INTEGRATION GUIDE
DIGIPASS Authentication for Citrix Access Essentials 2.0 Web Interface
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
Copyright
Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
Table of Contents
Reference guide
1 Problem Description
2 Solution
3 Technical Concept
   3.1 General overview
   3.2 Citrix prerequisites
   3.3 IDENTIKEY Server Prerequisites
4 DIGIPASS Pack for Citrix
   4.1 Installation
   4.2 DIGIPASS Pack for Citrix configuration
      4.2.1 Quick configuration
      4.2.2 Step by step configuration
   4.3 Environment variable configuration
   4.4 IIS configuration
5 IDENTIKEY Server
   5.1 Policy configuration
   5.2 Back-End configuration
6 User configuration
   6.1 ODBC installation
      6.1.1 User creation
      6.1.2 DIGIPASS Assignment
   6.2 Active Directory installation
      6.2.1 User creation
      6.2.2 Import DIGIPASS
      6.2.3 DIGIPASS assignment
7 Test the Web Interface Login
   7.1 Response Only
   7.2 Challenge / Response
8 IDENTIKEY Server features
   8.1 Installation
      8.1.1 Support for Windows 2003, 2008, IIS6 and IIS7
      8.1.2 Support for ODBC databases and Active Directory
   8.2 Deployment
      8.2.1 Dynamic User Registration (DUR)
      8.2.2 Autolearn Passwords
      8.2.3 Stored Password Proxy
      8.2.4 Authentication Methods
      8.2.5 Policies
      8.2.6 DIGIPASS Self Assign
      8.2.7 DIGIPASS Auto Assign
      8.2.8 Grace Period
      8.2.9 Virtual DIGIPASS
   8.3 Administration
      8.3.1 Active Directory Users and Computers Extensions
      8.3.2 Administration Web Interface
      8.3.3 User Self Management Web Site
      8.3.4 Delegated administration
      8.3.5 Granular access rights
9 About VASCO Data Security
Reference guide
ID    Title    Author    Publisher    Date    ISBN
1 Problem Description
The basic Citrix Access Essentials package still uses static passwords to authenticate a user. As this package assures you a safe environment, the authentication should be safe too.
2 Solution
Figure 1: Solution (diagram showing User, Citrix Access Essentials, IDENTIKEY Server and Domain Controller)
After configuring the Web Interface in the right way, you eliminate the weakest link in any security infrastructure – the use of static passwords – that are easily stolen, guessed, reused or shared.
3 Technical Concept
3.1 General overview
The DIGIPASS Pack for Citrix has to be installed on the machine that has the Web Interface installed for your Citrix installation. For the Access Essentials suite, everything gets installed on the same machine, so it is easy to find the server on which this component is installed.
3.2 Citrix prerequisites
Please make sure you have a working setup of Citrix Access Essentials. It is very important that this is working correctly before you start implementing the DIGIPASS Pack for Citrix.
Figure 2: Citrix prerequisites (1)
Figure 3: Citrix prerequisites (2)
3.3 IDENTIKEY Server Prerequisites
In this guide we assume you already have IDENTIKEY Server 3.2 (IK) installed and working. If this is not the case, make sure you get IK working before installing any other features.
4 DIGIPASS Pack for Citrix
4.1 Installation
You can start the installation from CD. If you didn’t get a CD, you may download the files you need at: http://www.vasco.com/products/identikey/identikey_server/identikey_downloads.aspx
Here you can find the IDENTIKEY Server and the DIGIPASS Authentication for Web, which include the Citrix part. Start the installation of the DIGIPASS Pack for Citrix. Read the license agreement; to continue you have to press the “I agree” button.
Figure 4: Setup - License Agreement
Next, you have to enter your serial number. If you only want to test the installation, then tick the “Use an evaluation license” box and click Next.
Figure 5: Setup – Customer information
Specify the IP address of the Authentication Server of IDENTIKEY Server and click Next.
Figure 6: Setup – Connection details
Next, give an administrator account to create the component in the data store of the authentication server. Click Next to continue.
Figure 7: Setup – Administrator login details
Choose an installation directory. By default “C:\Program Files\VASCO\DIGIPASS Pack for Citrix Web Interface\” is used. Click Next to continue.
Figure 8: Setup – Select directory
The installation process will now start, also adding the IIS extension.
Figure 9: Setup – Installation progress
When the installation has finished, click Next to go on.
Figure 10: Setup – Installation finished
If you need a new license, choose to go to the activation page. Otherwise you can instantly load a file you saved before, or continue without adding a license. If you request a new license from the VASCO website, an input screen will be available to point to your recently downloaded license file. When the installation is finished, it is necessary to restart the operating system.
Figure 11: Setup – Restart required
4.2 DIGIPASS Pack for Citrix configuration
The DIGIPASS Pack for Citrix expects to find a Web Interface installed belonging to the Citrix Access Suite. So we have to change a few settings to let it work with the Web Interface of Citrix Access Essentials. If you know what to change, you can find a quick configuration sheet below. Otherwise you can follow the guide at 5.2.2 Step by step configuration.
4.2.1 Quick configuration
Configuration parameter    Value
Login Submit URL           /CitrixAccess/auth/login.aspx
Failed Login URL           /CitrixAccess/auth/login.aspx?NFuse_MessageType=Error&NFuse_MessageKey=InvalidCredentials
Username field             user
Password field             password
Domain field               domain
4.2.2 Step by step configuration
Open the DIGIPASS Pack for Citrix Web Interface Configuration. On the authentication tab, select the site “Citrix Web Interface 4.x” and click Edit.
Figure 12: DIGIPASS Pack configuration
Here, you can use the configuration table as found in 5.2.1 Quick Configuration to fill in all the necessary fields.
Figure 13: Citrix Web Interface details (1)
Figure 14: Citrix Web Interface details (2)
In the General tab, you can activate Full Tracing. This will enable detailed logging information, assisting you with the troubleshooting and configuration kit.
Figure 15: Enable tracing
To be able to see if everything went well so far, it is best to restart the IIS service. This is most easily done by running the “iisreset” command in the Start - Run menu.
User Rights configuration
To allow the IIS6 module access to the trace file, the Log folder has to be writeable. Right-click the Log folder and select Properties.
Figure 16: Log folder properties
Go to the Security tab and select the Internet Guest Account. Tick the Allow Full Control checkbox. Click Apply when done.
Figure 17: User rights of Internet Guest Account
Select the IIS_WPG account and make sure it has Read and Write access.
Figure 18: User rights of IIS_WPG
Next, go to the Bin folder in the installation directory. Find the file vmextcfg.xml. Right-click it and go to Properties.
Figure 19: Bin folder properties
At the Security tab, give the Internet Guest Account Allow Full Control. Click Apply.
Figure 20: User rights of Internet Guest Account
The IIS_WPG account needs only read access here.
Figure 21: User rights of IIS_WPG
4.3 Environment variable configuration
Right-click My Computer and select Properties. Go to the Advanced tab, and click the Environment Variables button.
Figure 22: Environment Variables
In the system variable list, make sure the IKModuleDirectory variable is present. If the variable is not present, add it and set the value to the installation directory.
Figure 23: List of Environment Variables
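The settings from the User Rights configuration steps and from section 4.3 can be re-checked after a reinstall or upgrade with a read-only script. The following is an added example, not part of the VASCO product or the original guide. It assumes that Log and Bin are subfolders of the installation directory and that the Internet Guest Account is the IIS 6 default local account IUSR_<computername>; the parameter and function names are made up for this example.

```powershell
# Added example (not VASCO code): read-only check of the file permissions from
# "User Rights configuration" and of the IKModuleDirectory variable (section 4.3).
# Assumptions: Log and Bin are subfolders of the installation directory, and the
# Internet Guest Account is the IIS 6 default local account IUSR_<computername>.
param(
    # Optional override; by default the directory is read from IKModuleDirectory.
    [string]$InstallDir
)

$Full      = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Read      = [int][System.Security.AccessControl.FileSystemRights]::Read
$Write     = [int][System.Security.AccessControl.FileSystemRights]::Write
$WriteData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$ReadWrite = $Read -bor $Write
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AllowMask {
    param([string]$Path, [string]$Account)
    # OR together every Allow entry that names the account directly (matched
    # without the DOMAIN\ or MACHINE\ prefix). Rights obtained through other
    # groups are not counted, because the guide sets these entries explicitly.
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id   = $ace.IdentityReference.Value
        $leaf = $id.Substring($id.LastIndexOf('\') + 1)
        # Inherit-only entries apply to children, not to the object itself.
        $skip = (([int]$ace.PropagationFlags) -band $InheritOnly) -ne 0
        if ($leaf -ieq $Account -and $ace.AccessControlType -eq 'Allow' -and -not $skip) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}

# Section 4.3: the variable must exist in the system (machine) variable list.
$envDir = [Environment]::GetEnvironmentVariable('IKModuleDirectory', 'Machine')
if ($envDir) {
    Write-Output "OK    IKModuleDirectory = $envDir"
} else {
    Write-Output 'FAIL  system variable IKModuleDirectory is not set'
}

if (-not $InstallDir) { $InstallDir = $envDir }
if (-not $InstallDir -or -not (Test-Path $InstallDir)) {
    Write-Output 'FAIL  installation directory not found; pass -InstallDir'
    return
}

$guest  = "IUSR_$env:COMPUTERNAME"          # assumed name of the Internet Guest Account
$logDir = Join-Path $InstallDir 'Log'
$cfg    = Join-Path $InstallDir 'Bin\vmextcfg.xml'

# Need  = rights the guide tells you to grant.
# Extra = rights the guide does not grant; reported as a warning if present.
$checks = @(
    @{ Path = $logDir; Account = $guest;    Need = $Full;      Extra = 0;          Label = 'Full Control' },
    @{ Path = $logDir; Account = 'IIS_WPG'; Need = $ReadWrite; Extra = 0;          Label = 'Read and Write' },
    @{ Path = $cfg;    Account = $guest;    Need = $Full;      Extra = 0;          Label = 'Full Control' },
    @{ Path = $cfg;    Account = 'IIS_WPG'; Need = $Read;      Extra = $WriteData; Label = 'Read' }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) {
        Write-Output "FAIL  missing: $($c.Path)"
        continue
    }
    $mask = Get-AllowMask -Path $c.Path -Account $c.Account
    if (($mask -band $c.Need) -ne $c.Need) {
        $state = 'FAIL'
    } elseif (($mask -band $c.Extra) -ne 0) {
        $state = 'WARN'   # more than the guide asks for, e.g. write access on vmextcfg.xml
    } else {
        $state = 'OK  '
    }
    Write-Output ('{0}  {1} needs {2} on {3} (granted mask 0x{4:X})' -f `
        $state, $c.Account, $c.Label, $c.Path, $mask)
}
```

The script only reads ACLs and the environment; it changes nothing, so it can be run before and after the `iisreset` steps to confirm the configuration is still in place.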
4.4 IIS configuration
In the Administration tools, open the IIS Manager. Check the Web Service Extensions for the entry “IK IIS6 Extension”. If this is not present, right-click the Web Service Extensions and select “Add a new Web service extension…”.
Figure 24: Add a new web service extension (1)
In the Extension name, fill in: “IK IIS6 Extension”. Afterwards click Add and go to the Bin folder in the installation folder.
Figure 25: Add a new web service extension (2)
Select the vmiisext.dll file and click OK.
Figure 26: Add a new web service extension (3)
Make sure you tick the “Set extension status to Allowed” selection and click OK.
Figure 27: Add a new web service extension (4)
Right-click the CitrixAccess virtual folder under the Default Web Site and select Properties.
Figure 28: Add a new web service extension (5)
Click the Configuration button.
Figure 29: Add a new web service extension (6)
At the Wildcard application maps, click the Insert button.
Figure 30: Add a new web service extension (7)
Click the Browse button.
Figure 31: Add a new web service extension (8)
Go to the Bin directory of the installation folder and select the vmiisext.dll file. Afterwards click Open.
Figure 32: Add a new web service extension (9)
Click OK to add the extension to the wildcard application map. Click OK twice until all properties screens are closed.
Figure 33: Add a new web service extension (10)
To register all changes, restart IIS by running “iisreset” in the Start – Run menu.
5 IDENTIKEY Server
5.1 Policy configuration
Setting up the IK only requires you to set up a policy to go to the right back-end and to add an extra Radius and/or back-end Server pointing to the NPS or LDAP. To add a new policy, right-click Policies and choose Create Policy.
Figure 34: IK configuration (1)
There are a few policies available by default. You can also create new policies to suit your needs. These can be independent policies, or can inherit or copy their settings from default or other policies. Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit settings from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new one, choose the create option.
Figure 35: IK configuration (2)
We chose to create a new policy and specify all details about the authentication policy. In the policy properties, configure it to use the right back-end server. This could be the local database, but also Windows (Active Directory) or another radius server (RADIUS). This could be the same authentication service as you were previously using in the ISA server.
Main Settings tab
   Local auth.:                  DIGIPASS/Password
   Back-End Auth.:               If Needed
   Back-End Protocol:            Windows
User Settings tab
   Dynamic User Registration:    Yes
   Password Autolearn:           Yes
   Stored Password Proxy:        Yes
   Windows Group Check:          No Check
Challenge Settings tab
   2-Step Challenge Response:    None
   Primary Virtual DIGIPASS:     None
After configuring this Policy, the authentication will happen, if needed (when it does not know the user locally), in the back-end to Active Directory. User credentials are passed through to the IK; it will check these credentials with the AD and will answer to the NPS/LDAP server with an Access-Accept or Access-Reject RADIUS message.
Figure 36: IK configuration (3)
Figure 37: IK configuration (4)
Figure 38: IK configuration (5)
5.2 Back-End configuration
For testing purposes you can change the existing RADIUS Client (default RADIUS client that listens for all connections) by right-clicking it and choosing Properties. If you already use the default RADIUS client, it would be better to create a new RADIUS back-end.
Figure 39: IK configuration (6)
In the policy field you should find your newly created policy. Fill in the shared secret you also entered in the RADIUS server properties on the NPS server. Click Create.
Figure 40: IK configuration (7)
All configuration is done by now. The next chapter shows you how to add a user manually. In our policy we enabled the Dynamic User Recognition (DUR). So users who get verified through the Active Directory, and are not known in the local database, are automatically added. It also shows how to assign a DIGIPASS to a user.
6 User configuration
The user creation steps you will find in this chapter are optional when you didn’t activate the option Dynamic User Registration (DUR) and/or Password Autolearn in your policy settings. The assignment of a DIGIPASS can happen manually as explained in the steps below. The user creation and DIGIPASS assignment steps depend on which database back-end you installed IDENTIKEY Server with: either an ODBC back-end or an Active Directory back-end.
6.1 ODBC installation
6.1.1 User creation
User creation, while using an ODBC back-end, will happen in the IDENTIKEY Server Web Administration. Right-click the Users folder and select Create User ... .
Figure 50: ODBC User Creation (1)
Fill in the username and password fields. Optionally choose the right domain and Organizational Unit and click the Create button.
Figure 51: ODBC User Creation (2)
The user will now show up in the Users list of your IDENTIKEY Server Web Administration. At this point it will be exactly the same as when Dynamic User Recognition (DUR) was enabled.
Figure 52: ODBC User Creation (3)
Import DIGIPASS
Click the DIGIPASS tab and select Import... .
Figure 53: Import DIGIPASS (1)
Browse for your *.DPX file, fill in the Transport Key, click Upload and look at your available applications. You can either import all applications or only the ones you selected.
Figure 54: Import DIGIPASS (2)
Figure 55: Import DIGIPASS (3)
Click Next to select the domain for the DIGIPASS import.
Figure 56: Import DIGIPASS (4)
When the DIGIPASS is imported successfully you will see the DIGIPASS in the list.
Figure 57: Import DIGIPASS (5)
6.1.2 DIGIPASS Assignment
There are two possible ways to assign a DIGIPASS to a user. You can search for a DIGIPASS and assign it to a user or you can search for a user and assign it to a DIGIPASS. You can see the difference in the following two figures. Select a user and click Assign DIGIPASS and follow the next steps or…
Figure 58: DIGIPASS assignment (1)
… in the DIGIPASS tab, select a serial number for a DIGIPASS and follow the next steps.
Figure 59: DIGIPASS assignment (2)
If you type in the User ID and press the Search button, you will get a list of all the available users in the same domain as the DIGIPASS. The usernames are partly searchable too. Notice: If no users show up, make sure the domains of the DIGIPASS and the user match.
Figure 60: DIGIPASS assignment (3)
When assigning a DIGIPASS to a user the same procedure will be applicable. You can either select the desired option to search for a DIGIPASS or search by serial number. Leaving all options blank will show all possibilities in the same domain. When the DIGIPASS has been successfully added to your user you will get a confirmation message.
Figure 61: DIGIPASS assignment (4)
6.2 Active Directory installation
6.2.1 User creation
User creation, while using an Active Directory back-end, will happen in the Active Directory Users and Computers MMC. Right-click a user and select Properties. This can happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active.
Figure 62: Active Directory User Creation (1)
In the DIGIPASS User Account tab you will see a field to manually add a password. This can also be automatically filled by enabling the Password Autolearn option in the policy settings.
Figure 41: Active Directory User Creation (2)
After clicking the Apply button you will see the Update History fields being filled with the current date and time. When these fields are filled it means the DIGIPASS account exists and can be used.
Figure 64: Active Directory User Creation (3)
6.2.2 Import DIGIPASS
To make sure you can see the DIGIPASS folders in the MMC, go to View and select the Advanced Features. This way you will see the DIGIPASS folders.
Figure 65: Import DIGIPASS (1)
Right-click the DIGIPASS-Pool folder and select Import DIGIPASS … .
Figure 66: Import DIGIPASS (2)
Browse for your *.DPX file, fill in the Transport Key, click Next and look at your available applications. You can either import all applications or only the ones you selected.
Figure 66: Import DIGIPASS (3)
Figure 67: Import DIGIPASS (3)
When the DIGIPASS is imported successfully you will receive a confirmation message.
Figure 68: Import DIGIPASS (4)
6.2.3 DIGIPASS assignment
There are two possible ways to assign a user to a DIGIPASS. You can search for a DIGIPASS and assign it to a user or you can search for a user and assign it to a DIGIPASS. You can see the difference in the following two figures. Right-click a User and select Assign DIGIPASS... or ...
Figure 69: DIGIPASS Assignment (1)
… right-click a DIGIPASS and select Assign DIGIPASS … .
Figure 70: DIGIPASS Assignment (2)
If you leave the User ID blank and press the Find button, you will get a list of all the available users in the same domain as the DIGIPASS. The usernames are partly searchable too.
Figure 71: DIGIPASS Assignment (3)
Figure 72: DIGIPASS Assignment (4)
When assigning a DIGIPASS to a user the same procedure will be applicable. You can either select the desired option to search for a DIGIPASS or search by serial number. Leaving all options blank will show you all possibilities. Remember to check the “Search upwards …” checkbox.
7 Test the Web Interface Login
Go to the Web Interface of your Citrix Access Essentials installation. Try to log in with a user that was able to log in before you installed the DIGIPASS Pack for Citrix. If you attached a DIGIPASS to a user, this is the moment you can use a One Time Password (OTP).
7.1 Response Only
Figure 73: Response Only (1)
If everything goes well, you will be authenticated and the Citrix applications will be shown.
Figure 74: Response Only (2)
7.2 Challenge / Response
For the challenge response test, enter your Name and Password (challenge/response trigger). Click the Login button. In our case the challenge/response trigger is the user’s static password.
Figure 42: Challenge / Response (1)
You will be presented with a DP300 Challenge code. Use a pin pad enabled DIGIPASS to enter the challenge and calculate the response. Enter the response in the Answer field and click OK.
Figure 76: Challenge / Response (2)
If everything goes well, you will be authenticated and the Citrix applications will be shown.
Figure 77: Challenge / Response (3)
If something went wrong, you can always check the *.trace file for detailed logging information. It is better to turn off the detailed logging when you use IDENTIKEY Server in production. There will be more system resources available when detailed logging is turned off.
8 IDENTIKEY Server features
8.1 Installation
The IDENTIKEY Server (IK) installation is very easy and straightforward. IK runs on Windows platforms, supports a variety of databases and uses an online registration. Different authentication methods allow a seamless integration into existing environments.
8.1.1 Support for Windows 2003, 2008, IIS6 and IIS7
IK can be installed on Windows 2003 and Windows 2008. Web modules exist for IIS6 and IIS7 to protect Citrix Web Interface, Citrix Secure Gateway, Citrix Secure Access Manager (Form-based authentication), Citrix Access Gateway and Microsoft Outlook Web Access 2003 and 2007 (Basic Authentication and Form-Based Authentication).
8.1.2 Support for ODBC databases and Active Directory
Any ODBC compliant database can be used instead of the default PostgreSQL database (MS SQL Server, Oracle). Since Version 3.1 of IDENTIKEY Server, your DIGIPASS infrastructure is now also fully integrated into the AD management tools. This option requires an AD schema update.
8.2 Deployment
Several IDENTIKEY Server features exist to facilitate deployment. Combining these features provides different deployment scenarios from manual to fully automatic.
8.2.1 Dynamic User Registration (DUR)
This feature allows IK to check a username and password not in the database with a back-end RADIUS server or a Windows domain controller and, if username and password are valid, to create the username in the IK database.
8.2.2 Autolearn Passwords
Saves administrators time and effort by allowing them to change a user’s password in one location only. If a user tries to log in with a password that does not match the password stored in the IK database, IK can verify it with the back-end RADIUS server or the Windows domain controller and, if correct, store it for future use.
8.2.3 Stored Password Proxy
Allows IK to save a user’s RADIUS server password or Windows domain controller password in the database (static password). Users can then log in with only username and dynamic one-time password (OTP). If this feature is disabled, users must log in with username and static password immediately followed by the OTP.
8.2.4 Authentication Methods
Different authentication methods can be set on server level and on user level: local authentication (IK only), Back-End authentication (Windows or RADIUS). On top of that a combination of local and back-end can be configured. The additional parameters ‘always’, ‘if needed’ and ‘never’ offer you additional customization of the back-end authentication process. The configuration of authentication methods is done within the policy (policies).
8.2.5 Policies
Policies specify various settings that affect the User authentication process. Each authentication request is handled according to a Policy that is identified by the applicable Component record. Components can be radius clients, authentication servers or Citrix web interfaces.
8.2.6 DIGIPASS Self Assign
Allows users to assign DIGIPASS to themselves by providing the serial number of the DIGIPASS, the static password and the OTP.
8.2.7 DIGIPASS Auto Assign
Allows automatic assignment of the first available DIGIPASS to a user on user creation.
8.2.8 Grace Period
Supplies a user with a certain amount of time (7 days by default) between assignment of a DIGIPASS and the user being required to log in using the OTP. The Grace Period will expire automatically on first successful use of the DIGIPASS.
8.2.9 Virtual DIGIPASS
Virtual DIGIPASS uses a text message to deliver a One Time Password to a User’s mobile phone. The User then logs in to the system using this One Time Password.
Primary Virtual DIGIPASS
A Primary Virtual DIGIPASS is handled similarly to a standard physical DIGIPASS. It is imported into the IDENTIKEY Server database, assigned to a User, and treated by the IDENTIKEY Server database as any other kind of DIGIPASS.
Backup Virtual DIGIPASS
The Backup Virtual DIGIPASS feature simply allows a User to request an OTP to be sent to their mobile phone. It is not treated as a discrete object by IDENTIKEY Server, and is not assigned to Users, only enabled or disabled. It can be enabled for Users with another type of DIGIPASS already assigned, and used when the User does not have their DIGIPASS available.
8.3 Administration
8.3.1 Active Directory Users and Computers Extensions
Since IDENTIKEY Server version 3.0, managing the users and DIGIPASS can be done within the Active Directory Users and Computers section. Selecting the properties of a user offers complete User-DIGIPASS management.
Figure 78: IK Features (1)
8.3.2 Administration Web Interface
A highly intuitive Administration Web interface exists to administer the product. An Audit Console is available to give an instant view on all actions being performed on the IK. Both can be installed on the IK server itself or on a separate PC.
Figure 79: IK Features (2)
8.3.3 User Self Management Web Site
A web site running on IIS has been developed to allow users to register themselves to the IK with their username and back-end (RADIUS or Windows) password, to do a DIGIPASS self assign, to update their back-end password stored in the IK database, to do a change PIN (Go-3/Go-8 DIGIPASS), and to do a DIGIPASS test.
Figure 80: IK Features (3)
8.3.4 Delegated administration
Administration can be delegated by appointing different administrators per organizational unit (OU). These administrators can only see the DIGIPASSes and users that were added to their OU.
8.3.5 Granular access rights
It is possible in IDENTIKEY Server to set up different permissions per user. This can be in function of a domain or an organizational unit. Administrators belonging to the Master Domain may be assigned administration privileges for all domains in the database, or just their own domain. Administrators belonging to any other Domain will have the assigned administration privileges for that Domain only. It’s possible to set different operator access levels. E.g. a user can be created that only has the rights to unlock a DIGIPASS.
Figure 81: IK Features (4)
9 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce. VASCO’s User Authentication software is carried by the end user on its DIGIPASS products which are small “calculator” hardware devices, or in a software format on mobile phones, other portable devices, and PC’s. At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO’s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO’s time-based system generates a “one-time” password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO’s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.