Overview

On March 2, 2015, Collective Software corrected a design defect that allowed Windows workstations to cache 1-factor password hashes in some circumstances where 2-factor authentication was being used. In the worst case, this means a locked session might be unlockable by entering only the password (instead of also requiring the OTP).

To eliminate any potential for users logging on to workstations with 1-factor when they should be blocked, please check whether your configuration is affected, and deploy the new build.

Affected AuthLite Versions

  • AuthLite version 1.x: not affected. You don't need to do anything, apart from making sure you have already updated for the older Advisory #1.
  • AuthLite versions 2.0.1 through 2.0.62: affected; please see below for update instructions.

What Should I Do?

You can eliminate this issue by performing the following action:

Install an updated AuthLite version

  • Upgrade your workstations that have AuthLite installed to AuthLite version 2.0.63 or later from AuthLite.com.
  • If your servers allow logon caching (via the group policy "Interactive logon: Number of previous logons to cache"), then you should also upgrade AuthLite on those systems.
  • You must reboot the computers for the modification to become active. Prior to rebooting, the systems will still be running the old version of the software in memory.
  • Domain controllers are not affected by this issue because there is no offline logon caching on DCs. It is OK to run a slightly older install on the DCs during your upgrade process, but you should plan to update them when convenient.
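As an added example (not Collective Software's code), the following PowerShell check reports whether a host meets the conditions above: it reads the cached-logon count behind the "Interactive logon: Number of previous logons to cache" policy, the machine's domain role, and the installed AuthLite version, and flags the host when it runs an affected build and is a workstation or a caching-enabled non-DC server. It assumes AuthLite's uninstall registry entry has a DisplayName starting with "AuthLite"; adjust that filter if your install registers differently.

```powershell
# Added example, not part of the AuthLite advisory or product.
function Test-AuthLiteAdvisory4 {
    # The "Interactive logon: Number of previous logons to cache" policy is stored
    # here as a REG_SZ; Windows defaults to 10 when the value is absent.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }
    $cached = [int]$cached

    # Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = server, 4/5 = domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isWorkstation = $role -le 1
    $isDC = $role -ge 4

    # Installed AuthLite version from the uninstall registry (64-bit and 32-bit views).
    # Assumption: the DisplayName begins with "AuthLite".
    $uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'AuthLite*' } | Select-Object -First 1
    $version = $null
    if ($entry -and $entry.DisplayVersion) { $version = [version]$entry.DisplayVersion }

    # Affected per the advisory: 2.0.1 through 2.0.62. 1.x and 2.0.63+ are not.
    # Compare Major/Minor/Build so a four-part DisplayVersion (e.g. 2.0.62.0) is handled.
    $affectedBuild = $false
    if ($version) {
        $affectedBuild = ($version.Major -eq 2) -and ($version.Minor -eq 0) -and
                         ($version.Build -ge 1) -and ($version.Build -le 62)
    }

    # Workstations always need the update; non-DC servers only if logon caching is enabled.
    $needsUpdate = $affectedBuild -and ($isWorkstation -or (-not $isDC -and $cached -gt 0))

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AuthLiteVersion    = if ($version) { $version.ToString() } else { 'not installed' }
        CachedLogonsCount  = $cached
        IsDomainController = $isDC
        NeedsUpdate        = [bool]$needsUpdate
    }
}

Test-AuthLiteAdvisory4 | Format-List
```

Run it on each AuthLite host (for example via Invoke-Command) and upgrade, then reboot, every host where NeedsUpdate is True.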

Common Questions and Answers

What is my exposure? Could this issue allow outside users in to my systems?

An attacker who knows the password of a locked session might be able to unlock that session, thereby letting them impersonate the real user for the duration of the real user's Kerberos ticket.

Should I upgrade from v1.x to version 2?

No, you do not need to do this. Version 2 is a much more complex product, and a proper upgrade requires a substantial amount of planning, configuration, and testing. We offer professional services just to help with this. In short, it's not something to be undertaken lightly.

Where do I have to install the update?

Install the updated software on all workstations that currently have AuthLite installed, and on all non-Domain-Controller servers that currently have AuthLite installed if those servers allow logon caching (which is Microsoft's default configuration; see the policy "Interactive logon: Number of previous logons to cache").

I need help with this, what should I do?

If you require further details, or assistance with installing the update, please open a Support Request from our Support page and reference Upgrade Advisory #4.