1. What are the key elements of the M4S solution?
The M4S solution is made up of four primary elements:
M4S Personal Smart Key (PSK) – A self-contained, AES 256 encrypted, multi-function USB type device containing a biometric fingerprint reader, microprocessors, M4S firmware and secured memory.
M4S Authentication Gateway (AG) – An AES 256 encrypted authentication server that interfaces at the operating-system layer of the IT technology stack and securely manages the communication between all the end points.
M4S Secure-Sync Channel (SSC) – A multi-layer, AES 256 hyper-encrypted channel that is established between the AG and PSK to protect all communications from malware, man-in-the-middle, man-in-the-browser or other types of attacks.
M4S Management Center (MC) – A secure centralized platform for administering all the functions of the M4S solution. The consoles are separated by roles and permissions for each administrator to safeguard against human error.
2. Does the M4S solution support Legacy, Cloud and/or Virtual environments?
The M4S solution seamlessly interfaces with Legacy, Cloud and Virtual environments without having to redeploy or reconfigure the M4S solution. M4S meets virtualized security needs with the ability to provision and manage applications like virtual desktops, GINA/CP logon security, VPN, SSO, etc. In addition, the M4S communication channel (Secure Sync Channel) provides a unique capability to implement an end-to-end chain of trust throughout the entire communication transaction. The M4S Secure Sync Channel provides the confidence organizations need to securely migrate from Legacy environments to virtualization and the cloud.
3. Does M4S provide Single Sign On or Enterprise Single Sign On capabilities?
M4S meets and exceeds the requirements called for in Gartner’s definition of Enterprise Single Sign On. Starting with the inclusion/exclusion criteria:
- Enable users to sign-in once and automatically be signed into secondary applications without requiring a second identification and authentication action
- Supports target applications that require Windows (thick client), terminal emulator and Web client interfaces
- All components are manufactured by the vendor
- Does not have password synchronization without SSO and does not provide Web SSO only
- Does not require bundling the vendor’s authentication technologies only, and supports various authentication methods (for example, OTP tokens, biometric methods and smart cards) from multiple third-party vendors
4. What operating systems are supported by M4S?
Currently, M4S supports the following operating environments:
- 32- and 64-bit on Windows XP through Windows 7/Server 2008R2
- Linux x86/x86-64 (kernel 2.6.x)
- Mac OS X 10.5 and newer
5. How complex and disruptive is it to deploy the M4S solution?
It can take less than 4 hours to deploy the M4S solution. M4S Authentication Gateway Server (software only) seamlessly interfaces with existing directory services and federation mechanisms and requires ZERO disruption to existing IT security schemas. Administration and provisioning wizards make distribution of the M4S Personal Smart Keys (PSK) simple, fast and secure.
6. Do I need to use a Username, Password, or PIN to use the M4S solution?
The M4S solution eliminates the need for users to have to manage any access credentials. This elevates a company’s security posture, reduces costs and provides new levels of user protection and convenience.
7. How would eliminating usernames, passwords and PINs with M4S increase security and save money?
The typical employee manages 6 to 12 passwords and can usually only recall three or four from memory. According to industry research, a typical user spends 44 hours a year logging on with usernames and passwords to at least four applications a day. When you combine the time users spend recalling and entering usernames and passwords with the fact that up to 70% of help-desk calls are password-related – you can understand why the average company spends US$300-$500 per user, per year on password-related issues.
The bottom line – eliminating the need for users to manage usernames and passwords increases security, makes employees more productive and enables IT personnel to focus on projects to make the company more efficient and profitable. The M4S solution reduces user frustrations, simplifies administrative functions, lowers calls to Help Desks and provides complete non-repudiation for each and every transaction.
8. Does the M4S solution protect from keystroke logging and malware?
The M4S solution does not use keystroke emulation for any part of the authentication process. The entire authentication process is managed through a multi-level encrypted verification process that is controlled by the AG. With the M4S solution the need for the user to manage access credentials (passwords, PINs, etc.) is completely eliminated.
9. Does the M4S solution require loading drivers or software onto the host device?
M4S does not require any footprint on the endpoint device whether it’s a PC, laptop, PDA or Smart Phone. The M4S Personal Smart Key (PSK) onboard processors and firmware deliver the functionality needed to operate the PSK and all applications managed on the PSK. Once the transaction with the PSK is complete there is zero trace left on the host device.
10. What will the user experience with their M4S Personal Smart Key (PSK)?
When the user plugs their PSK into the host device they will be presented with a screen to swipe their finger. Upon verification of the user’s fingerprint, the PSK will request authentication from the M4S Authentication Gateway (AG). The AG will generate and send a one-time use, random encrypted challenge to the PSK. Once the AG has verified the challenge response from the PSK the AG will issue the appropriate credentials to the target environment and log the user in to the appropriate application(s). The entire process completes in a matter of seconds.
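The one-time challenge/response step described above, as an added example that is not Me4Sure code and does not reproduce the M4S protocol. It assumes a per-device secret shared at enrolment and uses HMAC-SHA256 over a random nonce in place of the product's undisclosed encrypted challenge; the class names, method names and device id are hypothetical.

```python
import hashlib
import hmac
import secrets


class AuthGateway:
    """Stand-in for the AG: issues one-time challenges and checks responses."""

    def __init__(self):
        self.device_keys = {}  # device id -> secret shared at enrolment (assumed)
        self.pending = {}      # device id -> challenge still awaiting a response

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_challenge(self, device_id):
        nonce = secrets.token_bytes(32)   # fresh and unpredictable per attempt
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        # pop() consumes the challenge, so a response can be accepted only once
        nonce = self.pending.pop(device_id, None)
        key = self.device_keys.get(device_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class SmartKey:
    """Stand-in for the PSK: answers only after a local fingerprint match."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge, fingerprint_ok):
        if not fingerprint_ok:
            return None                   # nothing leaves the device
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def demo():
    ag = AuthGateway()
    psk = SmartKey(ag.enroll("psk-0001"))  # constructed device id
    resp = psk.respond(ag.issue_challenge("psk-0001"), fingerprint_ok=True)
    first = ag.verify("psk-0001", resp)    # legitimate login
    replay = ag.verify("psk-0001", resp)   # same response resent: no pending challenge
    ag.issue_challenge("psk-0001")
    stale = ag.verify("psk-0001", resp)    # old response against a new challenge
    return first, replay, stale
```

`demo()` returns `(True, False, False)`: the captured response is rejected both when resent immediately and when offered against a later challenge.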
11. How do I know the M4S Personal Smart Key (PSK) is secure?
The PSK is a multi-function authentication device containing a biometric fingerprint reader, microprocessors and secured memory. Everything maintained within the device is protected with AES 256 encryption and multiple security validation protocols. The biometric fingerprint data is stored only on the device and that data is never transmitted outside the device. In addition, each device has a unique set of identifiers that can only be interpreted by the M4S Authentication Gateway (AG) that is managed within the client’s IT environment.
12. What if my M4S Personal Smart Key (PSK) is lost or stolen?
If a device is lost or stolen, the system administrator via the M4S Management Center (MC) can remotely issue a retire/delete command via the Administration console that will kill/wipe everything on the PSK, including the biometric data, making it inoperable.
13. Is the data communicated between the PSK and AG secure?
The M4S Secure Sync Channel (SSC) protects all communications between the PSK and AG. The SSC is dedicated to communications among all M4S solution elements and utilizes multiple layers of AES 256 encryption developed by Me4Sure that include unique identifiers, random challenges and hyper encryption to securely manage the entire communication process. The SSC defeats hacking techniques that exploit timing vulnerabilities in communications from endpoint devices as well as man-in-the-middle, man-in-the-browser, key logger and replay attacks.
14. Does the AG or PSK have any backdoors?
Me4Sure went to great lengths during the development portion of the solution to ensure that there are no “back-doors” to any part of the solution. The M4S solution provides our clients with an Identity Assurance and Access Management solution that delivers complete non-repudiation for each and every transaction. This means that every transaction from the instant the environment is deployed is logged and traceable, including all administrative functions and transactions.
15. Can Me4Sure employees see my data?
No, Me4Sure employees do not have access to any user or customer data. All the elements and administrative functions for the M4S are managed by the customer’s IT organization.
16. What if USB Ports have been blocked?
There are a number of secure ways to allow USB devices such as the PSK to operate on USB ports while still blocking those same ports from unsecured devices. Me4Sure works with the client’s security organization to ensure that we follow and adhere to all security policies and requirements.
17. Does M4S address regulations such as HIPAA, Sarbanes-Oxley, FFIEC, etc.?
Yes, the M4S solution meets and/or exceeds compliance regulations such as HIPAA, SOX, FFIEC, etc., and the AG is FIPS 140-2 compliant.
18. Does the AG have tracking and audit capabilities?
Yes, the M4S Management Consoles (MC) on the AG include transaction logs for full tracking/auditing requirements. M4S provides all the elements required for non-repudiation strength protection.