Austin, TX -- December 08, 2021 -- Access Smart hired Secure Network Technologies, Inc. (SNT) to assess the security of our Power LogOn Government COA (Certificate-based Offline Authentication) application with a commercial PKI or government issued (CAC, PIV, CIV, etc.) smartcard without requiring any network connectivity at enrollment and user workstations.
Power LogOn Government COA consists of Windows Enrollment Station software for enrolling and managing an existing digital certificate logon credentials, and User Station authentication software to validate the user’s issued credential using true MFA before granting access to any offline workstation. All this is accomplished without any modification to the credential (FIPS 201 compliant), no backend workstation modifications, and is fully operational within a couple of hours.
SNT testing consisted of digital forensics and hacking tools to attempt to bypass the Power LogOn security, and to verify that credential data are not stored in plain text. There main focus was on insuring that both the smart card and the software cannot be compromised.
SNT focused on 5 major non-Administrator vulnerabilities:
- No Storage of Unsecured Sensitive Data (e.g., credentials)
- No transmission of Unsecured Sensitive Data (e.g., credentials)
- No Security Bypass (e.g., evade controls)
- No Disabling of Controls (e.g., tamper with application)
- Enforcement of Policies (e.g., disable card access after logon failures)
SNT found that both applications function as expected. No efforts to bypass any functionality by a non-administrator user were successful.
The examination of memory and whole disk drives with forensic tools found no instance of credential pairs (username/password) in either memory or disk.
“It is SNT’s conclusion that the Power LogOn applications operate securely and introduce no vulnerabilities that could be exploited to bypass its security functions,” Robert Clary, Secure Network Technologies, Inc. “Power LogOn Government COA had a positive score of five out of five on all of the criteria. Even with our best efforts to hack using various approaches, Power LogOn did not display any weaknesses.”
About Secure Network Technologies, Inc:
Secure Network Technologies, Inc is a full-service information security consulting firm based out of Syracuse, NY. Secure Network offers the widest range of security and investigative services with a large client base both domestically and internationally. Since 1997, Secure Network has been one of the largest growing and highly publicized security firms in the United States, with research and articles featured in powerhouses such as Dark Reading, The Wall Street Journal, Tripwire Magazine, among others. For more information about SNT, please visit https://www.securenetworkinc.com/
About CardLogix Inc:
Headquartered in Irvine, CA, CardLogix is the expert in secure credentials, biometric enrollment, validation and verification with physical and logical access. CardLogix is a reseller of the Access Smart (Power logOn) solution for Multi-Factor Authentication (MFA) logins on employees, IT administrators and business owners. www.cardlogix.com
About Access Smart, LLC:
Headquartered in Austin, TX, Access Smart, LLC removes the burden and cost of Multi-Factor Authentication (MFA) logins on employees, IT administrators and business owners. Dedicated to empowering businesses and government agencies to securely regain control over cyber access control with Identity, Credential, and Access Management (ICAM), Access Smart offers unique, high-quality, integrated hardware and software packages that securely manages password and certificate authentication. For more information about Access Smart, please visit www.access-smart.com.
16 Hughes Street, Suite C100, Irvine CA 92618