Frank Schmaering, PreSales Consultant Advanced Authentication for everyone

Advanced Authentication for everyone · 1 - 123456 2 - password 3 - 12345678 4 - qwerty 5 - 12345 6 - 123456789 7 - letmein 8 - 1234567 9 - football 10 - iloveyou 11 - admin 12 -


Frank Schmaering, PreSales Consultant

Advanced Authentication for everyone


It is the foundation of every legitimate digital transaction!

Authentication = proof of the identity of a user logging on to some network

(Source: Wiktionary.org)


Agenda

why authentication is a driver

Talking about the product

Demo


why authentication is a driver


Do you think this is an old list ???

Source: http://www.computerworld.com/article/3024404/security/worst-most-common-passwords-for-the-last-5-years.html


The 25 Worst Passwords of 2017

1 - 123456
2 - password
3 - 12345678
4 - qwerty
5 - 12345
6 - 123456789
7 - letmein
8 - 1234567
9 - football
10 - iloveyou
11 - admin
12 - welcome
13 - monkey
14 - login
15 - abc123
16 - starwars
17 - 123123
18 - dragon
19 - passw0rd
20 - master
21 - hello
22 - freedom
23 - whatever
24 - qazwsx
25 - trustno1

Source: https://www.entrepreneur.com/article/306499


Passwords in the news


General challenges and main compliance requirements

#1 Compliance: NIST, GDPR, PSD2, MaRisk, KRITIS, PCI DSS, Audits (e.g. Volkswagen)

#2 Security: Hacks (PtH, MiM, Ransomware etc.), Insider abuse etc.

#3 Digitalization: Innovation, User Experience, Process optimization


Notes & Conclusion

Survey respondents were asked to assess the likelihood of the individual global risk on a scale of 1 to 5 (1: very unlikely to happen and 5: very likely to occur). They also assess the impact on each global risk on a scale of 1 to 5 (1: minimal impact and 5: catastrophic impact).

Source: http://reports.weforum.org/global-risks-2018/global-risks-landscape-2018/#landscape

The Report concludes by assessing the risks associated with how technology is reshaping physical infrastructure: greater interdependence among different infrastructure networks is increasing the scope for systemic failures – whether from cyberattacks, software glitches, natural disasters or other causes – to cascade across networks and affect society in unanticipated ways.

Inhibitors: The Global WEF Risks Landscape 2018


World Economic Forum 2018: Top 5 Global Risks


Willing To Reveal Passwords For Chocolate

▪ 1,208 Participants

▪ 43.5% Willing to provide password if chocolate was offered before ask

▪ 29.8% Willing to provide password if chocolate given after ask


What is the daily routine of a user today?

Usage: several devices | Services | Apps | Self-Services


2FA possibilities


Where 2FA is possible…

Source: https://twofactorauth.org/#


Would it also be good for the enterprise?

THE PRODUCT!


Two-factor authentication

What possibilities do we have?

▪ Something you know: Password, PIN, Passphrase

▪ Something you have: Token, Smartcard, RFID Card, Telephone

▪ Something you are: Fingerprint, Face, Iris, Voice


Multifactor authentication

What possibilities do we have?

▪ Something you know: Password, PIN, Passphrase

▪ Something you have: Token, Smartcard, RFID Card, Telephone

▪ Something you are: Fingerprint, Face, Iris, Voice


Authenticators

Password, PIN, Passphrase

many more …


Authenticators

▪ Smartphone

▪ Smartcard

▪ RFID / NFC

▪ FIDO U2F

▪ SMS OTP

▪ OTP (OATH)

▪ GPS Position

many more …


Authenticators

Fingerprint, Iris, Voice, Face

many more …


Fingerprint- and Vein-Scanner

many more …


Advanced Authentication (AAF): Enterprise IT environment

[Diagram labels: AAF; RADIUS; CRL (PKI); Directory; 802.1x device; VPN; Enterprise network; Internet; Remote; Business applications, functions, transactions and data; Generic applications, databases, servers, operating systems; Business web applications; Enterprise single sign-on (eSSO); Web single sign-on (wSSO)]

User devices:
• Desktops/laptops
• Windows x86/x64, Citrix, RDP, VDI
• Mobile device, tablet, smartphone
• Thin/zero clients (Linux)

