FAQ

The password re-use threshold is a policy to prevent users from using a previous password for at least a specified number of changed passwords. When set to a positive value, the MXI ACCESS, and ACCESS Enterprise Client software incorrectly manages a hashed password history list allowing attackers to execute an off-line attack on the hashes to guess a password in the list.

Affected Software

• ACCESS Enterprise v2.3
• ACCESS Enterprise v2.4
• ACCESS Enterprise v3.0
• ACCESS Enterprise v3.1
• MXI ACCESS v7.1

Fix
A fix is available in the form of a hotfix for ACCESS Enterprise v3.1 and an updated version of MXI ACCESS v7.1. Click here to access the Downloads page and download the hotfix

Recommendations
Customers who have ACCESS Enterprise should upgrade to ACCESS Enterprise v3.1 and apply the Hotfix and distribute a software update package to devices in the field. Administrators for ACCESS Enterprise are advised to only use a re-use threshold of zero until they have applied the hotfix. Users of MXI ACCESS are advised to only use a re-use threshold of zero until they have applied the hotfix.

Acknowledgments
MXI Security thanks Objectif Sécurité SA for reporting the issue.

Windows NT does not support Plug and Play devices and does not have native support for USB.

If the biometric or password access is blocked, then an administrator on the device can unblock the access. If the user cannot authenticate even if the mechanisms are not blocked then the only way to recover data is to inject the user's AES key and set a new password. This is only possible if the user's original key has been backed up in a key backup system and there is still an administrator account on the device that is accessible.

Yes, it is portable from one PC to another. You can manage it by executing ACCESS Software Suite directly from the CD without having to install the software on the host PC. If the device is already configured, you can unlock the device in zero-foot print mode or execute the unlock utility from the read-only partition without having to install the unlock utility on the host PC.

Only one user can login to the device at a time. The last authenticated user will be considered a logged in user.

Up to 5 users can be registered on the device. The MXP will support enrollment of up to 6 fingerprint templates in total with no restrictions on how many templates belong to a user.

It is recommended that you enroll at least two fingers for biometric authentication. Since many factors can affect biometric performance, it is best to have another finger in case the first is not working well if for example it may be injured.

The ACCESS Console lets you define partitions, but does not automatically format them. Before a newly created partition or a re-sized partition can be used it must be formatted. To format partitions you must either use Windows Explorer or Windows Disk Management Administrative tool. A private partition cannot be formatted until it is unlocked.

All data will be lost when a device administrator resizes the partitions. The administrator must temporarily archive all files to a local hard drive before re-sizing. Re-sizing an existing partition always requires a format operation and formatting a partition destroys all the data on the partition. It is strongly recommended that you size the partitions correctly before you deploy the MXP device.

No. ACCESS does not have a key backup system. Such functionality requires integration using the MXI SDK. Please contact the MXI sales department to discuss your needs.

You can no longer manage the MXP device because you can not access the device as an administrator using a biometric or a password. Furthermore, there are no other administrators who can access the device to unblock your access to the device. If you want to manage this device again, your only option is to recycle the device.

No. MXI cannot recover any private data from a device. You're only option to handle situations like this is to implement a key backup system. The devices are secure and there are no back doors.

Close the browser and any application(s) which you were using to do read/write to the read-only, public or private partitions on your MXP device. Wait for few seconds to finish the read/write operation(s). Click on "Unplug or Eject Hardware" icon from the Windows task bar. Select the device and click on "Stop". You can safely disconnect the device from the USB port after you see the message window "The USB Mass Storage Device device can now be safely removed from the system".

If you map a network drive to a resource using the drive letter typically assigned to a MXP device, you will not see the MXP drives in the file manager window when you connect the device. This problem only occurs if you map the drive while the MXP device is disconnected from the computer. You need to disconnect the mapped network drive. To work around the mapping issue, it is recommended that you re-map the network drive using a drive letter from the end of the alphabet, for example, Z or Y. This is a known issue with Microsoft Windows and removable storage devices and is documented at http://support.microsoft.com/?kbid=830238. Also, please find workaround solution with MXI ACCESS service pack 1.

The management code does not give access to any private data or use of key material so there is no security threat from knowing the management code. Its main purpose is to allow device recycling and updating of the read-only partition. However if an organization wishes to manage and fully maintain control of devices that it issues to users, it is recommended that it change the management code and keep it secret. This prevents employees from recycling the device themselves and reconfiguring it for their own purposes.

