WebFort cuts cost of security
Whether your agency operates a World Wide Web site, extranet or intranet,
chances are you post, or want to post, potentially sensitive data.
Unfortunately, traditional methods of controlling access are no longer
sufficient. For example, user names and passwords (single-factor authentication)
are easily shared, cracked or stolen. Most two-factor authentication systems
reduce break-in risk by employing a hardware token (such as a smart card)
and something only the user should know (like a personal identification
number). But this approach is expensive — about $50 per user — and somewhat
inconvenient, since authorized people must carry and safeguard their cards.
Arcot Systems Inc.'s WebFort 2.0 software offers the security of a storage
smart card while overcoming the disadvantages of competing digital certificate
methods. As a result, WebFort reduces the cost and complexity of protecting
sites exposed to a large number of users while maintaining strong authentication.
WebFort, which employs public-key in-frastructure (PKI), includes a
number of server components and a browser plug-in. The server software runs
on Microsoft Corp.'s Windows NT and Sun Microsystem Inc.'s Solaris — and
interfaces with both Netscape Communications Corp.'s and Micro-soft's Web
servers. Supported clients include Windows 9x, Windows NT 4.0, Solaris,
Mac OS8 and Linux. Little time and effort should be required to secure your
existing client/server and legacy applications.
In concept, WebFort generates an electronic token — the ArcotCard — which stores a user's private key, and an X.509 Version 3 digital certificate;
the second part of the system's two-factor authentication is a personal
identification number (PIN).
WebFort can be integrated with certificate authority products such as
Microsoft's Certificate Server 1.x and VeriSign Inc.'s OnSite 4.0, as well
as any of the databases on the market that are compliant with the open database
Yet WebFort differs from standard public-key encryption techniques by
employing what the company calls Cryptographic Camouflage. It works like
this: If a hacker manages to crack the key container, instead of finding
the user's private key he or she will find multiple plausible private keys.
The hacker won't know which private key is the correct one without actually
trying them on the authentication server. Unless the hacker gets very lucky
and chooses the correct key on the first try, the authentication server
will notice multiple authentication failures and will suspend access.
Experienced system administrators should have little trouble setting
up WebFort in less than a day. For smaller installations, the Authentication
Server application runs on your main server hardware — and protects Web
content in two basic ways. First, it allows you to secure specific URLs
and directories through a simple computer graphics interface to the Web
server. Alternately, you might replace the log-in to a Web application with
a new page that interfaces with WebFort. The company says that this can
usually be accomplished in one or two days.
Other components include the WebFort Personalization Station, which
runs on any workstation and allows security administrators to create ArcotCards,
and the WebFort Card Server module, which permits users to register their
ArcotCards and lets mobile users retrieve their ArcotCards at different
The same concepts work for large-scale deployments by adding one additional
piece — the WebFort Proxy Server. It lets you distribute multiple authentication
and card servers at different points in your network for load balancing.
This is a fairly simple step because the extra servers don't have to be
configured with user names or credentials. What's more, this scenario helps
ensure around-the-clock operation; if you have a hardware problem with any
system running Authentication Server, WebFort automatically switches over
to an alternate server.
In practice, WebFort performed flawlessly. I used the Personalization
Station's browser interface to quickly issue, revoke and replace ArcotCards.
To access a protected site, users first download and install the browser
plug-in, which takes about one minute over a 56 kilobits/sec modem connection.
(The plug-in works on Windows, Macintosh, Linux and Solaris platforms.)
Next, the person picks up an electronic access card, using an identifier
created by the administrator, and selects a PIN. If someone wants to use
their card at a different PC, they can create four personal questions and
With the one-time card setup done, gaining access to a WebFort-protected
site is much like typical user name and password procedures for a PC or
using an automatic teller machine. In fact, WebFort's end user interface
simulates the action of inserting a card in an ATM, which then asks for
When I wanted to access a site from a laptop that didn't have my ArcotCard,
the Card Server first challenged me with two of the four questions I'd created
earlier. After answering correctly, the system let me download my credentials
to the roaming system. However, I still needed my PIN to actually gain access
to the secure Web. As such, it should be very hard for someone to masquerade
as a legitimate user.
In short, WebFort provides a strong authentication solution to protect
Web content and applications that must be accessed by a large number of
users. The system does a fine job of balancing your security requirements
with user demands for simplicity.
—Heck (firstname.lastname@example.org) is an Infoworld contributing editor and manager
of electronic promotions at Unisys Corp. in Blue Bell, Pa.