The end of passwords: Ensure’s approach, Part 2

Last time, I introduced Ensure Technologies and its XyLoc system for authenticating users without the need for passwords. This time, I’d like to relay the rest of my interview with Ensure CEO Tom Xydis, focusing on how his system works.

Note: This interview should not be construed as an endorsement of the products discussed. I have not personally evaluated the XyLoc system and I have no financial involvement whatsoever with Ensure.

Q: So how does it work?

A: The KeyCard is a small radio transceiver that communicates with a “lock” transceiver attached to the workstation (called the “XyLoc Lock” – it is connected via USB). They talk to each other about once a second. Each KeyCard has a unique identification number that gets rolled into a stream of encrypted signals that are decrypted by the lock. The ID is not a secret; what we do is to authenticate the badge itself as an authentic XyLoc badge. The lock communicates with the XyLoc client software – a service running under the operating system which interfaces to the authentication system. So the lock provides a list of all the badges within range and how far they are; the software can be set to authenticate those within a specific range.

In addition, some of our sites are interested in the proximity information itself even when the employees are not logging on. This is an application that has more to do with accountability, time management and attendance. But 99% of the installations are interested in walk-up-logon/walk-away-logoff security.

I want to stress that in no way do we tamper with the authentication systems of the operating system; we simply interface with its authentication mechanisms.

Q: Tell me about single-sign-on using the XyLoc system.

A: In the healthcare field especially, we’ve added single-sign-on capabilities to our authentication software so we can interface directly with medical applications. So if you’re running a medical application program, you can access your own tools right away. We call this the “secured kiosk” mode, and it’s very useful in the clinical context for shared workstations.

Another interesting application is under Citrix, where doctors can establish a session to connect to a clinical-records package, for example; in this scenario, when the doctor leaves a terminal, the session follows her securely to the next terminal. There’s no logon/logoff; it’s ubiquitous computing: the tools are securely available instantly wherever the authorized user goes.

Q: How much does the system cost?

A: It depends on how big your installation is. The server-only version is XyLoc MD, and it includes single sign-on and secure kiosk. For the largest, it ends up about $150 per seat with an 18% maintenance agreement per year. Smaller installations cost more because of fixed costs. You can buy a single device called the XyLoc Solo (it’s really a demo item) at about $180 plus tax – but that doesn’t have a lot of software; it just locks and unlocks for Windows.