Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009
Underwood’s session will introduce tokenless two-factor authentication via SMS. It will discuss the end-user authentication experience and the merits of on-demand versus pre-loading passcodes via SMS and how to resolve any delivery delays or signal dead spots. He will also discuss the best practices that are vital to support multiple internal business units, external third-party businesses and customer authentication, including how two-factor authentication security can be maintained within a disaster recovery environment. At the end of this session attendees will have a better understanding of the next generation of tokenless authentication, and will be able to save costs by eliminating tokens and reducing servers.

    Presentation Transcript

    • Interop Mumbai 2009: The New Wave of Tokenless Two-Factor Authentication © 2009 Copyright SecurEnvoy Ltd. All rights reserved
    • What is authentication
      The process of identifying an individual, usually based on a username and password. (Source: www.webopedia.com)
      Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic. (Source: www.wikipedia.com)
      Authenticate, verb: prove or show to be authentic. Derivatives: authentication (noun), authenticator (noun). (Source: Oxford English Dictionary, www.askoxford.com)
    • Strength of the Password
      Provides your digital identity
      Good: easy to use/remember, cheap, prolific, e.g. Password = child's name, zip code etc.
      Bad: hard to remember, compromised, e.g. Password = Q1asw&u$42
      Threats: • Social engineering • Guessing password / PIN • Shoulder surfing • Keystroke logging • Screen scraping (with keystroke logging) • Brute force password crackers
    • Compromising the Password: password utility - Cain and Abel (www.oxid.it)
    • Compromising the Password: password utility - L0phtCrack (www.l0phtcrack.com)
    • Compromising the Password: hardware keystroke logger - KeyGhost (www.keyghost.com)
    • Two Factor Authentication
      Quote: "I got my today, it took just 2 weeks to deliver here to Finland. Must remember to carry the token! It's so small! Gotta keep an eye for it, losing it would suck." (Source: http://forumserver.twoplustwo.com/28/internet-poker/i-got-my-pokerstars-rsa-secureid-token-today-pic-367093/index33.html)
      • End user device - must remember to carry the token
      • Deployment - remote users must be sent a hardware token
      • Token may require resynchronisation
      • Support - failed token must be managed
      • Smartcards need a reader and software drivers
      • Short term contractors - don't always return the token
      • B2B - one-to-many companies requires many identical tokens
    • Two Factor Authentication: A phone in every pocket?
      3.8 billion GSM connections (source www.gsmworld.com)
      End users protect their phones. A recent poll asked "what's the worst thing you could lose?": your phone 92%, 20 Euros 7%, your token 1%
      Lost phones are reported missing much faster; a 2nd factor must be reported missing to be disabled
    • Two Factor Authentication: How can a phone become an authenticator?
      Option 1 - Adding software on a phone? Many different phone interfaces, massive QA issues, major support issues, limited supported phone types, software deployment problems (phone display: Passcode 651273)
      Option 2 - On-demand SMS: What about SMS delays? What if I'm in a building with no signal? I'm using my phone to connect to the internet
      Option 3 - Pre-load SMS: each authentication sends the next passcode
    • On-demand vs Pre-load SMS (diagram slide)
    • End User Experience
      Traditional approach: UserID: fred, PIN: 3687, Passcode: 435891, Microsoft Password: P0stcode
      Easiest approach: UserID: fred, Microsoft Password: P0stcode, Passcode: 435891
      Reuse the Microsoft or other LDAP password as the PIN: easier end user authentication experience, no PIN administration required
    • Two Factor Authentication
      PhilU / P0stcode - Something You Know
      234836 - Something You Own (6 digit number from mobile phone)
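    The two SMS options from the earlier slide (on-demand versus pre-load) and the "password as PIN, plus a six-digit SMS passcode" login flow above can be shown as a small authenticator. The code below is an added illustration written for this transcript; it is not SecurEnvoy's SecurAccess implementation. It assumes a constructed in-memory stand-in for the LDAP password check (a real deployment would bind to AD/LDAP), a recording SMS gateway instead of a real one, and an assumed 120-second validity for on-demand codes. The pre-load mode sends the next passcode as soon as the previous one is used, and every new SMS overwrites the old code, which is exactly why delivery delays and signal dead spots do not block the login.

```python
import hmac
import secrets
import time

# Constructed stand-in for the directory the first factor is checked against
# (assumption: a real system would do an LDAP bind, not a dictionary lookup).
LDAP_PASSWORDS = {"fred": "P0stcode"}

PASSCODE_DIGITS = 6
ON_DEMAND_TTL = 120  # seconds an on-demand passcode stays valid (assumed value)


class SmsGateway:
    """Records messages instead of sending them so the example runs offline."""

    def __init__(self):
        self.sent = []  # list of (mobile, text)

    def send(self, mobile, text):
        self.sent.append((mobile, text))


def new_passcode():
    # CSPRNG-backed code, zero-padded so leading zeros survive as text.
    return f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"


class TokenlessAuthenticator:
    def __init__(self, gateway, mode="preload", now=time.time):
        if mode not in ("preload", "ondemand"):
            raise ValueError("mode must be 'preload' or 'ondemand'")
        self.mode = mode
        self.gateway = gateway
        self.now = now            # injectable clock so expiry can be tested
        self.mobiles = {}         # user -> mobile number
        self.pending = {}         # user -> (passcode, issued_at)

    def enrol(self, user, mobile):
        self.mobiles[user] = mobile
        if self.mode == "preload":
            self._issue(user)     # pre-load: the first code goes out at enrolment

    def _issue(self, user):
        code = new_passcode()
        self.pending[user] = (code, self.now())   # next SMS overwrites the previous code
        self.gateway.send(self.mobiles[user], f"Your passcode is {code}")
        return code

    def _first_factor(self, user, password):
        stored = LDAP_PASSWORDS.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def request_passcode(self, user, password):
        """On-demand only: send a code after the first factor has been checked."""
        if self.mode != "ondemand" or not self._first_factor(user, password):
            return False
        self._issue(user)
        return True

    def authenticate(self, user, password, passcode):
        if not self._first_factor(user, password):
            return False
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued = entry
        if self.mode == "ondemand" and self.now() - issued > ON_DEMAND_TTL:
            del self.pending[user]    # stale on-demand code is discarded
            return False
        if not hmac.compare_digest(code.encode(), passcode.encode()):
            return False
        del self.pending[user]        # single use: a code never works twice
        if self.mode == "preload":
            self._issue(user)         # each authentication sends the next passcode
        return True
```

    In pre-load mode a user always holds the code for their next login before they need it, so a delayed SMS only affects the login after this one. In on-demand mode the code is requested at login time and the clock decides whether it is still valid; the constant-time comparisons keep the passcode check from leaking which digits matched.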
    • Two Factor Authentication: Standard Authentication Solutions vs SecurEnvoy Solution
      Standard: re-enter user information; SQL database; Active Directory / LDAP sync; database replication
      SecurEnvoy: use AD or other LDAP as the SQL database; no changes to the schema; must be encrypted (128 bit AES)
    • Resilience: leverage existing replication of AD or other LDAP
      (Diagram: Site 1 and Site 2 of "My Domain", each with an AD Domain Controller running SecurEnvoy SecurAccess and an SSL VPN; SecurEnvoy authentication data is replicated by Active Directory)
    • Supporting Multiple Domains
      (Diagram: Domain A with Microsoft AD and VPN Server A; Domain B with eDirectory and VPN Server B; a central Radius & 2FA server; Internet customers via an IIS Web Server with a customer ADAM instance; End User A and End User B receive passcodes 347219 and 971563 on their mobiles)
    • Deployment
      1. Locate existing users in AD (LDAP): • Search base (OU=Amsterdam) • Search filter (memberof=vpngroup)
      2. Check for known mobile numbers
      3. Self enrol via email unknown mobile numbers
      Deploy around 300 users per minute: 5000 users in around 16 minutes
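    The three deployment steps above (find the VPN users in the directory, keep the ones with a known mobile number, send the rest a self-enrolment email) can be scripted as a planning pass. The code below is an added example for this transcript, not SecurEnvoy's deployment tool. It assumes a group DN and OU under the constructed domain `DC=example,DC=com`, a constructed list of directory entries in place of a live LDAP search result, and UK (+44) as the default country for local mobile numbers. It builds the search filter with RFC 4515 escaping so a group name taken from configuration cannot change the filter's structure, and normalises mobile numbers to E.164 before deciding who can be enrolled automatically. Note that in Active Directory `memberOf` holds the full DN of the group, so the slide's `memberof=vpngroup` is shorthand for a DN like the one used here.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal value inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_vpn_user_search(ou_dn, group_dn):
    """Return (search base, filter) for users that are members of the VPN group.

    Both values are constructed examples: ou_dn is the slide's OU=Amsterdam,
    group_dn stands in for the slide's vpngroup.
    """
    search_filter = f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"
    return ou_dn, search_filter


def normalise_mobile(raw, default_country="44"):
    """Return an E.164 number, or None if the attribute cannot be used for SMS.

    Assumption: numbers with a single leading 0 are local to default_country.
    """
    if not raw:
        return None
    digits = re.sub(r"[^\d+]", "", raw)       # drop spaces, brackets, dashes
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = default_country + digits[1:]
    else:
        return None                            # no country context: do not guess
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


def plan_enrolment(entries):
    """Split directory entries into: known mobile (enrol now), self-enrol by
    email (mobile unknown), and unreachable (neither attribute usable)."""
    known, self_enrol, unreachable = [], [], []
    for e in entries:
        name = e["sAMAccountName"]
        mobile = normalise_mobile(e.get("mobile"))
        if mobile:
            known.append((name, mobile))
        elif e.get("mail"):
            self_enrol.append((name, e["mail"]))
        else:
            unreachable.append(name)           # needs a helpdesk update first
    return known, self_enrol, unreachable


# Constructed directory entries standing in for the LDAP search result.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "fred", "mobile": "07700 900123", "mail": "fred@example.com"},
    {"sAMAccountName": "anna", "mobile": "+1 (415) 555-0100", "mail": "anna@example.com"},
    {"sAMAccountName": "bob", "mobile": None, "mail": "bob@example.com"},
    {"sAMAccountName": "svc-backup", "mobile": "n/a", "mail": None},
]

if __name__ == "__main__":
    base, flt = build_vpn_user_search(
        "OU=Amsterdam,DC=example,DC=com", "CN=vpngroup,OU=Groups,DC=example,DC=com"
    )
    print("search base:", base)
    print("filter:", flt)
    for label, rows in zip(("known", "self-enrol", "unreachable"), plan_enrolment(SAMPLE_ENTRIES)):
        print(label, rows)
```

    The entries in the "unreachable" list are the ones an automated rollout cannot touch; surfacing them before the run is what keeps a 5000-user deployment from silently leaving service accounts and stale records without a second factor.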
    • Summary
      Easy to use: no additional PIN; no token; next SMS overwrites previous one
      Easy to administer and deploy: no database, reuse existing central LDAP; automate deployment; self enrol unknown mobile numbers
      Resilient: pre-load passcodes; leverage LDAP servers' replication; support multiple heterogeneous domains
      www.SecurEnvoy.com