Austin, TX – December 08, 2021 – Access Smart hired Secure Network Technologies, Inc. (SNT) to assess the security of our Power LogOn Government COA (Certificate-based Offline Authentication) application when used with a commercial PKI or government-issued (CAC, PIV, CIV, etc.) smartcard, without requiring any network connectivity at enrollment and user workstations.
Power LogOn Government COA consists of Windows Enrollment Station software for enrolling and managing existing digital certificate logon credentials, and User Station authentication software to validate the user’s issued credential using true MFA before granting access to any offline workstation. All this is accomplished without any modification to the credential (FIPS 201 compliant) and without backend workstation modifications, and the system is fully operational within a couple of hours.
SNT's testing used digital forensics and hacking tools to attempt to bypass the Power LogOn security, and to verify that credential data are not stored in plain text. Their main focus was on ensuring that neither the smart card nor the software can be compromised.
SNT focused on 5 major non-Administrator vulnerabilities:
- No Storage of Unsecured Sensitive Data (e.g., credentials)
- No Transmission of Unsecured Sensitive Data (e.g., credentials)
- No Security Bypass (e.g., evade controls)
- No Disabling of Controls (e.g., tamper with application)
- Enforcement of Policies (e.g., disable card access after logon failures)
Test results: SNT found that both applications function as expected. No efforts to bypass any functionality by a non-administrator user were successful.
The examination of memory and whole disk drives with forensic tools found no instance of credential pairs (username/password) in either memory or disk.
“It is SNT’s conclusion that the Power LogOn applications operate securely and introduce no vulnerabilities that could be exploited to bypass its security functions,” said Robert Clary of Secure Network Technologies, Inc. “Power LogOn Government COA had a positive score of five out of five on all of the criteria. Even with our best efforts to hack using various approaches, Power LogOn did not display any weaknesses.”