This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners: Simply the best."
REVIEWED BY MIKE CHAPPLE
Price: $259.99 for a 128MB device
MXI Security's Stealth MXP token combines three-factor remote authentication with two-factor portable encrypted storage in a single device.
Authentication to remote services using the device depends upon three factors: something you have (the token), something you know (a password) and something you are (your fingerprint). Accessing the device's encrypted storage combines biometric and password authentication. Combining these technologies reduces the cost and management burden of strong security and means one fewer security device for users to carry in their pockets.
Policy Control: C
The device's policy control is limited to the administrator's ability to assign users to individual private storage partitions and resize those partitions. We gave the device a lower grade here because it doesn't provide a native key escrow/backup solution (MXI suggests that you create your own using their SDK), and the use of symmetric cryptography prevents users from sharing encrypted files.
Secure MXP provides a simple configuration process for managing users, authentication mechanisms (fingerprints and passwords) and partitions, but we had difficulty with the biometric enrollment process. Initial configuration requires installing a management interface on the connected system and setting credentials for an administrator. The device then allows you to enroll multiple fingerprints for each user. In our evaluation, the biometric enrollment process required three attempts before the device functioned properly.
The biometric authentication works well. Although our initial "successful" enrollment produced abysmal results, with a false rejection rate of approximately 90 percent, the re-enrollment gave us a false rejection rate of 10 percent with no false acceptances.
Onboard storage is easy to use, supporting up to five users, each with their own private partition. After authenticating, users may access the storage in the same manner as a standard USB drive. Data is protected with 256-bit AES encryption.
Stealth MXP's size poses a barrier to adoption. The unit measures a bulky four inches long, one inch wide and a half-inch high. While it's certainly portable, users familiar with keychain authentication devices will find it rather hefty for something you carry in your pocket. Additionally, the mechanism used to retract and extend the USB connector is difficult to use, requiring a greater degree of force to operate than you would expect.
Stealth MXP integrates with authentication infrastructures through Microsoft's CAPI and MXI's SDK. We used the device to access two demonstration sites hosted by MXI and preconfigured to work with Stealth MXP--a custom Web application and a Citrix server. In both cases, authentication was seamless after we unlocked the device using a fingerprint.
However, it is important to note that the device does not ship with built-in support for remote authentication. Enabling this capability requires development work, making it impractical for small deployments.
For example, if you wish to use Stealth MXP to authenticate users to your enterprise identity management system, you'll need to build an interface to bridge the gap between the device and your existing infrastructure.
Stealth MXP offers strong three-factor authentication in conjunction with encrypted storage to solve two major security problems in one package. However, the development work required to get authentication services running limits it to enterprise-level deployments.
Testing methodology: We tested a 128 MB Stealth MXP device connected to a standard Windows XP productivity workstation, using two Web-based sample applications provided by MXI Security. Our testing included the remote authentication and encrypted storage capabilities of the device.
This was first published in October 2006