Directories:
• AD/ADLDS
• eDirectory
• Linux


Capabilities

[Diagram labels: AAF; Linux; Windows; Mac OS X; Security; NAM; NSL; Cloud Access; Pluggable Auth Module; Credential Provider; Authentication Plug-in; RADIUS/HSM; APIs; ADFS Plug-in; Mobile APIs/RADIUS; RADIUS/APIs; Web Service API; Microsoft AD; Mobile Platforms; Applications; Browser; Password Reset; DRA; PAM; SSO; SSO/Federation/Web; Enterprise SSO; SaaS Federation; SMB Focus]


Advanced Authentication 6.0

Legend: Methods | Remote Access Edition Key Features | Enterprise Edition Key Features

▪ Smartphone: Out-Of-Band push to iOS, Android or Windows Phones
▪ Geo-Fencing: Smartphone Based GPS Location Validation
▪ FIDO U2F: “Fast Identity Online” for Chrome / API (Win)
▪ Bluetooth: Device-in-Range login and lock for Windows (Win)
▪ Windows Hello: Support Win10 Hello Methods (Win)
▪ Multi-Tenant: Support Multi Divisions or Clients; Tenant Dashboard
▪ AWS / Azure: Public cloud Deployment options
▪ ADFS: ADFS Plug-in Integration (ASML)
▪ Windows CP: Credential Provider Win 7, 8 and 10
▪ Citrix Devices: Citrix Device Redirection Support

▪ Out-of-Band: Agent Out-of-Bounds
▪ Google Auth: External Google Authenticator OTP
▪ Microsoft Live: External Microsoft Live OATH OTP
▪ Voice OTP: Voice-call delivered OTP
▪ SMS OTP: Short Message Service delivered OTP
▪ SAML: Connect application via SAML2
▪ RADIUS: Internal RADIUS Server and RADIUS client
▪ REST: Light Weight Programming Interface
▪ Mac OS X: OS X Authentication Plug-In
▪ Citrix SSO: Facilitate user authentication to Citrix App/Session

▪ Face: Face Biometrics on Windows 8/10
▪ Soft Token: Application OATH Based TOTP / HOTP
▪ Hard Token: Device OATH Based TOTP / HOTP
▪ PKI – PKCS7: Smartcard (or other) w/Certificate Validation (Win, Lin, Mac)
▪ PKI – PKCS11: Smartcard (or other) w/Certificate Validation (Win, Lin, Mac)
▪ OAuth2: Connect applications via Open Authorization Token / Open ID
▪ FIPS 140-2: “FIPS Inside” Via OpenSSL FIPS Module
▪ Caching: Second Factor Skipping for admin specified window of time
▪ Linux PAM: RPM and DEB modules
▪ Card Tool: Identify found cards with a tap

▪ NFC: 13.56Mhz Cards, Tokens, etc. (Win, Lin, Mac)
▪ RFID: 125kHz Proximity Cards, Tokens, etc. (Win, Lin, Mac)
▪ Emergency PW: Helpdesk Assisted Password
▪ Email OTP: Email Delivered OTP
▪ Swisscom: External Swisscom SmartPhone PKI Authentication
▪ Impersonation: Linked Account Authenticator
▪ HTTP Proxy: Secure AA Behind Network with Proxy
▪ Dashboard: Customizable Administration Console
▪ RDP/Term Svcs: Card and PKI Redirection
▪ Off-Line: Workstation Login (Win, Mac, Linux)

▪ RADIUS Client: Interface with existing RADIUS Solutions
▪ Voice Call: Voice Call with Prompt for User PIN validation
▪ Challenge: User enrolled Challenge / Response
▪ PIN Code: User enrolled PIN Code as a Factor
▪ BankID: Swedish BankID (PKI) support
▪ Incorporate: Mobile SDK to integrate with any App
▪ App Policy: Mobile App Policy Enforcement
▪ Localization: User facing interface strings all localized
▪ Tap-N-Go: Windows Login / Logout with card tap (and PIN Caching)
▪ BYOD: Non-Domain Workstation Support

▪ Fingerprint: Windows Biometric Framework
▪ Fingerprint: Support MS Modern Keyboard with Biometrics
▪ Fingerprint: Lumidigm / HID Direct API Integration
▪ Fingerprint: Digital Persona Driver Based Integration
▪ Fingerprint: NEXT Biometrics Direct API Integration
▪ Kerberos: SSO with Kerberos Ticket Systems To Consoles
▪ ReCaptcha: Force Google ReCaptcha for Web based events
▪ Token: Standalone Token administration
▪ NIST: Use NIST Biometric Image Software

▪ SAML: SAML Federated validation
▪ OAuth2: OpenID Connect validation
▪ TouchID: Mac OSX TouchID Fingerprint
▪ AAaaS: MFA Available As-A-Service
▪ ConnectWise: Partner Dashboard Integration for RMM-to-MSPs
▪ Migration: Export / Import configuration

Standards and Integrations: HSPD-12, OAuth2, RADIUS, Microsoft Live, OATH, Google Auth, Mac OS X, Kerberos, Windows Hello, NFC ISO/IEC, PKCS 7 / 11, FIPS Inside, Biometric Image Software


Use Cases


Daily Business Requirements…

SEC

Privileged User

Frank

I’m a Security Officer handling sensitive data and I also have access to critical security dashboards and systems. Therefore my digital identity needs to be secured.


