Two-factor authentication provides a more secure method of authentication than simple passwords alone. It adds a second factor of authentication, such as a one-time password (OTP) generated on a user's device, in addition to a username and password. The white paper explores how OTPs delivered via software or text message can provide two-factor authentication without hardware tokens. It also discusses standards-based OTP generation algorithms and integrating two-factor authentication with remote access systems.

1. W H I T E PA P E R
Securing corporate assets with
two factor authentication
Published July 2012

2. Securing corporate assets with two factor authentication
Introduction
Organizations require users to enter their username and passwords in order to
validate their identity. However, with the proliferation of applications, websites and
services that require authentication, users are under increasing pressure to maintain
their passwords and it has become clear that the simple password scheme is no
longer sufficient. In fact there are multiple, high profile cases where passwords have
failed both the users and the organizations that provide services, leading to identity
theft and data loss. The impact of such breaches is more costly than ever with
financial penalties associated to breach of regulatory compliance and the impact of
lost business and loss of confidence.
This white paper will explore how two-factor authentication can be considered
as an alternative to provide secure authentication in order to resolve the risks of
unauthorized access to corporate resources.
Why static passwords are insufficient - “My password is 1234,
and I wrote it down” –
Passwords have long been used as a way to authenticate users and provide them
services. They rely on the simple fact that only the users know the password and
no one else does. This was initially perceived as an effective solution but with the
proliferation of systems and resources that require password entry prior to access,
the model breaks down in a number of ways.
Written down passwords
Human memory is known to fail. If a user forgets their password, they typically have
to call the IT helpdesk, or reset the password before access is granted again. Since
this disrupts a users’ workflow, many users write down passwords, and often leave it
next to their place of work, in their laptop bag, or on their laptop!
This is a clear security risk as anyone with physical access to the office cube
or laptop has complete and unauthorized, access. A recent survey carried out
amongst IT professionals confirmed that 29% of respondents knew a colleague’s
password details.
The risk presented by written down passwords is even greater when considered in
context of the volume of connected devices that are lost every day. Surveys suggest
that as many as 15,000 laptops are misplaced at airports in Europe and the USA
every week. If any of these have an accompanying post-it note with a password
attached then no amount of security can protect the organization from loss.
Sharing of passwords with websites
Since users have to remember so many passwords, they tend to create a standard
password and re-use it in multiple places. This means that if the password is
compromised in one place the hacker has access to multiple sites and services.
Replay attacks
Even if the user is extremely careful with their passwords, static passwords
are vulnerable to Replay Attacks. After the user enters the password on a site
or application, it has to be sent to an authentication server for validation. An
intruder can intercept this session or transmission and replay it later on to
gain unauthorized access
Contents
Introduction
Why static passwords
are insufficient
Introducing two-factor
authentication
Form Factors for OTP delivery
Contact information
OTP generating mechanisms
Integrating Two-factor
authentication
About Celestix HOTPin
Authentication vs.
Authorization
Authentication and
authorization are often,
and mistakenly, used
interchangeably.
Authentication is the
process of verifying that
“you are who you say are”,
while authorization is the
process of verifying that
“you are permitted to do
what you are trying to do”.
Authentication precedes
authorization.

3. Securing corporate assets with two factor authentication
Social Engineering and Phishing
Criminals have used deception for millennia in order to extract confidential
information from others. Deception can include face to face diversion tactics and
behavioral manipulation but in the computing age, it can also be carried out without
the need for in person interaction. Phishing attacks are extremely common and
are a source of significant data theft. In a phishing attack, the phisher will send an
email that appears to come from a legitimate source such as a bank, requesting the
recipient to log in to their account or to verify their account details. The email directs
the user to a fraudulent website where account details are captured and can be used
to commit fraud.
With the evolving complexity and intelligence of fraudulent attacks, the increase
in the number of systems requiring password access, and the fact that users will
address this by standardizing their passwords and will then write them down, how
can organizations protect themselves against such a broad range of issues that can
result in attacks on their systems?
Introducing two-factor authentication
Authentication based on passwords is based on what a user knows. It is reasonable
to augment security by enhancing it with what a user has. This simple concept is the
basis of two-factor authentication.
• What you know – a password or Personal Identification Number (PIN)
• What you have – a unique physical characteristic, or device, that only the user has
access to
With such a scheme, even if a users’ password or PIN is compromised, the attacker
will not be able to gain access to the site or service since they don’t possess the
second factor required in order to gain access. Conversely, if the attacker gains access
to the device that provides the second factor authentication, they won’t know the
users’ password or PIN.
ATM, or debit cards are the most common example of two-factor authentication. If the
card is ever lost or stolen, it still can’t be used without the PIN. Even if an unauthorized
user knows the PIN of the bank account, they will still not be able to withdraw money
since they don’t have the actual ATM card.
One is rendered useless without the other.
One Time Passwords
ATM cards provide two-factor authentication in the tightly controlled environment of
ATM machines, where each machine is equipped with a special card reader. It is not
feasible to equip every laptop, desktop or tablet with a special device to read a card.
That would be cost-prohibitive, time-consuming and extremely impractical.
To provide two-factor authentication for computer services and sites, users rely on a
One Time Password that is generated on a device that is uniquely assigned to a user.
One Time Passwords (OTP) provides security in a number of ways.
Always Changing
The OTP changes after a fixed interval of time, commonly every 60 seconds. Even if
an unauthorized user noted the OTP, they won’t be able to use it since it would have
changed for the next session.

