PortalGuard Desktop Component

As an optional client-side component, you can install the PortalGuard Desktop on your workstations. The PortalGuard Desktop software contains multiple independent features:

1) Workstation-based Challenge Enrollment & Recovery

2) PassiveKey™

3) Desktop Two Factor Login

4) Credibility-Based Authentication

Usage Scenarios

Workstation-based Challenge Enrollment & Recovery

This feature can be used to force users to enroll in the Challenge Question and Answer recovery feature (by providing personal answers to the questions they choose) AND reset their password directly from the Windows logon screen.

When users log into their Windows workstation, they can be forced to set their challenge answers if they have not already done so. They must complete this enrollment before their Windows desktop will appear. If they forget their password, they can launch a password recovery wizard directly from the Windows login screen that allows them to reset their password and unlock their Active Directory account when on the network.

When users are off the corporate network but forget their Active Directory domain password, resetting the password is not an option, as this requires network connectivity to an Active Directory domain controller. Instead, they can restore access to their workstation by being shown their current (forgotten) password after correctly answering a sufficient number of the same challenge questions. They can then log in to their machine using Windows cached credentials.

PassiveKey™

PassiveKey (formerly named “Transparent Tokenless Toolbar”) provides the security of two-factor authentication without burdening the end user with manually entering OTPs sent to or generated by a mobile phone, and without the additional expense and management overhead associated with hardware tokens. See the How It Works section below for more details.

Desktop Two Factor Login (Desktop 2FA)

Desktop Two Factor Login is an optional component of the PortalGuard Desktop. When installed, it requires users to log in to their Windows workstations with both their Active Directory domain account and a One-Time Passcode (OTP). This feature suits more security-conscious customers who want to enforce 2FA as part of the Windows login. The allowable OTP types are configurable.

Credibility-Based Authentication

This feature is comprised of components that integrate with the web browsers on the workstation. Their purpose is to deliver better-quality information about the client to the PortalGuard server. This pertains specifically to PortalGuard's credibility-based authentication feature, which can require less trustworthy requests to log in with a more stringent authentication method. The information sent to the server can include geo-location/GPS coordinates, time zone, wireless authentication and encryption levels (when applicable), and locally installed hard drives and other devices.

How It Works

Workstation-based Challenge Enrollment & Recovery

The PortalGuard Desktop integrates with Windows to communicate with the PortalGuard server when it is available on the network. This allows users to enroll their challenge answers, reset their password and unlock their Active Directory account when on the corporate network. Since an Active Directory domain controller is reachable by the client, any new password can be used immediately to log in to the workstation.

Once the user provides their correct credentials to Windows, the PortalGuard Desktop verifies that the user is in compliance with the settings in their PortalGuard policy. For example, enrolling challenge answers can be enforced in this policy, and if the user has not already done so, they will be forced to provide these answers before getting to their Windows desktop. If offline password recovery is enabled in the PortalGuard policy, then these credentials are used to create and/or verify the user's encrypted recovery information on the server. This encrypted information is validated and copied to the local machine upon each network login to Windows. If the user changes their Windows password from the workstation or resets their password using PortalGuard, this recovery information is automatically rebuilt.

When the user is offline, decryption of the recovery information is attempted using the challenge answers they provide. Optionally, an offline lockout feature can delete this recovery information after a configurable number of unsuccessful attempts.
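As an added illustration (not PortalGuard's code or file format), the following Python sketches the offline recovery flow described above: a key derived from the user's normalized challenge answers protects the stored password, a wrong set of answers fails the integrity check, and after the configured number of failures the local recovery information is wiped. It assumes all enrolled answers are required (the "sufficient number" threshold is a policy choice not modelled here) and uses an HMAC-based encrypt-then-MAC construction in place of the product's unspecified cipher.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000   # constructed value, not a PortalGuard setting
MAX_OFFLINE_ATTEMPTS = 5      # the policy's "configurable number of unsuccessful attempts"


def normalize_answers(answers):
    """Trim and case-fold so 'Fido ' and 'fido' derive the same key."""
    return "\x1f".join(unicodedata.normalize("NFKC", a).strip().casefold() for a in answers)


def _derive_keys(answers, salt):
    master = hashlib.pbkdf2_hmac("sha256", normalize_answers(answers).encode(),
                                 salt, PBKDF2_ITERATIONS, 64)
    return master[:32], master[32:]  # encryption key, MAC key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used here as an illustrative stream cipher
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def build_recovery_blob(answers, password):
    """Client-side copy of the encrypted recovery information for one user."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(answers, salt)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "failures": 0, "locked": False}


def offline_recover(blob, answers):
    """Return the forgotten password, or None on wrong answers or after lockout."""
    if blob["locked"]:
        return None
    enc_key, mac_key = _derive_keys(answers, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        blob["failures"] += 1
        if blob["failures"] >= MAX_OFFLINE_ATTEMPTS:
            # Offline lockout: wipe the recovery information; the next network login rebuilds it
            blob.update(salt=b"", nonce=b"", ct=b"", tag=b"", locked=True)
        return None
    blob["failures"] = 0
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()
```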

PassiveKey™

The PassiveKey component of the PortalGuard Desktop serves to validate both the user -AND- the device they're using. PassiveKey is implemented as a browser toolbar installed on workstations that automatically generates a Time-based One-time Password (TOTP) on a regular interval and sets the value as a session-based cookie. This cookie is created for only specific websites and is encrypted using public-key cryptography to ensure only the PortalGuard server can decrypt it.
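The following Python is an added example, not PortalGuard's implementation, of the mechanism just described: an RFC 6238 TOTP generated on a fixed interval, placed in a session cookie scoped to the PortalGuard host, and checked server-side against the enrolled device. It assumes a 30-second step, a per-device shared secret and device identifier, and omits the public-key wrapping of the cookie the page describes (the cookie is assumed to travel only over HTTPS here).

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed interval (RFC 6238 default); the page only says "regular interval"
DIGITS = 6
ALLOWED_SKEW = 1    # accept the neighbouring time steps to tolerate clock drift


def totp(secret_b32, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def passivekey_set_cookie(device_id, secret_b32, now, sso_host):
    """Set-Cookie header the toolbar would emit: no Expires/Max-Age (session-based),
    scoped to the PortalGuard host only, and not readable by page script."""
    value = f"{device_id}:{totp(secret_b32, now)}"
    return f"PassiveKey={value}; Domain={sso_host}; Path=/; Secure; HttpOnly; SameSite=Strict"


def verify_passivekey(cookie_header, device_secrets, now):
    """Server side: bind the code to an enrolled device and allow +/- ALLOWED_SKEW steps."""
    cookies = dict(part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    raw = cookies.get("PassiveKey", "")
    if ":" not in raw:
        return False
    device_id, code = raw.split(":", 1)
    secret = device_secrets.get(device_id)
    if secret is None:
        return False          # unmanaged device: no second factor available
    for delta in range(-ALLOWED_SKEW, ALLOWED_SKEW + 1):
        if hmac.compare_digest(totp(secret, now + delta * STEP_SECONDS), code):
            return True
    return False
```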

Desktop Two Factor Login

The Desktop 2FA component of the PortalGuard Desktop is implemented as a Microsoft Credential Provider module. It enforces 2FA when the user logs into their Windows workstation. It can also be installed on the Windows Server operating system to enforce 2FA login for Terminal Services or Citrix logins.

The user enters their Active Directory domain username and password as usual at the Windows logon screen. These credentials are sent to the PortalGuard web server via HTTPS for validation. If the user’s PortalGuard security policy is configured to require 2FA for Desktop login, then the user receives a prompt to enter an OTP. The PortalGuard server will automatically generate and send the user an OTP if the user’s phone is the default mechanism.

Once the user enters the correct OTP, their Windows session begins.

Credibility-Based Authentication

This feature is comprised of browser add-ins that run in the context of the web browser on the workstation. Each time the browser is launched, the toolbar loads in the background as well. It has no user interface or graphical component.

The toolbar queries the workstation to determine information about the current user, machine, network and devices.Here are some of the attributes that are queried:

  • Operating system
  • Current time and time zone
  • Machine host name
  • Active Directory domain
  • Windows username
  • User Security Identifier (SID)
  • Hard drive model and serial numbers
  • Network interface cards (NICs) with MAC and IP addresses
  • User’s geo-location/GPS coordinates
  • Wireless network SSID, authentication and encryption levels (if applicable)

These attributes are formatted into XML, encoded and stored as session-based cookies that will only be sent to the PortalGuard server. Each time the user accesses a PortalGuard server through the web browser, this cookie is sent with the HTTP request, and PortalGuard gains a much richer set of information about the user on which to gauge their level of credibility. Client devices with this software installed are referred to as “Managed” devices.
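As an added example (not PortalGuard's code, cookie name or schema), this Python shows the round trip described above: the toolbar wraps a few of the queried attributes in XML, base64-encodes them into a session cookie scoped to the PortalGuard host, and the server decodes the cookie defensively and compares the self-reported identity attributes against its enrolled record for that managed device before deciding whether to demand stronger authentication. The cookie name, host name and the attribute values are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

COOKIE_NAME = "PGClientInfo"   # hypothetical cookie name
MAX_COOKIE_BYTES = 4000        # browsers cap a single cookie at roughly 4 KB


def attributes_to_cookie(attrs, sso_host):
    """Toolbar side: XML-wrap the attributes, base64-encode, and emit a session cookie
    (no Expires/Max-Age) that the browser sends only to the PortalGuard host."""
    root = ET.Element("client")
    for name, value in attrs.items():
        ET.SubElement(root, name).text = str(value)
    payload = base64.b64encode(ET.tostring(root)).decode()
    if len(payload) > MAX_COOKIE_BYTES:
        raise ValueError("client attributes exceed cookie size limit")
    return f"{COOKIE_NAME}={payload}; Domain={sso_host}; Path=/; Secure; HttpOnly"


def parse_client_info(cookie_value):
    """Server side: decode defensively; anything malformed counts as 'no information'."""
    try:
        xml_bytes = base64.b64decode(cookie_value, validate=True)
        root = ET.fromstring(xml_bytes)   # prefer defusedxml for untrusted input in production
    except (binascii.Error, ValueError, ET.ParseError):
        return None
    if root.tag != "client":
        return None
    return {child.tag: (child.text or "") for child in root}


def required_auth_level(info, managed_devices):
    """'standard' for a known managed device whose identity attributes still match,
    'step_up' (a more stringent method) for unmanaged, unknown or changed devices."""
    if not info:
        return "step_up"
    enrolled = managed_devices.get(info.get("hostname"))
    if enrolled is None:
        return "step_up"
    for field in ("domain", "sid", "hdd_serial", "mac"):
        if info.get(field) != enrolled.get(field):
            return "step_up"
    return "standard"
```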

Requirements

The following requirements are common for all features available in the PortalGuard Desktop component:

  • Windows XP, Vista, or Windows 7 operating system (32 or 64-bit)
  • The .NET Framework 2.0 or later must be installed on the machine
  • Installation must be performed by an administrator
  • A PortalGuard server must be running on your network and reachable by the client workstation. The server architecture (32-bit or 64-bit) does not need to match that of the client.

For Workstation-based Challenge Enrollment & Recovery

  • On Windows XP, you must use the standard Microsoft GINA

For Desktop Two Factor Login

  • Windows XP is not supported, only Windows 7 and later
  • The workstation must have HTTPS connectivity to the PortalGuard server. Offline login is not currently supported.
  • Resending generated OTPs is not currently supported.

For PassiveKey and Credibility-Based Authentication

Supported web browsers are:

  • Microsoft Internet Explorer 8.0 or later (32-bit only)
  • Mozilla Firefox version 18 or later
  • Google Chrome version 19 or later