MatchLogon Workstation
MatchLogon GINA
Authentication Technologies Supported
Available Authentication Scenarios
Authentication procedure
Typical Logon Process
Automatic Lock PC
Credential Caching
Logo Customization
MatchLogon GINA
The Graphical Identification and Authentication (GINA) DLL is the component of the Windows 2000/XP/2003 Server™ operating system that prompts the user for a username, domain and password during logon. MatchLogon replaces this DLL with one that extends its functionality to call a selected, pluggable BSP module. The same Microsoft secure attention sequence that invokes the standard GINA DLL (Ctrl-Alt-Del) also invokes the MatchLogon-provided GINA DLL. MatchLogon GINA communicates with the user, the authentication hardware and the MatchLogon Server to perform the authentication procedure.
Authentication Technologies Supported
MatchLogon GINA supports, out of the box, any of the following authentication technologies:
- Static biometrics (Finger, Face, Iris, etc)
- Dynamic biometrics (Keyboard or Mouse signature, Handwriting, etc)
- RFID cards (HID, Mifare, etc)
- GSM SIM card (Cell phone, Smart phone, etc)
- USB tokens or Smartcards (Aladdin eToken, Rainbow iKey, etc)
- Template on board (Flash drive, contactless card, etc)
- Memoryless cards and tokens (Dallas iButton)
- Single- and multi-factor authentication
- Any combination of authentication technologies
MatchLogon can work with any hardware device or authentication technology for which a BSP module is available, and new hardware can be plugged in at any time without reinstalling the MatchLogon software. The diagram below illustrates the range of authentication technologies and hardware devices that MatchLogon supports out of the box.
Available Authentication Scenarios
The MatchLogon Workstation supports all of the following authentication scenarios:
- Standalone PC
- Networked PC
- Cached logon
- Windows Terminal Server
- Citrix® Metaframe®, NFuse® session
- Windows XP Remote Desktop
- Dial-up/GPRS/VPN/RADIUS session
- Cross-domain authentication (trusted domains)
- Launching applications via the "Run As" command
Authentication procedure
During logon the user need not memorize a series of ever-changing passwords. With MatchLogon the user enters a username and then presents an authenticator through a biometric or non-biometric authentication technology. Depending on which pluggable BSP module has been installed and selected, the presented authenticator is compared against the previously enrolled authenticator stored on the MatchLogon Server, and the user is either accepted or rejected.
Users whose identification record is already enrolled in the MatchLogon Server database (Active Directory) need only enter their user name and present their authenticator. MatchLogon then transparently supplies the user's "hidden", encrypted Windows password to the Windows security system to complete the logon. Note that the Windows password still exists and is still what completes the logon; MatchLogon removes the need for the user to know or type it, so the protection of the stored passwords on the server and of the channel to the workstation is part of the trust boundary. This reduces password-maintenance cost by avoiding help-desk calls for password-related problems, and a password the user never sees cannot be shared, written down or phished from him.
Typical Logon Process
This section describes the typical logon process on the network:
- The user presses Ctrl-Alt-Del, enters the user name and domain name, and selects the authentication method to be used (one of the biometric or non-biometric hardware devices installed on the computer).
- MatchLogon GINA loads the corresponding BSP module and challenges the user for the authenticator. The authenticator is captured, encrypted and sent to the MatchLogon Server together with the user and domain names. If the user chose the password method instead, MatchLogon GINA captures the password and passes it to the WINLOGON process for normal validation by the Windows security system.
- The MatchLogon Server retrieves the user's enrolled authenticator from the Active Directory database and decrypts it. The server then decrypts the authenticator presented by the user and loads the corresponding BSP module to compare the two. If they match, the user's password (also retrieved from Active Directory and decrypted) is encrypted and returned to MatchLogon GINA; if they do not match, the user is rejected and no password is returned.
- MatchLogon GINA decrypts the password and passes the user name and password to the WINLOGON process, which completes a normal password-based Windows logon. The user is then logged onto his desktop and connected to the domain.
Automatic Lock PC
MatchLogon GINA provides a secure screensaver capability for Windows 2000/XP/2003 Server™ that locks the keyboard and hides the desktop when a user leaves his desk. On return, the user presents his authenticator to unlock the workstation. The screensaver can be invoked manually through a key sequence or by a configurable timeout. To use the secure screensaver feature, users must configure their screen savers to be "Password Protected".
Users can also lock a workstation manually, independent of the screensaver timeout, through the standard Windows 2000/XP/2003 Server™ lock function.
In addition, when a smartcard, USB token or flash drive is used, the Windows session is locked automatically as soon as the device is removed. The user therefore does not have to remember to lock or log off before leaving his desk, and an unattended session is not left open after the device has gone with him.
Credential Caching
Credential caching is the mechanism that allows a user who is disconnected from the network to log on with domain credentials anyway. When credential caching is enabled, MatchLogon stores the user's authenticators locally; during a disconnected logon they are retrieved and verified locally. MatchLogon's authenticator caching closely resembles the built-in Windows cached-logon behaviour for password-based logon while detached from the network.
Only the network administrator can enable caching for a particular computer (for example, a laptop). MatchLogon limits the client-side risk by storing cached authenticators in digitally signed and encrypted form, using the Microsoft Data Protection API (DPAPI) and Microsoft CryptoAPI.
Once the administrator disables the caching option for a particular computer, all data cached on that PC is removed, regardless of the user's wishes.
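The Typical Logon Process steps and the Credential Caching behaviour described above, modelled as an added Python example that is not part of the original page and not MatchLogon's own code. The GINA seals the captured authenticator and sends it with the user name; the server unseals both the presented and the enrolled authenticator, hands them to the selected BSP matcher, and releases the sealed Windows password only on a match; when disconnected, the GINA instead checks its own sealed, integrity-protected cache, and disabling the cache wipes it. The toy cipher (SHAKE-256 keystream with an HMAC-SHA256 tag), the two BSP matchers, the pre-shared GINA-to-server channel key, the JSON cache record and the sample template are all assumptions standing in for whatever the real product does with DPAPI and CryptoAPI.

```python
# Constructed model of the logon exchange and cached logon described above, not MatchLogon's own
# code: the toy cipher, BSP matchers, pre-shared channel key and cache format are all stand-ins.
import hashlib, hmac, json, os

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC stand-in: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on tampering or a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("sealed blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

# Pluggable BSP matchers: each compares a presented authenticator with the enrolled one.
def bsp_token(enrolled: bytes, presented: bytes) -> bool:
    """Memoryless token / card serial: exact, constant-time comparison."""
    return hmac.compare_digest(enrolled, presented)

def bsp_finger(enrolled: bytes, presented: bytes, threshold: float = 0.9) -> bool:
    """Static-biometric stand-in: the share of matching template bytes must reach the threshold."""
    if not enrolled or len(enrolled) != len(presented):
        return False
    return sum(a == b for a, b in zip(enrolled, presented)) / len(enrolled) >= threshold

BSPS = {"token": bsp_token, "finger": bsp_finger}

class MatchLogonServer:
    """Directory-backed store: per user, the sealed enrolled authenticator and sealed password."""
    def __init__(self):
        self.store_key = os.urandom(32)  # stand-in for the server's storage protection key
        self.link_key = os.urandom(32)   # assumed pre-shared GINA <-> server channel key
        self.directory = {}

    def enroll(self, user: str, bsp: str, authenticator: bytes, password: str):
        self.directory[user] = {"bsp": bsp, "auth": seal(self.store_key, authenticator),
                                "pwd": seal(self.store_key, password.encode())}

    def authenticate(self, user: str, bsp: str, sealed_presented: bytes):
        """Return the user's sealed Windows password on a match, None otherwise."""
        rec = self.directory.get(user)
        if rec is None or rec["bsp"] != bsp:
            return None
        enrolled = unseal(self.store_key, rec["auth"])
        if not BSPS[bsp](enrolled, unseal(self.link_key, sealed_presented)):
            return None  # mismatch: nothing is released to the client
        return seal(self.link_key, unseal(self.store_key, rec["pwd"]))

class MatchLogonGina:
    """Client side: asks the server when online, its own sealed cache when disconnected."""
    def __init__(self, server: MatchLogonServer, cache_enabled: bool = False):
        self.server, self.cache_enabled, self.cache = server, cache_enabled, {}
        self.cache_key = os.urandom(32)  # stand-in for a DPAPI-protected machine key

    def set_cache(self, enabled: bool):
        """Administrator switch: disabling caching wipes everything cached on this PC."""
        self.cache_enabled = enabled
        if not enabled:
            self.cache.clear()

    def logon(self, user: str, bsp: str, authenticator: bytes, online: bool = True):
        """Return the (user, password) pair handed to WINLOGON, or None if the logon fails."""
        if online:
            sealed = self.server.authenticate(user, bsp, seal(self.server.link_key, authenticator))
            if sealed is None:
                return None
            password = unseal(self.server.link_key, sealed).decode()
            if self.cache_enabled:  # keep a sealed copy of the accepted sample for offline use
                rec = json.dumps({"bsp": bsp, "auth": authenticator.hex(), "pwd": password})
                self.cache[user] = seal(self.cache_key, rec.encode())
            return user, password
        if not self.cache_enabled or user not in self.cache:
            return None
        try:
            rec = json.loads(unseal(self.cache_key, self.cache[user]))
        except ValueError:
            return None  # a tampered cache entry is rejected, not used
        if rec["bsp"] != bsp or not BSPS[bsp](bytes.fromhex(rec["auth"]), authenticator):
            return None
        return user, rec["pwd"]

def demo() -> dict:
    """Online match, rejected sample, wrong BSP, cached logon, tampered cache, cache disabled."""
    server, template = MatchLogonServer(), bytes(range(40))  # constructed fingerprint template
    gina = MatchLogonGina(server, cache_enabled=True)
    server.enroll("alice", "finger", template, "Hidden-Password-1!")
    server.enroll("bob", "token", b"\x01\x02\x03\x04", "Tok3n-Pass")
    noisy = bytes(b ^ 0xFF if i in (3, 17) else b for i, b in enumerate(template))  # 38/40 match
    bad = bytes(b ^ 0xFF if i % 4 == 0 else b for i, b in enumerate(template))      # 30/40 match
    r = {"alice_online": gina.logon("alice", "finger", noisy),
         "alice_bad": gina.logon("alice", "finger", bad),
         "bob_wrong_bsp": gina.logon("bob", "finger", b"\x01\x02\x03\x04"),
         "bob_token": gina.logon("bob", "token", b"\x01\x02\x03\x04"),
         "alice_offline": gina.logon("alice", "finger", noisy, online=False)}
    gina.cache["alice"] = bytes(b ^ (i == 20) for i, b in enumerate(gina.cache["alice"]))  # flip a bit
    r["alice_offline_tampered"] = gina.logon("alice", "finger", noisy, online=False)
    gina.set_cache(False)  # administrator disables caching: the cache is wiped
    r["alice_offline_after_disable"] = gina.logon("alice", "finger", noisy, online=False)
    return r
```

Running `demo()` makes two things visible that the prose only implies: the server holds a reversibly encrypted copy of every enrolled user's Windows password and hands it to any client that presents a matching authenticator over the channel, so the server's store key and the GINA-to-server channel key are what actually protect the domain credential; and both the server path and the cached path fail closed, returning nothing on a non-matching sample, a wrong BSP, a tampered cache blob, or a wiped cache.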
Logo Customization
The logo displayed on the MatchLogon (GINA) logon screen can be customized: customers can replace the default logo with their corporate logo or another picture.
MatchLogon also provides a group policy setting that controls which logo is displayed, which can be used to switch logos quickly before a holiday or special event.