Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

Michael G. Kaishar, MSIA | CISSP | Security+Sr. Information Security Architect & Consultant

A Master of Science Research Practicum Presentation

Graduate School of ManagementUniversity of Dallas

Partial Fulfillment of the Requirementsfor the Master of Science Degree

in Information Assurance

Saturday, March 27, 2010

Saturday, March 27, 2010 Michael G. Kaishar 2

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

INTRODUCTION Michael G. Kaishar Practicum Study

An Experiment for an Accountancy Firm (AF) Implementing Two-Factor Authentication for

Remote Access using PhoneFactor Significance

Feasible Address issue of unauthorized access

Saturday, March 27, 2010 Michael G. Kaishar 3

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

MATERIALS Hardware

Dell Laptop with sufficient resources Cell Phone

Software & Service Operating Systems (XP and W2K3 Server) VMware & 2X Remote Access Server PhoneFactor Two-Factor Authentication Internet Connectivity

Saturday, March 27, 2010 Michael G. Kaishar 4

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

ANALYSIS Built Test Environment using VMware

Simulated AF’s production infrastructureWithout PhoneFactorWith PhoneFactor

Figure 1. Illustration of remote connectivity process Figure 2. VMWare Inc. Illustration of where virtual machines reside in reference to the Dell Laptop Hardware Layer

Saturday, March 27, 2010 Michael G. Kaishar 5

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

VIDEO DEMONSTRATION 1 Current Procedures for Connectivity

Username Password

Saturday, March 27, 2010 Michael G. Kaishar 6

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

VIDEO DEMONSTRATION 2 Proposed Solution for Connectivity

Username Password Two-Factor Authentication using PhoneFactor

Saturday, March 27, 2010 Michael G. Kaishar 7

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

VIDEO DEMONSTRATION 3 Failed Attempt for Connectivity

Username Password PhoneFactor

Saturday, March 27, 2010 Michael G. Kaishar 8

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

RESULTS PhoneFactor worked as advertised Easy to install, configure, and manage Easy to integrate into existing system Required little to no downtime AF is very pleased with outcome Cost Effective (free for up to 25 users)

Saturday, March 27, 2010 Michael G. Kaishar 9

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

CONCLUSIONS Recommendations

Augment security strategy Separate systems for each function Balance between security and functionality

Limitations Isolated (Sand-boxed) Virtualized Environment Single client (lack of system load)

Saturday, March 27, 2010 Michael G. Kaishar 10

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

CONCLUSIONS Future Work

Voice recognition Text-based authentication (SMS)

Saturday, March 27, 2010 Michael G. Kaishar 11

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

Questions?

Saturday, March 27, 2010 Michael G. Kaishar 12

Implementing Two-Factor Authentication for Remote Access using PhoneFactorA Proof-of-Concept Experiment for an Accountancy Firm (AF)

Thank You