WHITE PAPER
Securing corporate assets with
two factor authentication
Published July 2012
Securing corporate assets with two factor authentication 	
Introduction
Organizations require users to enter their username and passwords in order to
validate their identity. However, with the proliferation of applications, websites and
services that require authentication, users are under increasing pressure to maintain
their passwords and it has become clear that the simple password scheme is no
longer sufficient. In fact there are multiple, high profile cases where passwords have
failed both the users and the organizations that provide services, leading to identity
theft and data loss. The impact of such breaches is more costly than ever: financial
penalties for breaches of regulatory compliance, lost business and loss of customer
confidence.
This white paper explores how two-factor authentication can strengthen authentication
and reduce the risk of unauthorized access to corporate resources.
Why static passwords are insufficient - "My password is 1234, and I wrote it down"
Passwords have long been used as a way to authenticate users and provide them
services. They rely on the simple fact that only the users know the password and
no one else does. This was initially perceived as an effective solution but with the
proliferation of systems and resources that require password entry prior to access,
the model breaks down in a number of ways.
Written down passwords
Human memory is known to fail. If a user forgets their password, they typically have
to call the IT helpdesk or reset the password before access is granted again. Since
this disrupts the user's workflow, many users write passwords down and leave the note
next to their place of work, in their laptop bag, or on the laptop itself.
This is a clear security risk: anyone with physical access to the office cube or laptop
has complete, unauthorized access. A recent survey carried out amongst IT professionals
found that 29% of respondents knew a colleague's password.
The risk presented by written down passwords is even greater when considered in
context of the volume of connected devices that are lost every day. Surveys suggest
that as many as 15,000 laptops are misplaced at airports in Europe and the USA
every week. If any of these have an accompanying post-it note with a password
attached then no amount of security can protect the organization from loss.
Password re-use across websites
Since users have to remember so many passwords, they tend to settle on a standard
password and re-use it in multiple places. This means that if the password is
compromised in one place, the attacker gains access to multiple sites and services.
Replay attacks
Even if the user is extremely careful with their passwords, static passwords are
vulnerable to replay attacks. After the user enters the password on a site or
application, it has to be sent to an authentication server for validation. An intruder
who intercepts that session or transmission, or who captures the password from a
compromised client, a phishing page or a breached database, can replay it later to
gain unauthorized access. A static password stays valid for as long as it is not
changed, so a single capture gives the attacker indefinite access.
Contents
Introduction
Why static passwords are insufficient
Introducing two-factor authentication
Form Factors for OTP delivery
OTP generating mechanisms
Integrating two-factor authentication
About Celestix HOTPin
Contact information
Authentication vs. Authorization
Authentication and authorization are often, and mistakenly, used interchangeably.
Authentication is the process of verifying that "you are who you say you are", while
authorization is the process of verifying that "you are permitted to do what you are
trying to do". Authentication precedes authorization.
Social Engineering and Phishing
Criminals have used deception for millennia in order to extract confidential
information from others. Deception can include face to face diversion tactics and
behavioral manipulation but in the computing age, it can also be carried out without
the need for in person interaction. Phishing attacks are extremely common and
are a source of significant data theft. In a phishing attack, the phisher will send an
email that appears to come from a legitimate source such as a bank, requesting the
recipient to log in to their account or to verify their account details. The email directs
the user to a fraudulent website where account details are captured and can be used
to commit fraud.
Fraudulent attacks are growing in sophistication, the number of systems requiring
password access keeps increasing, and users respond by standardizing their passwords
and then writing them down. How can organizations protect themselves against such a
broad range of issues that can result in attacks on their systems?
Introducing two-factor authentication
Password-based authentication relies on something the user knows. Security can be
strengthened by adding a second, independent factor: something the user has. This
simple concept is the basis of two-factor authentication.
•	 What you know – a password or Personal Identification Number (PIN)
•	 What you have – a device (hardware token, smart phone, smart card) that only the
user possesses
(A third category, what you are, covers biometrics such as a fingerprint; this paper
concentrates on the first two.)
With such a scheme, even if a user's password or PIN is compromised, the attacker
cannot gain access, since they do not possess the second factor. Conversely, if the
attacker obtains the device that provides the second factor, they do not know the
user's password or PIN. One caveat applies: this protects against a password that is
captured and reused later. A one-time code that a user types into a phishing page can
still be relayed by the attacker within its short validity window, so OTPs narrow the
attacker's window rather than eliminate real-time phishing.
ATM, or debit cards are the most common example of two-factor authentication. If the
card is ever lost or stolen, it still can’t be used without the PIN. Even if an unauthorized
user knows the PIN of the bank account, they will still not be able to withdraw money
since they don’t have the actual ATM card.
One is rendered useless without the other.
One Time Passwords
ATM cards provide two-factor authentication in the tightly controlled environment of
ATMs, where each machine is equipped with a special card reader. It is not feasible to
equip every laptop, desktop or tablet with a special device to read a card. That would
be cost-prohibitive, time-consuming and extremely impractical.
To provide two-factor authentication for computer services and sites, users instead
rely on a One Time Password that is generated on a device uniquely assigned to the
user. One Time Passwords (OTPs) provide security in a number of ways.
Always Changing
With a time-based token the OTP changes after a fixed interval, commonly every 30 or
60 seconds; with an event-based token (such as HOTP, discussed below) it changes every
time a code is generated. In either case the server accepts a given code at most once.
Even if an unauthorized user noted the OTP, they cannot use it, since it will have
expired or already been consumed by the time they try.
Tied to a device
OTPs are generated from a secret seed that is uniquely associated with a device and
shared only with the authentication server. Thus every user's OTP sequence is
different, and because the device is assigned to a named user, a correct OTP
demonstrates possession of that user's device. The seed store on the server is
therefore the most sensitive part of the scheme and must be protected accordingly
(see the RSA SecurID sidebar).
and a PC desktop client. By leveraging smart devices or text messaging, the OTP is
delivered 'on demand' to the user. And, of course, HOTPin easily integrates with
Active Directory (AD).
Security for IT and users
DirectAccess with HOTPin is actually a security tool masquerading as a user
convenience tool, a functional duality that, in other solutions, usually results in a
trade-off.
Form Factors for OTP delivery
One Time Passwords can be delivered to end-users via a variety of methods, each
with their own pros and cons.
Hardware Tokens
Hardware tokens, also commonly referred to as authentication tokens, are pocket-sized,
battery-operated devices dedicated to generating OTPs. This is the oldest method of
generating OTPs, and it has a real security advantage: the seed lives in a
single-purpose device with no network connection and no third-party software, so
malware on the user's phone or PC cannot extract it. However, hardware tokens come
with their own set of problems. For remote users, the devices need to be shipped to
their site, increasing costs. Battery life is approximately three years, after which
the devices have to be replaced, and larger organizations usually have to maintain
stock for devices that are lost or need replacing.
A subtle but important problem is that if a token is lost or stolen, the user might
not notice for a few days. That gives an attacker a window of opportunity, during
which the token remains valid unless it is reported and revoked.
Software Token
With the increasing popularity of smart phones, users expect not to carry a dedicated
device for generating OTPs. Fortunately, smart phones can be leveraged to generate
the OTP.
Software tokens, or soft tokens, vastly increase the convenience for end users. If the
smart phone is ever lost, the end user will most likely notice much quicker than they
would a lost hardware token. The trade-off is that the seed now lives on a
general-purpose device: malware on the phone, or an insecure backup of it, can copy
the seed, so soft-token apps should keep it in the platform's protected key storage
where one is available.
Some software token apps, such as those from Celestix, can be configured to require a
PIN before displaying the OTP, further enhancing security.
OTPs through text messages / emails
One Time Passwords can also be delivered through a text message. This method is
convenient for users who might not have smart phones but still do not want to carry a
dedicated device. Receiving the OTP through text messaging means it travels separately
from the channel the user is logging in over, i.e. Out of Band (OOB), which increases
security against an attacker who only controls that login channel. Note that SMS
itself is not a strong channel: messages can be redirected by SIM-swap fraud or
intercepted at the carrier, and NIST SP 800-63B now classes SMS delivery as a
restricted authenticator.
OTPs can also be sent via email, so users who have access to email on their phones can
opt to receive OTPs that way. Bear in mind that if the mailbox is itself protected only
by a password, an OTP sent to it is really a second 'what you know' factor rather than
proof of possession.
Contact
USA  +1 (510) 668-0700
UK  +44 (0) 1189 596198
Singapore  +65 6781 0700
India  +91 98 208 90884
Japan  +81 (0) 3-5210-2991
www.celestix.com 
info@celestix.com
©2012 Celestix Networks Inc. All rights reserved.
Version 1.0
OTP generating mechanisms
There are various proprietary mechanisms for generating One Time Passwords. The
Internet Engineering Task Force (IETF), an international body that develops and
promotes internet standards, has published an open algorithm known as HOTP
(HMAC-Based One-Time Password, RFC 4226) for generating One Time Passwords. HOTP
derives each code from an HMAC-SHA-1 of a shared secret and a counter that advances on
every use; its time-based variant TOTP (RFC 6238) replaces the counter with the current
time interval.
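The HOTP construction described above, worked through as an added example (this is not code from the paper or from Celestix): it implements RFC 4226 HOTP and its time-based variant TOTP (RFC 6238), checks the result against the RFC 4226 reference test vectors, and shows the server side that the paper's "username, PIN and OTP" login implies, including the look-ahead window an event-based counter needs and the one-use rule that the "Always Changing" section relies on. The user name, PIN and enrolment below are constructed sample data; the look-ahead window of 10 and the failure limit of 5 are illustrative choices, not values from the paper.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) plus a replay-resistant server-side
verifier. Added example, not code from the paper or from Celestix; the user,
PIN and enrolment below are constructed sample data."""
import hashlib
import hmac
import os
import struct

# Reference secret from RFC 4226 Appendix D (20 ASCII bytes).
RFC4226_SECRET = b"12345678901234567890"
MAX_FAILURES = 5  # illustrative throttle on guessing the 6-digit space (RFC 4226 s7.3)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA-1 over the 8-byte big-endian counter, then
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of `step`
    second intervals since the Unix epoch. A 60-second token is step=60."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of an event-based scheme. Each user has a seed shared only
    with their device, a moving counter and a PIN. A code is accepted only if
    it lies in a small look-ahead window at or beyond the stored counter (the
    device may have generated codes that were never submitted); on success the
    counter moves past the used value, so a captured code cannot be replayed."""

    def __init__(self, look_ahead: int = 10, digits: int = 6):
        self.look_ahead = look_ahead
        self.digits = digits
        self.users = {}  # username -> enrolment record (constructed, in-memory)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # The PIN is the 'what you know' factor; store it like any password.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def enroll(self, username: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"secret": secret, "counter": 0, "salt": salt,
                                "pin_hash": self._hash_pin(pin, salt), "failures": 0}

    def verify(self, username: str, pin: str, otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin_hash"])
        # Always scan the whole window so response time does not reveal which
        # factor failed or where in the window the match sat.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c, self.digits), otp) and matched is None:
                matched = c
        if pin_ok and matched is not None:
            rec["counter"] = matched + 1   # burn this code and any skipped ones
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    assert hotp(RFC4226_SECRET, 0) == "755224"  # RFC 4226 Appendix D vector
    v = HotpVerifier()
    v.enroll("alice", RFC4226_SECRET, "2468")    # constructed sample user
    code = hotp(RFC4226_SECRET, 0)
    print("first use :", v.verify("alice", "2468", code))   # True
    print("replay    :", v.verify("alice", "2468", code))   # False
```

The verifier deliberately advances the counter past the accepted value rather than to it: codes the device generated but the user never submitted are discarded, and the accepted code becomes unusable the instant it is redeemed, which is the property that defeats the replay attack described earlier. The PIN is checked with a salted PBKDF2 hash and a constant-time comparison, exactly as a static password should be, since it remains the knowledge factor of the pair.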
Proprietary vs. Standards-based OTPs
HOTP is not the only mechanism for generating One Time Passwords. Alternative
proprietary solutions exist for generating one time passwords. However, closed and
proprietary solutions have always presented enterprises with multiple challenges.
Vendor lock-in
Once an enterprise adopts a proprietary system, they often find themselves beholden to
the vendor of the solution. Migrating to another solution often becomes impossible. Since
there is no open interoperability, customers are locked-in to higher prices and typically,
older technologies.
Security through obscurity
Proprietary algorithms are generally not open to vetting by security analysts or
academic researchers, so design flaws can remain undetected until they are exploited.
Open standards such as HOTP have had their design publicly reviewed, which makes it
far more likely that weaknesses are found and fixed before an attacker finds them.
Open algorithms do not remove the need to protect the seeds and the server
implementation, but they do remove the risk that the algorithm itself is the weak link.
Integrating Two-factor authentication
Mature two-factor solutions, like Celestix HOTPin, provide an embedded RADIUS server.
This can be used to integrate Celestix HOTPin with any remote access gateway solution
(e.g. Juniper SA series).
For Microsoft UAG specifically, Celestix provides a custom agent that ensures users’
credentials are properly passed on to applications, providing true Single Sign-On.
After integration, users have to enter their username, PIN and OTP to authenticate. OTPs
are generated on smart phones, hardware tokens (like Celestix Touch) or received through
text messages.
About Celestix HOTPin
Celestix HOTPin enables organizations to provide market-leading levels of authentication
to remote users, while lowering the on-going cost of provisioning, management and
ownership.
Celestix HOTPin is a tokenless two-factor authentication solution that lets
organizations support a mobile workforce while protecting digital identities and
guarding against unauthorized access to corporate resources, a primary cause of data
loss.
Rather than issuing dedicated hardware, HOTPin lets the remote worker's smart device,
PC or tablet act as the token, generating an event-based one-time password (OTP).
RSA SecurID breach
RSA, a division of EMC, provides RSA SecurID as a two-factor authentication solution.
In March 2011, RSA announced that it had been the subject of an attack which allegedly
compromised the security of the One Time Password generation. Customers had to replace
their tokens and employ security monitoring services to ensure that their information
was not breached. Although the replacement tokens were complimentary, the exercise
required significant investment in time and posed tactical challenges for customers.

 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Securing corporate assets_with_2_fa

  • 1. W H I T E PA P E R Securing corporate assets with two factor authentication Published July 2012
Introduction

Organizations require users to enter their username and password in order to validate their identity. However, with the proliferation of applications, websites and services that require authentication, users are under increasing pressure to maintain their passwords, and it has become clear that the simple password scheme is no longer sufficient. In fact there are multiple high profile cases where passwords have failed both the users and the organizations that provide services, leading to identity theft and data loss. The impact of such breaches is more costly than ever, with financial penalties for breach of regulatory compliance and the impact of lost business and loss of confidence.

This white paper will explore how two-factor authentication can be considered as an alternative that provides secure authentication in order to resolve the risks of unauthorized access to corporate resources.

Why static passwords are insufficient - "My password is 1234, and I wrote it down"

Passwords have long been used as a way to authenticate users and provide them with services. They rely on the simple fact that only the user knows the password and no one else does. This was initially perceived as an effective solution, but with the proliferation of systems and resources that require password entry prior to access, the model breaks down in a number of ways.

Written down passwords

Human memory is known to fail. If a user forgets their password, they typically have to call the IT helpdesk or reset the password before access is granted again. Since this disrupts the user's workflow, many users write down passwords and often leave them next to their place of work, in their laptop bag, or on the laptop itself! This is a clear security risk, as anyone with physical access to the office cube or laptop has complete and unauthorized access.
A recent survey carried out amongst IT professionals confirmed that 29% of respondents knew a colleague's password details. The risk presented by written down passwords is even greater when considered in the context of the volume of connected devices that are lost every day. Surveys suggest that as many as 15,000 laptops are misplaced at airports in Europe and the USA every week. If any of these has an accompanying post-it note with the password attached, then no amount of security can protect the organization from loss.

Sharing of passwords with websites

Since users have to remember so many passwords, they tend to create a standard password and re-use it in multiple places. This means that if the password is compromised in one place, the hacker has access to multiple sites and services.

Replay attacks

Even if the user is extremely careful with their passwords, static passwords are vulnerable to replay attacks. After the user enters the password on a site or application, it has to be sent to an authentication server for validation. An intruder who can intercept this session or transmission can replay it later to gain unauthorized access, because the same static credential is accepted every time it is presented.

Contents

Introduction
Why static passwords are insufficient
Introducing two-factor authentication
Form Factors for OTP delivery
OTP generating mechanisms
Integrating Two-factor authentication
About Celestix HOTPin
Contact information

Authentication vs. Authorization

Authentication and authorization are often, and mistakenly, used interchangeably. Authentication is the process of verifying that "you are who you say you are", while authorization is the process of verifying that "you are permitted to do what you are trying to do". Authentication precedes authorization.
Social Engineering and Phishing

Criminals have used deception for millennia in order to extract confidential information from others. Deception can include face to face diversion tactics and behavioral manipulation, but in the computing age it can also be carried out without the need for in-person interaction.

Phishing attacks are extremely common and are a source of significant data theft. In a phishing attack, the phisher sends an email that appears to come from a legitimate source such as a bank, requesting the recipient to log in to their account or to verify their account details. The email directs the user to a fraudulent website where the account details are captured and can then be used to commit fraud.

With the evolving complexity and intelligence of fraudulent attacks, the increase in the number of systems requiring password access, and the fact that users will address this by standardizing their passwords and then writing them down, how can organizations protect themselves against such a broad range of issues that can result in attacks on their systems?

Introducing two-factor authentication

Authentication based on passwords is based on what a user knows. It is reasonable to augment security by enhancing it with what a user has. This simple concept is the basis of two-factor authentication.

• What you know – a password or Personal Identification Number (PIN)
• What you have – a device, such as a token or phone, that only the user possesses

A unique physical characteristic such as a fingerprint is a distinct third factor, "what you are", and is not the second factor discussed in this paper.

With such a scheme, even if a user's password or PIN is compromised, the attacker will not be able to gain access to the site or service, since they don't possess the second factor required in order to gain access. Conversely, if the attacker gains access to the device that provides the second factor, they won't know the user's password or PIN.

ATM or debit cards are the most common example of two-factor authentication.
If the card is ever lost or stolen, it still can't be used without the PIN. Even if an unauthorized user knows the PIN of the bank account, they will still not be able to withdraw money, since they don't have the actual ATM card. One is rendered useless without the other.

One Time Passwords

ATM cards provide two-factor authentication in the tightly controlled environment of ATMs, where each machine is equipped with a special card reader. It is not feasible to equip every laptop, desktop or tablet with a special device to read a card: that would be cost-prohibitive, time-consuming and extremely impractical. To provide two-factor authentication for computer services and sites, users instead rely on a One Time Password (OTP) that is generated on a device uniquely assigned to that user. One Time Passwords provide security in a number of ways.

Always Changing

A time-based OTP changes after a fixed interval, commonly every 30 or 60 seconds; an event-based OTP, such as one produced by HOTP, changes every time a new code is generated. Either way, even if an unauthorized user noted an OTP, they won't be able to use it, since it will have changed for the next session.
Tied to a device

OTPs are generated using a seed that is uniquely associated with a device. Thus, every user's OTP will be different. Since the device is assigned to a user, the OTP uniquely authenticates that user. This also means the seed is the secret that has to be protected: anyone who obtains the seeds, whether from the device or from the authentication server, can generate the same OTPs (see the RSA SecurID breach sidebar).

and a PC desktop client. By leveraging smart devices or text messaging, the OTP is delivered 'on demand' to the user. And, of course, HOTPin easily integrates with AD.

Security for IT and users

DirectAccess with HOTPin is actually a security tool masquerading as a user convenience tool, a functional duality that, in other solutions, usually results in a trade-off.

Form Factors for OTP delivery

One Time Passwords can be delivered to end-users via a variety of methods, each with their own pros and cons.

Hardware Tokens

Hardware tokens, also commonly referred to as authentication tokens, are pocket sized, battery operated devices dedicated to generating OTPs. This is the oldest method of generating OTPs. However, they come with their own set of problems. For remote users, the devices need to be shipped to their site, increasing costs. The battery life of these devices is approximately three years; after that, the devices have to be replaced. Larger organizations usually have to maintain stock for devices that need to be replaced or are lost. A subtle but important problem is that if one of these devices is lost or stolen, the user might not notice for a few days. That gives an attacker a window of opportunity.

Software Token

With the increasing popularity of smart phones, users expect not to have to carry a dedicated device for generating OTPs. Fortunately, smart phones can be leveraged to generate the OTP. Software tokens, or soft tokens, vastly increase the convenience for end users. If the smart phone is ever lost, the end user will most likely notice much more quickly than with a hardware token.
Some software token apps, such as those from Celestix, can be configured to require a PIN before displaying the OTP, further enhancing security.

OTPs through text messages / emails

One Time Passwords can also be delivered through a text message. This method is convenient for users who might not have smart phones but still don't want to carry a dedicated device. Receiving the OTP through text messaging means it is completely separated from the regular authentication channel, i.e. it is Out of Band (OOB), increasing security. OTPs can also be sent via email, so users who have access to email on their phones can opt to receive OTPs that way.
Contact

USA +1 (510) 668-0700
UK +44 (0) 1189 596198
Singapore +65 6781 0700
India +91 98 208 90884
Japan +81 (0) 3-5210-2991
www.celestix.com  info@celestix.com
©2012 Celestix Networks Inc. All rights reserved. Version 1.0

OTP generating mechanisms

There are various proprietary mechanisms for generating One Time Passwords. The Internet Engineering Task Force (IETF), an international body that develops and promotes internet standards, has adopted an algorithm known as HOTP (HMAC-based One-Time Password, published as RFC 4226) for generating One Time Passwords.

Proprietary vs. Standards-based OTPs

HOTP is not the only mechanism for generating One Time Passwords; alternative proprietary solutions exist. However, closed and proprietary solutions have always presented enterprises with multiple challenges.

Vendor lock-in

Once an enterprise adopts a proprietary system, it often finds itself beholden to the vendor of the solution. Migrating to another solution often becomes impossible. Since there is no open interoperability, customers are locked in to higher prices and, typically, older technologies.

Security through obscurity

Proprietary algorithms are generally not vetted by independent security analysts or academic researchers. Relying on an open standard means the algorithm has been publicly reviewed and its security does not depend on keeping the algorithm itself secret.

Integrating Two-factor authentication

Mature two-factor solutions, like Celestix HOTPin, provide an embedded RADIUS server. This can be used to integrate Celestix HOTPin with any remote access gateway solution (e.g. the Juniper SA series). For Microsoft UAG specifically, Celestix provides a custom agent that ensures users' credentials are properly passed on to applications, providing true Single Sign-On. After integration, users have to enter their username, PIN and OTP to authenticate.
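The properties claimed for OTPs earlier in the paper (always changing, tied to a device through its seed, useless to an attacker who replays an intercepted value) and the IETF HOTP algorithm named in the previous section are easiest to see in code. The following is an added worked example written for this page; it is not code from the paper or from Celestix HOTPin. It implements HOTP as RFC 4226 specifies it (HMAC-SHA-1 over an 8-byte counter, dynamic truncation, decimal digits), derives the time-based variant of RFC 6238 from it, and adds a small server-side validator that shows how the stored counter defeats replay and how a look-ahead window resynchronises a token that was pressed without the server seeing it. The HotpValidator class, the window size of 5 and the 6-digit length are illustrative choices; the shared secret is the RFC 4226 test-vector key, so the codes it prints match the RFC's published values.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus a server-side validator.

Added example; not Celestix HOTPin code. TEST_SECRET is the shared secret from
the RFC 4226 / RFC 6238 test vectors, so the values below are reproducible.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D secret: ASCII "12345678901234567890" (20 bytes).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Event-based OTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter replaced by floor(unix_time / step)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


class HotpValidator:
    """Per-user server state for an event-based token (illustrative class).

    `counter` is the next value the server expects. A code is accepted only if
    it matches some counter in [counter, counter + window]; the stored counter
    then moves past it, so the same code can never be accepted twice. The
    look-ahead window absorbs token presses that never reached the server
    (the resynchronisation problem described in RFC 4226 section 7.4).
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0
        self.failures = 0    # feed this into throttling / lockout (RFC 4226 7.3)

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.counter = c + 1                  # consume this and earlier counters
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo_replay() -> dict:
    """Fresh code accepted, replay of the same code rejected, resync within the window."""
    v = HotpValidator(TEST_SECRET, window=5)
    first = hotp(TEST_SECRET, 0)
    accepted = v.verify(first)
    replayed = v.verify(first)                  # intercepted and replayed: must fail
    skipped = v.verify(hotp(TEST_SECRET, 3))    # user pressed the token 3 times unseen
    return {"accepted": accepted, "replayed": replayed, "skipped": skipped, "next": v.counter}


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(TEST_SECRET, c)}")
    print("TOTP at t=59:", totp(TEST_SECRET, at=59))
    print(demo_replay())
```

Running it prints the first three RFC 4226 codes (755224, 287082, 359152), the RFC 6238 code for t=59 (287082, the same as HOTP counter 1, because 59 // 30 == 1), and a replay demo in which the second presentation of 755224 is refused while the code for counter 3 is still accepted and moves the stored counter to 4. Two caveats for a deployment: the validator stops a code from being accepted twice, but a code relayed in real time by a phishing site is still valid until the token is pressed again (or, for TOTP, until the time step expires), so the OTP must still travel over a protected channel such as TLS or RADIUS with a strong shared secret; and the `failures` count exists so the server can throttle or lock the account, since a 6-digit code with a look-ahead window of 5 gives an online guesser about six chances in a million per attempt.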
In a HOTPin deployment, OTPs are generated on smart phones or hardware tokens (like Celestix Touch), or are received through text messages.

About Celestix HOTPin

Celestix HOTPin enables organizations to provide market-leading levels of authentication to remote users, while lowering the on-going cost of provisioning, management and ownership. Celestix HOTPin is a tokenless two-factor authentication solution that enables organizations to empower their mobile workforce while ensuring industry-leading protection of digital identities and protecting against unsolicited access to corporate resources, a primary reason for the loss of data. Celestix HOTPin not only enables organizations to mobilize their workforce but also allows them to leverage the remote worker's smart device, PC or tablet as a token capable of generating an event-based one-time password (OTP).

RSA SecurID breach

RSA, a division of EMC, provides RSA SecurID as a two-factor authentication solution. In March 2011, RSA announced that it had been subject to an attack which allegedly compromised the security of its One Time Password generation. Customers had to replace their tokens and employ security monitoring services to ensure that their information was not breached. Although these were offered free of charge, they required significant investment in time and posed tactical challenges for customers.