Imprivata has produced version 3 of its OneSign single sign-on (SSO) app, adding support for proximity access cards, so that the ID card you use to get into your building can also be used to gain access to your network.

OneSign is a box that drops into a network. Users authenticate to it - with a smartcard, password and/or a token, say - and it then authenticates them to their applications.

"There's a convergence of IT security and building security," said Gregg LaRoche, Imprivata's product management VP. "RFID facility access cards are already deployed and accepted, so why not make use of that? Add a password or fingerprint to the card and you have strong authentication."

Most of the access cards in use are passive short-range RFID devices, he claimed, and can carry multiple attributes, such as one for building access, one for the LAN and one for a picture of the holder. LaRoche said this gives extra options against hacking and impersonation, such as blocking an account from logging in remotely if the system shows that user is already in the building.
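As an added illustration of the presence check LaRoche describes (this is not Imprivata's code; the badge-event format, the sample events and the 12-hour staleness window are assumptions), a remote login is refused while the badge log shows the user inside the building, and a stale entry with no matching exit is no longer trusted:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BadgeEvent:
    """One door-controller record (assumed format, not a vendor schema)."""
    user: str
    door: str
    direction: str  # "in" or "out"
    when: datetime


# Constructed sample badge log for the example.
EVENTS = [
    BadgeEvent("alice", "lobby", "in", datetime(2024, 5, 1, 8, 2)),
    BadgeEvent("bob", "lobby", "in", datetime(2024, 5, 1, 8, 10)),
    BadgeEvent("bob", "lobby", "out", datetime(2024, 5, 1, 12, 30)),
]


def is_in_building(events, user, now, max_age=timedelta(hours=12)):
    """True if the user's latest badge event is an entry within max_age.

    Tailgating out of the building leaves no exit record, so an old entry
    must expire rather than block the user indefinitely.
    """
    latest = None
    for ev in events:
        if ev.user == user and ev.when <= now:
            if latest is None or ev.when > latest.when:
                latest = ev
    if latest is None or latest.direction != "in":
        return False
    return now - latest.when <= max_age


def evaluate_login(events, user, source, now):
    """Return ("allow" | "deny", reason) for a login attempt.

    source is "remote" (VPN, web) or "local" (a workstation on the LAN).
    """
    if source == "remote" and is_in_building(events, user, now):
        return "deny", "badge log shows user inside building; remote login inconsistent"
    return "allow", "no physical-presence conflict"
```

A denied attempt is worth alerting on as well, since either the credential or the badge is being used by someone other than its owner.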

"Building security is increasingly running on the network now, so the IT infrastructure people are gaining control and will eventually own those budgets," he said. "So they'll want a single access policy to cover both."

The link to building access cards is one of several additions in OneSign's new version. Others include support for extra fingerprint biometric enrollment methods and devices, most notably the integrated fingerprint reader in the IBM T42 laptop, and a facility called Extension Objects, which can trigger client-side events such as drive mappings and startup scripts.

"OneSign's ability to ESSO-enable all of our applications without scripting helped us make single sign-on a reality," said Jamie Bowie, director of information systems and telecommunications at The Credit Valley Hospital. "OneSign Extension Objects will assist us in satisfying the need to message users and give us additional functionality."

"We have seen tremendous validation for our approach to single sign-on and credentials management," said LaRoche, adding that a OneSign system supporting 1,000 users would cost around $40,000.

"A large majority of the people we talk to have tried to solve the problem quite recently and given up," he said. "The most common reaction when we say SSO is a rolling of the eyes and 'We tried that and gave up - it was just too hard to do'.

"Custom apps are the problem for everyone, for example if you use client-side automation you need to interact with the application on the client, and there's only a limited number of ways to do that. Typically people use a scripting approach, but the application may behave unexpectedly and the procedure will fail.

"We use a different learning-based approach that's not dependent on static triggers. It learns the interface, it's state-based and can accommodate variability. It's still a problem when you get a custom app but we're quicker at dealing with it."

He added that applications work in particular ways, so you need to define cases or prototypes, not specific apps. "In order of ease of implementation it's web apps, then Win32, then Java, ActiveX and so on," he said. "The most difficult category is proprietary hosted apps, such as proprietary terminal emulation, because they're one of a kind and don't conform to any standards."