4. Securing corporate assets with two factor authentication
Tied to a device
OTPs are generated using a seed that is uniquely associated with a device. Thus,
every user’s OTP will be different. Since the device is assigned to a user, the OTP
uniquely authenticates a user.
and a PC desktop client. By leveraging smart devices or text messaging, the OTP is
delivered ‘on demand’ to the user. And, of course, HOTPin easily integrates with AD.
Security for IT and users
DirectAccess with HOTPin is actually a security tool masquerading as a user
convenience tool, a functional duality that, in other solutions, usually results in a
trade-off.
Form Factors for OTP delivery
One Time Passwords can be delivered to end-users via a variety of methods, each
with their own pros and cons.
Hardware Tokens
Hardware tokens, also commonly referred to as authentication tokens, are pocket
sized, battery operated devices which are dedicated to generate OTPs. This is
the oldest method of generating OTPs. However, they come with their own set of
problems. For remote users, the devices need to be shipped to their site, increasing
costs. The battery life of these devices is approximately three years. After that, the
devices have to be replaced. Larger organizations usually have to maintain stock for
devices that need to be replaced or are lost.
A subtle, but important problem is that if these devices are lost or stolen, the user
might not notice for a few days. That gives an attacker a window of opportunity.
Software Token
With the increasing popularity of smart phones, users expect not to carry a
dedicated device for generating OTPs. Fortunately, smart phones can be leveraged
to generate the OTP.
Software tokens, or soft tokens, vastly increase the convenience for end users. If the
smart phone is ever lost, the end user will most likely notice that much quicker than
hardware token.
Some software token apps, such as those from Celestix, can be configured to
require a PIN before displaying the OTP – further enhancing security.
OTPs through text messages / emails
One Time Passwords can also be delivered through a text message. This method
is convenient for users who might not have smart phones, but still don’t want to
carry a dedicated device. Receiving the OTP through text messaging means it is
completely separated from regular authentication channels, or Out of Band (OOB),
increasing security.
OTPs can also be sent via emails. So if users have access to emails on their phones,
they can opt to receive OTPs via email.

5. Securing corporate assets with two factor authentication
Contact
USA +1 (510) 668-0700
UK +44 (0) 1189 596198
Singapore +65 6781 0700
India +91 98 208 90884
Japan +81 (0) 3-5210-2991
www.celestix.com
info@celestix.com
©2012 Celestix Networks Inc. All rights reserved.
Version 1.0
OTP generating mechanisms
There are various proprietary mechanisms for generating One Time Passwords.
The Internet Engineering Task Force (IETF), an international body that develops
and promotes internet standards, has adopted an algorithm known as HOTP for
generating One Time Passwords.
Proprietary vs. Standards-based OTPs
HOTP is not the only mechanism for generating One Time Passwords. Alternative
proprietary solutions exist for generating one time passwords. However, closed and
proprietary solutions have always presented enterprises with multiple challenges.
Vendor lock-in
Once an enterprise adopts a proprietary system, they often find themselves beholden to
the vendor of the solution. Migrating to another solution often becomes impossible. Since
there is no open interoperability, customers are locked-in to higher prices and typically,
older technologies.
Security through obscurity
Proprietary algorithms, by definition, are not vetted by security analysts or academic
researchers. Relying on open standards ensures that security is not compromised by
vulnerabilities in proprietary software or algorithms.
Integrating Two-factor authentication
Mature two-factor solutions, like Celestix HOTPin, provide an embedded RADIUS server.
This can be used to integrate Celestix HOTPin with any remote access gateway solution
(e.g. Juniper SA series).
For Microsoft UAG specifically, Celestix provides a custom agent that ensures users’
credentials are properly passed on to applications, providing true Single Sign-On.
After integration, users have to enter their username, PIN and OTP to authenticate. OTPs
are generated on smart phones, hardware tokens (like Celestix Touch) or received through
text messages.
About Celestix HOTPin
Celestix HOTPin enables organizations to provide market-leading levels of authentication
to remote users, while lowering the on-going cost of provisioning, management and
ownership.
Celestix HOTPin is a tokenless two-factor authentication solution that enables
organizations to empower their mobile workforce while ensuring industry leading
protection of digital identities and protecting against unsolicited access to corporate
resources, a primary reason for the loss of data.
Celestix HOTPin enables organizations not only to mobilize their workforce but allows
them also to leverage the remote workers smart device, PC or tablet to act as a token
capable of generating an event based one-time password (OTP).
RSA SecurID breach
RSA, a division of EMC,
provides RSA SecurID, as
a two-factor authentication
solution.
In March 2011, RSA
announced that they were
subject to an attack which
allegedly compromised the
security of the One Time
Password generation.
Customers had to replace
the tokens and employ
security monitoring
services to ensure that
their information was
not breached. While
complementary, these
required significant
investment in time and
posed tactical challenges
for customers.