Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009

    Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009 - Presentation Transcript

    1. Interop Mumbai 2009: The New Wave of Tokenless Two-Factor Authentication. © 2009 Copyright SecurEnvoy Ltd. All rights reserved
    2. What is authentication
       • "The process of identifying an individual, usually based on a username and password." Source: www.webopedia.com
       • "Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic." Source: www.wikipedia.com
       • "Authenticate, verb: prove or show to be authentic. Derivatives: authentication (noun), authenticator (noun)." Source: Oxford English Dictionary, www.askoxford.com
    3. Strength of the Password
       The password provides your digital identity.
       • Good: easy to use and remember, cheap, prolific, e.g. Password = child's name, zip code etc.
       • Bad: hard to remember, and still gets compromised, e.g. Password = Q1asw&u$42
       How passwords are compromised:
       • Social engineering
       • Guessing the password / PIN
       • Shoulder surfing
       • Keystroke logging
       • Screen scraping (with keystroke logging)
       • Brute-force password crackers
    4. Compromising the Password: password utility Cain and Abel, www.oxid.it
    5. Compromising the Password: password utility L0phtCrack, www.l0phtcrack.com
    6. Compromising the Password: hardware keystroke logger KeyGhost, www.keyghost.com
    7. Two Factor Authentication: hardware tokens
       End user quotes: "I got my today, it took just 2 weeks to deliver here to Finland. Must remember to carry the token!" and "It's so small! Gotta keep an eye on it, losing it would suck." Source: http://forumserver.twoplustwo.com/28/internet-poker/i-got-my-pokerstars-rsa-secureid-token-today-pic-367093/index33.html
       • Deployment: remote users must be sent a hardware device
       • Token may require resynchronisation
       • Support: failed tokens must be managed
       • Smartcards need a reader and software drivers
       • Short-term contractors don't always return the token
       • B2B: one user dealing with many companies requires many identical tokens
    8. Two Factor Authentication: a phone in every pocket?
       • 3.8 billion GSM connections (source www.gsmworld.com)
       • End users protect their phones. A recent poll asked "what's the worst thing you could lose?": your phone 92%, 20 Euros 7%, your token 1%
       • Lost phones are reported missing much faster, and a 2nd factor must be reported missing before it can be disabled
    9. Two Factor Authentication: how can a phone become an authenticator?
       Option 1: add software to the phone (Passcode 651273 shown on a handset)
       • Many different phone interfaces
       • Massive QA issues
       • Major support issues
       • Limited supported phone types
       • Software deployment problems
       Option 2: on-demand SMS
       • What about SMS delays?
       • What if I'm in a building with no signal?
       • I'm using my phone to connect to the internet
       Option 3: pre-load SMS
       • Each authentication sends the next passcode
    10. On-demand v Pre-load SMS (comparison chart)
    11. End User Experience
       Traditional approach: UserID: fred, PIN: 3687, Passcode: 435891, Microsoft Password: P0stcode
       Easiest approach: UserID: fred, Microsoft Password: P0stcode, Passcode: 435891
       • Reuse the Microsoft or other LDAP password as the PIN
       • Easier end user authentication experience
       • No PIN administration required
    12. Two Factor Authentication
       • PhilU / P0stcode: something you know
       • 234836: something you own (6-digit number from the mobile phone)
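    The login flow of slides 9 to 12 in working form, as an added example rather than SecurEnvoy's own code: the user presents the existing directory password (the "PIN") plus the 6-digit passcode already pre-loaded onto the phone, and a successful login consumes that passcode and texts the next one, so each SMS supersedes the last. The SMS gateway, the user store, the PBKDF2 password hashing and the lockout threshold are all assumptions for the example, not details from the slides.

```python
"""Password + pre-loaded SMS passcode (added example, not SecurEnvoy code)."""
import hashlib
import hmac
import secrets

PASSCODE_DIGITS = 6
MAX_FAILURES = 5          # assumed lockout threshold, not from the slides


class SmsGateway:
    """Stand-in for a carrier API. `inbox` keeps only the newest text per
    number, which mirrors the slide's "next SMS overwrites previous one"."""

    def __init__(self):
        self.inbox = {}   # mobile -> latest passcode text

    def send(self, mobile, text):
        self.inbox[mobile] = text


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _code_hash(code):
    return hashlib.sha256(code.encode()).digest()


class TwoFactorServer:
    def __init__(self, gateway):
        self.gw = gateway
        self.users = {}   # username -> record; stands in for the LDAP entry

    def enrol(self, username, password, mobile):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw": _pw_hash(password, salt),   # existing directory password doubles as the PIN
            "mobile": mobile,
            "code": None,                     # hash of the currently pre-loaded passcode
            "failures": 0,
        }
        self._preload(username)               # first passcode goes out at enrolment

    def _preload(self, username):
        """Generate the next single-use passcode, keep only its hash, text it."""
        rec = self.users[username]
        previous = rec["code"]
        while True:
            code = f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"
            digest = _code_hash(code)
            if previous is None or not hmac.compare_digest(digest, previous):
                break                         # never re-issue the code just burned
        rec["code"] = digest
        self.gw.send(rec["mobile"], code)

    def login(self, username, password, passcode):
        """Both factors are checked before anything is revealed or consumed."""
        rec = self.users.get(username)
        if rec is None or rec["failures"] >= MAX_FAILURES or rec["code"] is None:
            return False
        pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
        code_ok = hmac.compare_digest(_code_hash(passcode), rec["code"])
        if not (pw_ok and code_ok):
            rec["failures"] += 1              # a wrong guess must not burn the real passcode
            return False
        rec["failures"] = 0
        self._preload(username)               # passcode is single use; the next one is sent now
        return True


if __name__ == "__main__":
    gw = SmsGateway()
    srv = TwoFactorServer(gw)
    srv.enrol("fred", "P0stcode", "+358401234567")   # constructed test user
    code = gw.inbox["+358401234567"]
    print("login with pre-loaded code:", srv.login("fred", "P0stcode", code))
    print("replay of the same code:", srv.login("fred", "P0stcode", code))
```

The two design points worth copying are that a failed attempt does not consume the pre-loaded passcode (otherwise anyone who knows a username can lock the real user out by typing junk), and that the server stores only a hash of the passcode, so a copy of the directory does not yield a usable second factor.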
    13. Two Factor Authentication: where the user data lives
       Standard authentication solutions: re-enter user information into a separate SQL database, or sync it from LDAP / Active Directory, with its own replication
       SecurEnvoy solution:
       • Use AD or other LDAP as the database
       • No changes to the schema
       • Must be encrypted (128-bit AES)
    14. Resilience: leverage existing replication of AD or other LDAP
       [Diagram: Site 1 and Site 2, each with an AD Domain Controller running SecurEnvoy SecurAccess and an SSL VPN; the SecurEnvoy authentication data is replicated by Active Directory]
    15. Supporting Multiple Domains
       [Diagram: End User A on Domain A (VPN Server A, Microsoft AD) and End User B on Domain B (VPN Server B, eDirectory), plus Internet customers on an IIS Web Server backed by an ADAM instance, all served by a central RADIUS and 2FA server; passcodes 347219 and 971563 delivered to the users' mobiles]
    16. Deployment
       1. Locate existing users in AD (LDAP)
          • Search base (OU=Amsterdam)
          • Search filter (memberof=vpngroup)
       2. Check for known mobile numbers
       3. Self-enrol unknown mobile numbers via email
       Deploy around 300 users per minute: 5000 users in around 16 minutes
    17. Summary
       Easy to use: no additional PIN, no token, next SMS overwrites the previous one
       Easy to administer and deploy: no database (reuse the existing central LDAP), automated deployment, self-enrol unknown mobile numbers
       Resilient: pre-loaded passcodes, leverage LDAP server replication, support multiple heterogeneous domains
       www.SecurEnvoy.com
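    The three deployment steps of slide 16 carried out against a constructed in-memory copy of directory entries, as an added example that is not SecurEnvoy's code: scope by search base, select by filter, then split users into those with a usable mobile number (deploy now) and those without (queue a self-enrolment email). The filter evaluator covers only the RFC 4515 subset a rollout needs: equality, presence, &, | and !. The sample entries, the domain DNs and the E.164 rule for what counts as a usable number are assumptions; one real-world detail is that Active Directory's memberOf holds the group's full DN, so the slide's `(memberof=vpngroup)` is shorthand for a filter on that DN.

```python
"""Stage a tokenless 2FA rollout from an LDAP search (added example, not SecurEnvoy code)."""
import re

# Constructed sample directory, not real data.
VPN_GROUP = "CN=vpngroup,OU=Groups,DC=example,DC=com"
ENTRIES = [
    {"dn": "CN=fred,OU=Amsterdam,DC=example,DC=com", "memberOf": [VPN_GROUP],
     "mobile": ["+31 6 1234 5678"], "mail": ["fred@example.com"]},
    {"dn": "CN=anna,OU=Amsterdam,DC=example,DC=com", "memberOf": [VPN_GROUP],
     "mail": ["anna@example.com"]},                                 # no mobile at all
    {"dn": "CN=jan,OU=Amsterdam,DC=example,DC=com", "memberOf": [VPN_GROUP],
     "mobile": ["ext. 4411"], "mail": ["jan@example.com"]},          # mobile field holds junk
    {"dn": "CN=kim,OU=Amsterdam,DC=example,DC=com", "memberOf": [VPN_GROUP]},   # no contact data
    {"dn": "CN=ravi,OU=Amsterdam,DC=example,DC=com", "mobile": ["+31 6 9999 0000"],
     "memberOf": ["CN=staff,OU=Groups,DC=example,DC=com"]},          # not a VPN user
    {"dn": "CN=li,OU=London,DC=example,DC=com", "memberOf": [VPN_GROUP],
     "mobile": ["+44 7700 900123"]},                                 # outside the search base
]


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _close(s, i)
    j = s.index(")", i)                       # raises ValueError if unterminated
    attr, sep, value = s[i:j].partition("=")  # first '=' splits; DN values may contain more
    if not sep or not attr.strip():
        raise ValueError("only equality and presence filters are supported")
    return ("=", attr.strip().lower(), value.strip()), j + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    found = [v for k, v in entry.items() if k.lower() == attr]
    flat = [x for v in found for x in (v if isinstance(v, list) else [v])]
    if value == "*":
        return bool(flat)                     # presence filter
    return any(x.lower() == value.lower() for x in flat)   # attribute values compared case-insensitively


def in_scope(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


MOBILE_OK = re.compile(r"^\+\d{7,15}$")       # assumed: gateway wants E.164 numbers


def normalise_mobile(raw):
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits if MOBILE_OK.match(digits) else None


def plan_deployment(entries, base, filter_text):
    """Returns who can be deployed now, who gets a self-enrolment email, and who needs manual follow-up."""
    node = parse_filter(filter_text)
    plan = {"deploy": [], "self_enrol": [], "manual": []}
    for e in entries:
        if not in_scope(e["dn"], base) or not matches(node, e):
            continue
        mobile = next((m for m in map(normalise_mobile, e.get("mobile", [])) if m), None)
        mail = (e.get("mail") or [None])[0]
        if mobile:
            plan["deploy"].append((e["dn"], mobile))
        elif mail:
            plan["self_enrol"].append((e["dn"], mail))
        else:
            plan["manual"].append(e["dn"])
    return plan


if __name__ == "__main__":
    for bucket, users in plan_deployment(ENTRIES, "OU=Amsterdam,DC=example,DC=com",
                                         f"(memberof={VPN_GROUP})").items():
        print(bucket, users)
```

Two points a practitioner would check before a real run: a populated `mobile` attribute is not the same as a usable one (jan above lands in the self-enrol queue despite having a value), and the presence filter `(!(mobile=*))` would miss exactly that case, so the classification should be done on normalised numbers rather than on the raw directory filter.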

    Uploaded by Interop Mumbai 2009, 1 month ago

    Underwood's session will introduce tokenless two-
