
TriCipher Armored Credential System™ (TACS) Strong Authentication for SalesForce.com

Integration Benefits

TriCipher enhances SalesForce.com by seamlessly adding multi-factor functionality to the Username / Password method currently used today. Organizations will continue to derive the benefits from SalesForce.com and will now have the additional capability to transition their organizations from weaker password protection to something much stronger.

Benefits

  • Strong authentication for SalesForce.com that prevents identity theft and fraud
  • Prevents man-in-the-middle (MITM) and complex phishing attacks
  • Seamless integration with a transition path from weak password systems to strong authentication
  • Choose from an array of strong multi factor authentication methods from the TriCipher Authentication Ladder.
  • Compliance with stringent audit and regulations such as FFIEC, HIPAA, GLB, etc.

Multi Factor Authentication

Multi factor authentication by definition is the use of a combination of more than one factor for the purpose of user authentication. A “factor” can be something you know (such as a password or PIN), something you have (such as an authentication token), or something you are (biometrics, such as a retina scan, or fingerprint). Consumers are used to a multi factor authentication model with ATM cards - the PIN being something you know, the ATM card is what you physically have.

Employing Multi Factor authentication for use online, however, is much more challenging because it typically requires the user to carry or present something physical.

Historically, traditional Multi-Factor authentication methods have been too hard to deploy and manage for large consumer bases, due not only to the high costs associated with initial purchase, but also the overhead of initial deployment, lost/replacement, management and customer support. Add to this the fact that many users are not yet ready or prepared to deal with hardware tokens, scratch cards, client software downloads and extra authentication steps, even if it protects their bank account and identity information.

TACS Solution

The TriCipher Armored Credential System™ (TACS) provides a comprehensive infrastructure that can be used to address many of these risks. Its unique Multi-part credential and Flexible Factor technologies enable a single infrastructure to issue credentials of different strengths. This allows the enterprise to tailor the type of credential to the specific level of risk without having to deploy multiple costly infrastructures.

The system architecture is designed to allow TACS to be easily deployed for external Software as a Service (SaaS) applications like SalesForce.com and also to protect internal web applications. Servicing some of the highest volume financial services applications for demanding customers, TACS provides high reliability, availability and scalability.

TACS provides a variety of Multi Factor authentication options (see TriCipher Authentication Ladder below), allowing you to balance security, cost and ease of use based on the results of your risk assessment.

Browser 2 Factor (B2F) strong authentication

The Browser 2 Factor rung of the TriCipher Authentication Ladder offers a zero download strong authentication solution. In B2F, the 2nd factor in the form of an encrypted cookie or a browser certificate is transparently given to the users’ browser. Also, as a part of the activation process, the user selects an image or a secret text phrase they will recognize when they come back to the web site. TriCipher is unique in this clientless offering by going up the ladder with the B2F Certificate option (as cookies are susceptible to certain attacks and can be deleted or copied).

In addition B2F has advantages as:

  • Requires no change in user behavior. The user is completely unaware of the change and migration to his type of credential from a password-only system is transparent (even their password remains the same).
  • No client software. Browser 2 factor requires no client side software.
  • Phishing protection. Browser 2 factor protects against phishing attacks whose aim is credential theft.
  • Authenticate your web site. Showing a welcome message reassures the user that they have reached your site, not a phisher's replica.

Device 2 Factor (B2F) strong authentication

Perhaps the easiest to use, deploy and manage is using the login device as second factor. With this type of credential, the second factor is stored securely on the PC. The user has nothing new to carry, but does need a small piece of client side software, the TACS ID Tool. The device 2nd factor provides strong protection against all types of phishing including man-in-the-middle. The client software also provides the additional benefit of performing an optional security presence check before authentication. Device 2 factor is often used for high net worth consumers, business banking customers, active traders, administrators at individual branches (or at client companies) and channels such as mortgage brokers.

Portable 2 Factor

Portable 2 factor takes advantage of the security of multi-part credentials to use commodity storage products or consumer electronics as a 2nd factor for authentication. Users can choose something they carry already such as an MP3 player or USB memory stick, or the financial institution can issue something branded. The 2nd factor in this case is protected by rolling key technology to defeat would-be thieves. Portable 2 Factor provides strong protection against all types of phishing including man-in-the-middle. The TACS ID Tool is required for this type of credential and provides the additional benefit of performing an optional security presence check before authentication.

Armored Token 2 Factor

Armored Token 2 factor protects one time password tokens from man-in-the-middle attacks. This type of credential also requires the TACS ID Tool and provides the option of a security presence check. Armored Token 2 factor is often used to protect existing one time password deployments.

Additional credential types

TACS provides for other credential types, including smart cards and using three or more authentication factors.

TriCipher Authentication Gateway (TAG) strong authentication

The TAG is an integral part of the TriCipher Armored Credential System (TACS). The TriCipher Authentication Gateway (TAG) acts as a services layer for web applications. The TAG reduces the time to deploy strong authentication, increases authentication performance, and ensures the security of the login process by providing a single standardized strong authentication service for use by every application within an organization. The TAG, based on patent pending technology, manages the authentication for every level of the TriCipher Authentication Ladder including passwords, browser cookies/certifications, PCs, portable devices, tokens, smart cards and biometrics to provide a unified authentication infrastructure. When users log into any web application, they are handed off to the TAG to manage the entire authentication process and verify the credentials of each user with the ID Vault. Once authenticated through the ID Vault, the TAG delivers a SAML token to the SaaS solution like SalesForce.com which either validates the SAML assertion or passes it via a back trusted channel to the TAG for re-validation and then provides the user the appropriate level of access.

How does the integration work?

The TACS solution consists of the TAG and the ID Vault. The solution can either be hosted internal to the organization or as a hosted service.

Users are initially given a strong credential before the single sign-on feature for SalesForce.com is turned on. This involves batch loading the users into the TriCipher system and generating a one-time-use activation code that can be sent to the users via email, SMS or even a phone call.

Based on the type of licensed SalesForce.com Edition you may need to request SalesForce.com to turn on single sign-on (SSO) AFTER your users have registered for strong authentication. The Enterprise and Unlimited Editions are more flexible and allow you to turn on single sign-on on a per user basis by creating a new profile for SSO. You can turn on SSO before the users register and enable SSO individually for each user by clicking on a checkbox in SalesForce.com.

Users go through a registration period where they login to the TAG and are given their second factor for strong authentication. On the cut-over day, single sign-on is turned on for the users and they are provided the HTTP link to login to SalesForce.com – this can be on an internal customer portal where users click on a URL to login to SalesForce.com securely.

The process flow for the user to login to salesforce.com is as below:

1) User clicks on the URL for Strong Authentication to SalesForce.com. User lands on TAG and inputs their username.

2) User then strongly authenticates to TAG. TAG validates the users’ strong authentication credentials with the ID Vault.

3) Once the TAG authenticates the users’ strong credential, it submits the user id and a SAML token (as password) to SalesForce.com.

4) SalesForce.com then validates the user id and then sends a SOAP/XML message with user id and SAML token (the one we passed them in step 3) to a web service on the TAG.

5) TAG then validates the SAML token and if valid it returns a SOAP/XML message confirming the user authentication to SalesForce.com.

6) SalesForce.com then allows the user to access (single sign-on) to their SalesForce.com application.

Users are now required to login to SalesForce.com using TriCipher strong authentication. Users that try to go directly to SalesForce.com will not succeed as they are required to login securely via TriCipher.

Summary

The TriCipher solution gives organizations powerful, seamless and flexible strong authentication capabilities to secure access to SalesForce.com. Customers can further leverage this central authentication infrastructure to secure access to internal and external web applications.

Contact

TriCipher Headquarters:
750 University Avenue, Suite 260
Los Gatos, CA 95032
Phone: +1.650.372.1300
Fax: +1.650.376.8301

TriCipher US sales:
Email: sales@tricipher.com
Phone: +1.650.376.8326
Fax: +1.650.376.8301

TriCipher EMEA sales:
Email: emea@tricipher.com
Phone: +44 (0) 1223 451 075
Fax: +44 (0)1223 451 1
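
Steps 3 to 6 of the login flow described above, modelled as an added example; this is not TriCipher or SalesForce.com code. The `Gateway` and `Service` classes, the opaque random token standing in for the SAML token, the 60-second lifetime and the single-use rule are assumptions, since the page does not describe the token's format or lifetime.

```python
import hmac
import secrets
import time

TOKEN_TTL = 60  # seconds; assumed lifetime, the page does not state one


class Gateway:
    """Stand-in for the TAG: issues a token (step 3), validates it (step 5)."""
    def __init__(self, clock=time.time):
        self._pending = {}  # token -> (user_id, expiry)
        self._clock = clock

    def issue_token(self, user_id):
        # Called only after the user's strong credential was verified (step 2).
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user_id, self._clock() + TOKEN_TTL)
        return token

    def validate(self, user_id, token):
        # Single use: the entry is removed whether or not the check succeeds.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        bound_user, expiry = entry
        same_user = hmac.compare_digest(bound_user.encode(), user_id.encode())
        return same_user and self._clock() <= expiry


class Service:
    """Stand-in for the SaaS side with single sign-on enabled for some users."""
    def __init__(self, gateway, sso_users):
        self._gateway = gateway
        self._sso_users = set(sso_users)

    def login(self, user_id, password_field):
        if user_id not in self._sso_users:  # step 4: user id check
            return False
        # Steps 4-5: the password field is never checked locally; it goes to
        # the gateway, so a password typed directly at the service fails.
        return self._gateway.validate(user_id, password_field)


if __name__ == "__main__":
    tag = Gateway()
    sfdc = Service(tag, ["alice@example.com"])  # constructed sample user
    token = tag.issue_token("alice@example.com")
    print("first login:", sfdc.login("alice@example.com", token))
    print("replayed token:", sfdc.login("alice@example.com", token))
    print("direct password:", sfdc.login("alice@example.com", "hunter2"))
```

The three printed cases are a normal login, a replay of the same token, and a user bypassing the gateway with an ordinary password.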