Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009


Underwood’s session will introduce tokenless two-factor authentication via SMS. It will discuss the end-user authentication experience and the merits of on-demand versus pre-loading passcodes via SMS and how to resolve any delivery delays or signal dead spots. He will also discuss the best practices that are vital to support multiple internal business units, external third-party businesses and customer authentication, including how two-factor authentication security can be maintained within a disaster recovery environment. At the end of this session attendees will have a better understanding of the next generation of tokenless authentication, and will be able to save costs by eliminating tokens and reducing servers.



  1. Interop Mumbai 2009: The New Wave of Tokenless Two-Factor Authentication. © 2009 Copyright SecurEnvoy Ltd. All rights reserved
  2. What is authentication? The process of identifying an individual, usually based on a username and password (source www.webopedia.com). Authentication (from Greek αυθεντικός, real or genuine, from authentes, author) is the act of establishing or confirming something (or someone) as authentic (source www.wikipedia.com). Authenticate, verb: prove or show to be authentic; derivatives: authentication (noun), authenticator (noun) (source Oxford English Dictionary, www.askoxford.com).
  3. Strength of the Password. The password provides your digital identity. Good: easy to use and remember, cheap, prolific, e.g. password = child's name, zip code etc. Bad: hard to remember, compromised, e.g. password = Q1asw&u$42. Ways a password is compromised:
     • Social engineering
     • Guessing the password / PIN
     • Shoulder surfing
     • Keystroke logging
     • Screen scraping (with keystroke logging)
     • Brute force password crackers
  4. Compromising the Password. Password utility: Cain and Abel (www.oxid.it).
  5. Compromising the Password. Password utility: L0pht Crack (www.l0phtcrack.com).
  6. Compromising the Password. Hardware keystroke logger: Key Ghost (www.keyghost.com).
  7. Two Factor Authentication. End user device: quotes from a token user, "I got my today, it took just 2 weeks to deliver here to Finland. Must remember to carry the token!" and "It's so small! Gotta keep an eye for it, losing it would suck" (source http://forumserver.twoplustwo.com/28/internet-poker/i-got-my-pokerstars-rsa-secureid-token-today-pic-367093/index33.html). Drawbacks of hardware tokens:
     • Deployment: remote users must be sent a hardware token
     • Token may require resynchronisation
     • Support: a failed token must be managed
     • Smartcards need a reader and software drivers
     • Short term contractors don't always return the token
     • B2B: one-to-many companies require many identical tokens
  8. Two Factor Authentication. A phone in every pocket? 3.8 billion GSM connections (source www.gsmworld.com). End users protect their phones: a recent poll asked "what's the worst thing you could lose?" Your phone 92%, 20 Euros 7%, your token 1%. Lost phones are reported missing much faster, and the 2nd factor must be reported missing to be disabled.
  9. Two Factor Authentication. How can a phone become an authenticator?
     • Option 1, adding software on a phone (figure: phone screen showing Passcode 651273): many different phone interfaces, massive QA issues, major support issues, limited supported phone types, software deployment problems
     • Option 2, on-demand SMS: what about SMS delays? What if I'm in a building with no signal? I'm using my phone to connect to the internet
     • Option 3, pre-load SMS: each authentication sends the next passcode
  10. On demand v Pre Load SMS (diagram only).
  11. End User Experience. Traditional approach: UserID: fred, PIN: 3687, Passcode: 435891, Microsoft Password: P0stcode. Easiest approach: UserID: fred, Microsoft Password: P0stcode, Passcode: 435891. Reuse the Microsoft or other LDAP password as the PIN: easier end user authentication experience, no PIN administration required.
  12. Two Factor Authentication. PhilU / P0stcode: something you know. 234836: something you own (6 digit number from mobile phone).
  13. Two Factor Authentication. Standard authentication solutions: re-enter user information into an SQL database, with LDAP sync from Active Directory and database replication. SecurEnvoy solution: use AD or other LDAP as the database, no changes to the schema, data must be encrypted (128 bit AES).
  14. Resilience. Leverage existing replication of AD or other LDAP. (Diagram: Site 1 and Site 2 of "My Domain", each with an SSL VPN, a SecurEnvoy SecurAccess server and AD domain controllers; the SecurEnvoy authentication data is replicated between sites by Active Directory.)
  15. Supporting Multiple Domains. (Diagram: a central Radius & 2FA server serving Domain A with Microsoft AD, VPN Server A and End User A; Domain B with eDirectory, VPN Server B and End User B; and Internet customers via an IIS Web Server with a customer ADAM instance; passcodes 347219 and 971563 delivered to the users' mobiles.)
  16. Deployment.
     1. Locate existing users in AD (LDAP): search base (OU=Amsterdam), search filter (memberof=vpngroup)
     2. Check for known mobile numbers
     3. Self enrol unknown mobile numbers via email
     Deploy around 300 users per minute (5000 users in around 16 minutes).
  17. Summary.
     • Easy to use: no additional PIN, no token, next SMS overwrites the previous one
     • Easy to administer and deploy: no database, reuse the existing central LDAP
     • Automate deployment: self enrol unknown mobile numbers
     • Resilient: pre-load passcodes, leverage LDAP server replication, support multiple heterogeneous domains
     www.SecurEnvoy.com
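The pre-load flow described on slides 9, 11 and 17 (LDAP password as the PIN, a 6-digit passcode already on the phone, the next SMS overwriting the previous one), modelled as an added example that is not SecurEnvoy's code: the directory, the passcode store and the SMS gateway are replaced by in-memory structures, and the choice that a failed attempt does not rotate the live passcode is this example's assumption, not something the slides state.

```python
"""Model of pre-loaded SMS passcodes: the user presents the LDAP password
(something you know) plus the passcode last sent to the phone (something
you own); a successful login generates the next passcode and 'sends' it,
overwriting the old one.  A superseded passcode is rejected on replay."""
import hmac
import secrets

# Constructed stand-in for AD/LDAP: password and mobile number per user.
DIRECTORY = {"fred": {"password": "P0stcode", "mobile": "+00-0000-EXAMPLE"}}

# Server-side state: the single live passcode per user, and a simulated SMS outbox.
_live_passcode: dict[str, str] = {}
sms_outbox: list[tuple[str, str]] = []


def _issue_passcode(user: str) -> str:
    """Generate a fresh 6-digit passcode that differs from the old one, overwrite it, 'send' it."""
    old = _live_passcode.get(user)
    code = old
    while code == old:  # guarantee the superseded code is no longer valid
        code = f"{secrets.randbelow(10**6):06d}"
    _live_passcode[user] = code  # next SMS overwrites the previous one
    sms_outbox.append((DIRECTORY[user]["mobile"], code))
    return code


def enrol(user: str) -> str:
    """Pre-load: the first passcode is sent at enrolment, before any login."""
    return _issue_passcode(user)


def authenticate(user: str, password: str, passcode: str) -> bool:
    """Check both factors; only a fully successful login pre-loads the next passcode."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    # Constant-time comparisons; encode to bytes so non-ASCII input cannot raise.
    pw_ok = hmac.compare_digest(entry["password"].encode(), password.encode())
    code_ok = hmac.compare_digest(_live_passcode.get(user, "").encode(), passcode.encode())
    if not (pw_ok and code_ok):
        return False  # assumption: a failed attempt keeps the live passcode (no signal needed to retry)
    _issue_passcode(user)  # send the passcode for the *next* login
    return True
```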