This document discusses options for implementing two-factor authentication for access to sensitive PeopleSoft data and transactions. It describes how GreyHeller can facilitate redirecting users to a third-party authentication solution or provide its own interface for generating and validating authentication tokens. It also explains how GreyHeller allows inheriting existing two-factor desktop authentication rules for mobile access and provides the ability to dynamically challenge users and generate one-time passwords for additional authentication from untrusted locations without requiring customizations to PeopleSoft transactions.

1. Page 1 GreyHeller, Proprietary and Confidential
ERP Firewall: 2 Factor Authentication
2-factor Authentication
Purpose
This document addressesthe different options for providing 2-factor authentication
to PeopleSoft transactions.
Overview
Security is an important concern about providing access to sensitive PeopleSoft
data and transactions. One common way to protect systems when the user may be
connecting from untrusted locations is to implement a 2-factor authentication
solution.
Because organizations may have already standardized on a 2-factor solution but
not yet applied it to PeopleSoft, GreyHeller facilitates this process in the following
ways:
In the event that a 3rd
party authentication solution is used for other
systems, we facilitate the redirection to validate the 2nd
authentication
token provided to the user.
We also provide our own user interface for generating tokens, notifying
users of those tokens, and validating those tokens.
In mobile, we automatically handle any 2-factor authentication rules that
may have already been implemented for desktop access.
This gives our customers the flexibility to easily implement the solution that meets
their needs.
Inheriting 2-factor authentication from desktop access
PeopleSoft provides a mechanism for enhancing the signon process to incorporate
additional authentication schemes. This includes the following:

2. Page 2 GreyHeller, Proprietary and Confidential
Customizing the delivered signon screen to prompt for the additional
authentication token and utilizing that screen on public-facing web servers
Writing sign-on PeopleCode to validate the additional token as part of the
authentication process
There are a number of organizations that have utilized this technique for providing
access to PeopleSoft on desktop browsers. Because our mobile product utilizes the
same authentication process, these modifications would automatically utilized
without any additional coding.
Redirecting to a 3rd-party page to prompt for the 2nd factor
Another option is to dynamically redirect the user to a 3rd
party page for accepting
and validating the additional authentication token. Customers choose this option,
when they’ve already standardized on an enterprise solution for creating and
validating these tokens.
One additional benefit of this approach is that the additional challenge can occur
outside of the initial authentication process. This allows organizations the flexibility
to selectively enforce additional challenges based on the sensitivity of that content.
For example, accessing an employee’s historical expense reports may not require
an additional challenge, but updating his/her personal information may.
Utilizing GreyHeller to both challenge and manage
authentication tokens
Finally, GreyHeller provides the ability to generate, notify, and challenge for
additional authentication tokens when an enterprise solution has not been chosen
or implemented. This allows organizations to do the following:
Dynamically challenge users and generate automatically expiring tokens
that must be used prior to accessing restricted content from untrusted
locations.
Allow generation of 1-time passwords that can be used only once to grant
access to restricted content from untrusted locations.
Automatically Generated Tokens
When using automatically generated tokens, the user is automatically transferred
to a page that generates the PIN and stores it along with the IP address, user id,
and expiration time of that token. By default, the user is notified of the PIN by
email using the default email address stored in their PeopleSoft user profile. Upon
successful use, the PIN number is valid for the standard duration set in the system
for 2-factor PINs.

3. Page 3 GreyHeller, Proprietary and Confidential
1-time Passwords
Another way of handling 2-factor authentication is to pre-generate a 1-time
password prior to use. This password can be generated either by an administrator
or by the user and is only valid for a single PeopleSoft session.
No Customization Required
ERP Firewall 2-factor authentication is a layer that sits on top of your existing
PeopleSoft application, allowing you to enforce the additional challenge without
requiring you to modify the transactions you’re securing. In order to enforce the
challenge, all that’s required is to identify the parts of the system that requires the
authentication (or alternatively, the parts that don’t require authentication), and
the system enforces the challenge automatically.