SecurEnvoy Next Generation Two

Report
Next Generation
Two Factor Authentication
21st Century Remote Access
• Laptop
• Home / Other Business PC
• Hotel / Cyber Café / Airport
• Smart Phone / Blackberry
Who is using your VPN
Problems With Passwords
• “Social engineering”
• Finding written password
– Post-It Notes
• Guessing password / pin
– Dog/Kid’s name/ Birthday
• Shoulder surfing
• Keystroke logging
– Can be resolved with mouse based entry
• Screen scraping (with Keystroke logging)
• Brute force password crackers
– L0phtcrack
Two Factor Authentication
• Something you know
• Pin
• Password
• Mothers Maiden Name
• Something you own
• Keys
• Credit Card
• Token
• Phone
• Something you are
• Fingerprint
• DNA
• Two Factor Authentication is Two of the above
• Example: ATM Cash Machine
• Something you Know – Pin
• Something you Own - Cash Card (Chip)
Existing Form Factors
Smartcards / USB Tokens
• End user must remember to carry the card!
• Smartcards need readers
• Both need software drivers
• Remote Users can’t use other PC’s or Cybercafés
• Smart phones, Blackberry’s, PocketPC etc are limited by size
• Requires certificate enrolment and replacement
• Deployment - Remote users must be sent a hardware device
• Support – Pin Management & Failed token must be managed
Existing Form Factors
Hardware Tokens
• End user must remember to carry the token!
• Deployment - Remote users must be sent a hardware device
• Token may require resynchronisation
• Support – Pin Management & Failed token must be managed
• Short Term Contractors - Don’t always return the token
• B2B – One to many companies requires many identical
tokens
The Next Generation
Mobile Phone based Authentication
Mobile Phones solve all the previous issues however
• Adding Software to a range of Phones is difficult to
support
• SMS at peak times sometimes cause delay of
several minutes
Pre-Load vs. On demand SMS
8
The SecurEnvoy Approach
Passcode
Passcode
573921
347865
198462
The first 6 digit passcode is sent at enrolment
One Time Code
Each authentication (good or bad) send’s the next required code
Each Code can only be used once
Day Code
Each day (or set number of days) a new code is sent if used
If the current day code hasn’t been used, it’s still secret and will
not require updating
Each day code can be reused for the current and following day
Tmp Code
A pre-agreed static code that automatically switches back to
One Time or Day Code after a set number of days
10 failed attempts in a row disables account and
SMS messages (all modes)
PIN Management
Traditional Approach
UserID: fred
PIN: 3687
Passcode:435891
Microsoft Password: P0stcode
Two Factor Authentication requires something you know
& something you own
Why authenticate with two things you know?
The SecurEnvoy Approach
UserID: fred
Microsoft Password: P0stcode
Passcode: 435891
Reuse The Microsoft or other LDAP Password as the PIN
Easier end user authentication experience
No PIN Administration required
Can also support a PIN if required
Ease Of Use (Cost) Vs Risk
Cost Vs Risk
Expensive / Hard
Cost / Use
Tokens /
Smartcards
SecurEnvoy
30 Day
SecurEnvoy
SecurEnvoy
1 Day Code
One Time Code
7 Day Code
Password
Fixed
Cheap
Easy
Password
High Risk
Risk
Low Risk
The SecurEnvoy Approach
Standard Authentication Solutions
SecurEnvoy Solution
Re-enter user information
SQL
Database
LDAP Sync
Replication
SQL
Database
Active
Directory
Use AD or other
LDAP as the
database
No schema change required
Data Encrypted with 128 bit AES
SecurAccess Authentication
SecurAccess Authentication
Andyk
Passcode
573921
P0stcode
234836
Something You Know
Something You Own
Enter 6 Digit Number from Mobile Phone
Summary
The Next Generation is Mobile Phone Based Authentication
Up to 60% cheaper that Hardware Tokens
No Software on the phone
Must Allow for SMS Delays & Loss of Signal
Must Be Easy To Use (6 Digit Display On Phone)
Should Re-Use Existing Passwords (Windows) as the PIN
Should Use LDAP as the Database
www.SecurEnvoy.com

similar documents