No, it is recommended that you always created an administrator with a reliable means to authenticate (be it password or biometric) and then define a second user for your day to day use. The administrator account has privileges that you don’t want to be exposed if for example you leave your device unlocked and unattended.

Windows NT does not support Plug and Play devices and does not have native support for USB.

Yes, remote access can be done using MXP with existing infrastructures such as Terminal Services, Citrix, and remote access authentication servers such as RSA ACE servers for one-time-password verification. Furthermore MXP will operate on thin clients that support USB mass storage allowing true portability of remote access with strong three-factor authentication.

Yes. Customized and streamlined workflows can be created and integrated into enterprise management systems on a per customer basis. Please contact the MXI sales department to discuss your needs.

Yes, MXI is releasing support for industry standard interfaces for PKCS#11 and Microsoft CAPI. This will allow MXP devices to be used as cryptographic tokens for integration with many PKI applications, including smart card logins for Windows. Please contact the MXI sales for availability and release dates.

MXI is currently working with single sign-on vendors to use MXP devices in their solutions as strong authentication devices and portable credential carriers.

Many cryptographic functions can be accessed through our PKCS#11 and CSP interfaces. However if you needs require more functionality, then the full suite of cryptographic services can be accessed through the MXI SDK. Please contact the MXI sales department to discuss your needs.

Yes, ClipDrive Secure is portable from one PC to another as long as the ClipDrive Secure drivers are installed on the PC in order to access the secure partition on the device. An administrative utility (ACCESS Console) is included with the product to allow user management and device configuration.

Only one user can login to a ClipDrive Secure device at a time. The last authenticated user will be considered a logged in user.

Up to 5 users can be registered (enrolled) on the device.

The ACCESS Console lets you define partitions, but does not allow you to format them. Before a newly created partition or a re-sized partition can be used it must be formatted. To format partitions you must either use Windows Explorer or Windows Disk Management Administrative tool. A private partition cannot be formatted until it is unlocked.

All data will be lost when users resize the partitions. Users must temporarily archive all files to a local hard drive before re-sizing. Re-sizing an existing partition always requires a format operation and formatting a partition destroys all the data on the partition. It is strongly recommended that you size the partitions correctly before you give ClipDrive Secure to users.

If your password access to ClipDrive Secure is blocked, you have to contact your administrator to unblock your user account.

You can no longer manage ClipDrive Secure because you can not access the device as an administrator using a password. Furthermore, there are no other administrators who can access the device to unblock your access to device. If you want to manage this device again, your only option is to recycle the device.

Some machines have a BIOS configuration that will not allow it to boot when a USB device is plugged in. To avoid this problem, disconnect the ClipDrive Secure when booting the machine.

Close the browser and any application(s) which you were using to write to the public or private partitions on your ClipDrive Secure. Wait for few seconds to finish the write operation. Click on "Unplug or Eject Hardware" icon from the Windows task bar. Select the device and click on "Stop". You can safely disconnect the device from the USB port after you see message window "The USB Mass Storage device can now be safely removed from the system".

The ClipDrive™ will not allow copying if it is set to write protect mode. Please, verify that the write protection switch located on the underside of the ClipDrive™ is set to unlock. You must disconnect and reconnect the ClipDrive™ each time you want to change the write protection mode. Please note not all ClipDrive models have a write protection switch.

Yes, as long as the ClipDrive™ formatting is supported by the OS (FAT and FAT32) and the PC has the proper drivers.

You can use FAT or FAT32 to reformat the ClipDrive™. NTFS is not supported.

Verify if the LED on the ClipDrive™ is flashing. If the LED is not ON or flashing, connect it directly to the Computer's USB port to verify if the problem comes from the USB cable. Also, check in the Device Manager to see if the ClipDrive™ is recognized by the USB controller. If it is not recognized, make sure that the USB port is enabled in the BIOS. Some times the computer needs to be rebooted when the ClipDrive™ is connected for the first time. Reboot your computer and try again.

If you map a network drive to a resource using the drive letter typically assigned to ClipDrive, you will not see the ClipDrive drive in the file manager window when you connect the device. This problem only occurs if you map the drive while ClipDrive is disconnected from the computer. You need to disconnect the mapped network drive. To work around the mapping issue, it is recommended that you re-map the network drive using a drive letter from the end of the alphabet, for example, Z or Y.