureLogin is launched for the first time for each user. The following passphrase security options are available:
- The user chooses both the passphrase question and the answer. The question can be anything the user decides, as can the answer.
- The SSO administrator predefines a list of questions; the user selects one of them and enters the answer.
- The passphrase security system can be set to Hidden (disables user-defined passphrases).
- The passphrase security system can be set to No (disables user-defined passphrases and never changes the primary key for SSO decryption from the user's PKI private key).
User-defined passphrases can contain any question/answer combination, but the answer should be known only to the user and should not be easily guessed. Examples include details of cars, old telephone numbers they know, or post codes/ZIP codes of places they have lived. Although a user may never be prompted to answer their passphrase, it must be something they will remember, or they may be unable to unlock their SecureLogin secrets.
Once the passphrase is set, a random key is generated, and a one-way hash of the passphrase answer is used to encrypt this key. The new key is then encrypted using the application key and is used to protect the user's SecureLogin credentials, giving each user a unique key and the strongest possible protection. Because this user-specific key also protects the user's passwords, even administrators with Supervisor rights to the network and access to MMC are unable to view a user's passwords to applications.
The next time (and every time after that) a user logs on to ADS, SecureLogin loads seamlessly. Typically, users are NEVER PROMPTED with the passphrase question again. However, to protect their Single Sign-on data from unauthorised use, a user WILL be prompted for their user-defined passphrase in the following scenario:
- If the user's ADS/network password is changed by someone else (e.g. by the administrator because the user has forgotten it), the passphrase question must be answered the next time SecureLogin loads before it will continue. This prevents an administrator (or anyone other than the user) from changing the user's ADS password, logging on as that user, and gaining access to their SecureLogin data and applications.
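The key hierarchy described above (random user key, wrapped under a one-way hash of the passphrase answer, then wrapped under the application key) is easy to reason about in code. The following is an added, stand-alone model and is not SecureLogin's own code: the product's actual algorithms, key sizes and storage format are not stated in this article, so PBKDF2-SHA256 stands in for the "one-way hash", an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC stands in for the encryption, and the application key, passphrase answer and credentials are constructed values. It demonstrates the point of the reset scenario in the list above: the ADS password is not an input to any key, so someone holding the application key but not the passphrase answer cannot recover the user key or the credentials it protects.

```python
# Added example, not SecureLogin code: a simplified model of the passphrase
# key hierarchy. PBKDF2 and the HMAC-based cipher are stand-ins (assumptions);
# the real product's primitives are not described on the page.
import hashlib
import hmac
import os

# Constructed application key standing in for SecureLogin's application key.
APP_KEY = hashlib.sha256(b"constructed application key for the example").digest()

PBKDF2_ROUNDS = 100_000  # assumed work factor; the page only says "one-way hash"


def passphrase_key(answer: str, salt: bytes) -> bytes:
    """One-way hash of the passphrase answer, used as the key-wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for the demo."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (e.g. a wrong passphrase
    answer) is rejected here rather than yielding garbage plaintext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enrol(answer: str, app_key: bytes) -> dict:
    """First launch: generate the user's random key, wrap it under the
    passphrase hash, then wrap that result under the application key."""
    salt = os.urandom(16)
    user_key = os.urandom(32)
    wrapped_by_passphrase = seal(passphrase_key(answer, salt), user_key)
    return {"salt": salt, "wrapped_user_key": seal(app_key, wrapped_by_passphrase)}


def unlock(record: dict, answer: str, app_key: bytes) -> bytes:
    """Recover the user key. The ADS password is not involved anywhere, so
    resetting it does not help anyone who lacks the passphrase answer."""
    wrapped_by_passphrase = unseal(app_key, record["wrapped_user_key"])
    return unseal(passphrase_key(answer, record["salt"]), wrapped_by_passphrase)


def can_unlock(record: dict, answer: str, app_key: bytes) -> bool:
    """True only when both the application key and the passphrase answer are right."""
    try:
        unlock(record, answer, app_key)
        return True
    except ValueError:
        return False


def store_credential(user_key: bytes, username: str, password: str) -> bytes:
    """An application credential protected by the user-specific key."""
    return seal(user_key, f"{username}\x00{password}".encode("utf-8"))


def read_credential(user_key: bytes, blob: bytes) -> tuple:
    username, password = unseal(user_key, blob).decode("utf-8").split("\x00", 1)
    return username, password


if __name__ == "__main__":
    record = enrol("old phone 555-0100", APP_KEY)          # constructed answer
    key = unlock(record, "old phone 555-0100", APP_KEY)
    vault = store_credential(key, "alice", "S3cret!")      # constructed credential
    print(read_credential(key, vault))
    # An administrator holding the application key but not the answer:
    print(can_unlock(record, "", APP_KEY))
```

The tag check in `unseal` is what turns a wrong answer into a clean failure instead of silently producing garbage, which matches the behaviour the article describes: without the passphrase answer, SecureLogin cannot unlock the user's secrets, whoever holds the directory account.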
In version 6 and later, the passphrase security system can be hidden or set to No so that users do not have to enter a passphrase question or answer; this is done by setting the following preference at the container, group policy or user object level. It is not recommended for security reasons when password authentication to the Directory is used.
Enable passphrase security system = Hidden (or No)
In v5.5, this setting was:
Disable passphrase security system = Yes
With this option set to Hidden, users are not prompted to set a user-defined passphrase; a random key is generated automatically without user input. However, with the passphrase security system set to Hidden, an Active Directory administrator could potentially reset a user's Active Directory password, log on as the user, and access their Single Sign-on data. Enable passphrase security system can only be set to No if PKI is being used to encrypt SSO data (a passphrase is required in some form when PKI encryption is not implemented).