Demo: What you will see

▪ Frank's Windows logon screen

▪ Frank's desktop with his mobile

▪ A credential provider with flexible authentication chain options:

    ▪ PIN + Smartphone (the new standard)


Demo: 2FA Desktop Login


Daily Business Requirements…

SEC

Privileged User

Frank

I’m an external contractor and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to work from home and need access to critical security dashboards and systems.


Demo: What you will see

▪ Frank's logon screen on his portable corporate device

▪ Frank's laptop with a YubiKey attached

▪ A credential provider with flexible authentication chain options:

    ▪ PIN + U2F (the new standard)

    ▪ U2F + TOTP

    ▪ U2F + SMS

    ▪ Password + U2F


Demo: 2FA Desktop Login


Daily Business Requirements…

SEC

Privileged User

Frank

I’m an external contractor and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to access information from everywhere


Demo: What you will see

▪ A PC in an Internet Café or from my personal device at home

▪ Frank's smartphone

▪ Access to my company's CRM system using a restricted authentication chain option:

    ▪ Password + Smartphone push notification (new standard for SaaS applications while on the road)


Daily Business Requirements…

SEC

Privileged User

Frank

I’m an external contractor and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to access my homedrive from everywhere. Also to share information with my colleagues and externals like Kevin!


Demo: What you will see

▪ A PC in an Internet Café or from my personal device at home

▪ Frank's smartphone

▪ Access to my company's File, Sync and Share solution using a restricted authentication chain option:

    ▪ Password + Smartphone push notification (new standard for SaaS applications while on the road)


Daily Business Requirements…

SEC

Privileged User

Frank

I’m an external contractor and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to access my e-mails from everywhere.


Demo: What you will see

▪ A PC in an Internet Café or from my personal device at home

▪ Frank's smartphone

▪ Access to my Office365 hosted mails using a flexible authentication chains option:

    ▪ Password for ADFS Login

    ▪ Hardware token

    ▪ PIN and SMS (the new Standard)

    ▪ Soft Token


Daily Business Requirements…

SEC

Privileged User

Mike

I’m an external contractor, colleague of Frank and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to work from home. But I need VPN access. Kevin just approved VPN access and I can enroll.


Demo: Enrollment and 2FA VPN Access


Daily Business Requirements…

SEC

Privileged User

Frank

I’m an external contractor and am helping out the business in different projects. In case of urgency and to save time and costs it is efficient to manage SQL databases


Demo: What you will see

▪ A corporate device

▪ Frank's smartphone

▪ Access to manage SQL databases secured by NetIQ SecureLogin entering username and password using a static authentication chain option:

    ▪ Password + Smartphone push notification (new standard for SSMS SQL Management and applications secured by NetIQ SecureLogin)


Be smart & relax

#MFAnow


Demo


Deployment options


Deployment options: Advanced Authentication Production and DR

[Diagram labels: Load Balancer (two instances); Cluster1 and DR Cluster1, each with web servers WS1 to WS8; services AMProxy, RestProxy, ADLogin and VPN, each shown with a pair of web servers (WS1/WS2, WS3/WS4, WS5/WS6, WS7/WS8); Global Master with AA Database Server 1 and AA Database Server 2; AA DR Database Master with AA Database Server 1 and AA Database Server 2; LDAP sources; full Global Master replication to Database Master]

▪ Web Servers (WS1 to 8): Support 100 authentications per second (APS) per server; if more is required, additional WS servers can be added to cater for the load.

▪ Global Master (GM) together with Database servers (DB): Support 0 - 3000 authentications per second (APS) per server; if more is required, additional Database Master servers can be added to cater for the load.

▪ Site DR: Is a replica of Site 1 and provides disaster recovery functionality if and when required.

▪ Services: AMProxy, RestProxy, ADLogin and VPN services can be serviced by specific web servers; as per the diagram, AMProxy is serviced by WS1 and WS2. If more resources are required, additional WSs can be added.


Thank You.