TriCipher Armored Credential System v3.1.1
Price: Base price is $250,000 for 25,000 users and includes three appliances, management tools and APIs
Authentication systems are increasingly under attack, and organizations are scrambling
TACS is intended for organizations that need a highly available product to quickly authenticate thousands of users -- and it's priced accordingly. Its implementation features a three-appliance mirrored configuration and includes several APIs that can be used to expand functionality (e.g., using TACS as a secure vault for sensitive information). TriCipher claims TACS can handle up to 5 million users and 450,000 authentications per hour.
Each credential is split in two: one half is stored on the TACS appliance (rated FIPS 140-1 Level 2) and the other half is held by the user. Authenticating requires combining both halves, so an attacker who compromises either store alone does not obtain a usable credential, and there is no password file for an attacker to steal.
The user's half can be derived in several ways, from one to three factors: a password alone, a password plus a key stored on the computer, or a key held on a smart card, USB memory stick or other flash-memory device. This flexibility lets security managers issue credentials of different strengths to different classes of user.
Credentials based on a password alone, or on browser-based two-factor authentication (an encrypted browser cookie or a browser certificate), require nothing to be installed on the client. The remaining two- and three-factor credential types require client software.
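The split-credential idea above is easiest to see in code. The following is an added illustration, not TriCipher's implementation and not code from the review: it assumes a two-party RSA construction in which the private exponent is split additively, the appliance keeps one share, and the user re-derives the other share from a password (optionally mixed with a device-held key) on every login. The primes, password, device key and challenge are all constructed for the example; the function names are our own.

```python
"""Illustrative split-credential authentication (two-party RSA signing).

Constructed example, not TriCipher's design: the server keeps one additive
share of an RSA private exponent, the user re-derives the other share from a
password (optionally mixed with a device-held key). Neither side holds the
full key after enrollment, and the server stores no password verifier.
Requires Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import math
import os
from dataclasses import dataclass

# Toy RSA parameters, constructed for this example. Real systems use
# 2048-bit or larger keys and proper signature padding.
P, Q = 104729, 104723                                     # two small primes
N = P * Q
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)      # Carmichael lambda(N)
E = 65537                                                 # public exponent
KDF_ITERATIONS = 100_000


@dataclass
class ServerRecord:
    """What the appliance stores per user: the salt and its own share only."""
    salt: bytes
    d_server: int


def derive_user_share(password: str, salt: bytes, device_key: bytes = b"") -> int:
    """The user's half, recomputed at each login from the password and, for the
    stronger credential types, a key held on the computer or a hardware token."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode() + device_key,
                              salt, KDF_ITERATIONS)
    return int.from_bytes(raw, "big") % LAMBDA


def enroll(password: str, device_key: bytes = b"") -> ServerRecord:
    """Compute the full private exponent once, split it, and keep only the
    server share. The full exponent and the user share are discarded."""
    d_full = pow(E, -1, LAMBDA)
    salt = os.urandom(16)
    d_user = derive_user_share(password, salt, device_key)
    d_server = (d_full - d_user) % LAMBDA
    return ServerRecord(salt=salt, d_server=d_server)


def challenge_to_int(challenge: bytes) -> int:
    """Hash the challenge and reduce it into the RSA group (demo-only encoding)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def user_partial_signature(password: str, salt: bytes, challenge: bytes,
                           device_key: bytes = b"") -> int:
    """Client side: m^(d_user) mod N, computed from the re-derived share."""
    return pow(challenge_to_int(challenge),
               derive_user_share(password, salt, device_key), N)


def server_partial_signature(record: ServerRecord, challenge: bytes) -> int:
    """Appliance side: m^(d_server) mod N, using only its stored share."""
    return pow(challenge_to_int(challenge), record.d_server, N)


def combine(s_user: int, s_server: int) -> int:
    # m^(d_user) * m^(d_server) = m^(d_user + d_server) = m^(d_full)  (mod N)
    return (s_user * s_server) % N


def verify(challenge: bytes, signature: int) -> bool:
    """Anyone holding the public key (E, N) can check the combined signature."""
    return pow(signature, E, N) == challenge_to_int(challenge)


def authenticate(password: str, record: ServerRecord, challenge: bytes,
                 device_key: bytes = b"") -> bool:
    """Full login: both halves contribute, then the result is verified."""
    s_user = user_partial_signature(password, record.salt, challenge, device_key)
    s_server = server_partial_signature(record, challenge)
    return verify(challenge, combine(s_user, s_server))


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")       # constructed password
    nonce = os.urandom(32)                             # per-login challenge
    print("good password:     ", authenticate("correct horse battery staple", rec, nonce))
    print("bad password:      ", authenticate("wrong", rec, nonce))
    print("server share alone:", verify(nonce, server_partial_signature(rec, nonce)))
```

Two properties of this construction are worth noting. Neither the appliance's share nor the user's share verifies on its own, and a stolen server database contains no hash that can be replayed as a credential. On the other hand, whoever obtains the server share together with the public key can test password guesses offline by re-deriving candidate user shares, which is why the server-side half belongs in tamper-resistant hardware and why the stronger credential types mix in a key the attacker must also steal from the computer or token.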
To upload large numbers of users, TACS can be synchronized with an LDAP server, or a batch user import file can be used.
Administrators can assign granular privileges to specific roles. For example, a security manager can review user accounts, but a systems manager cannot. The tool used to configure and manage TACS is solid, but lacks a user dropdown list and a help menu. TriCipher also provides a tool for generating and managing certificates.
Following TriCipher's thorough documentation, we were able to create, issue, modify and revoke different types of authentication credentials for multiple users. We were also able to establish rules that limited the use of credentials to a single computer and allowed users to roam to other computers with their credentials.
TACS produces detailed logs, which can be exported to a syslog server. Backups can be performed to the built-in tape drive or sent to another device via SFTP.
Reporting could be better. The general report is cryptic, and generating it makes the TACS unreachable for up to 10 minutes, a notable outage for a product sold on high availability. The user reporting tool provides only limited information. We'd like to see more detailed reports on significant system events and user actions.
These limitations notwithstanding, TACS offers a clever, robust solution for securely authenticating large numbers of users. It's not cheap, but it's a viable tool for enterprises that need to manage complex authentication requirements efficiently.
This product review originally appeared in the January 2006 issue of Information Security magazine.