What is PINsafe?
'Token-less' multi-factor authentication technology
Uses something the user already has: a mobile device or browser
Stronger security than simple one-time-code password solutions
The PIN is never entered at the keyboard
Integrates with most existing remote access products
Easy to deploy
Low management costs
Instant provisioning of users, avoiding the shipping of tokens
Overview of PINsafe Operation (diagram)
User login → Authentication device → PINsafe server (over RADIUS or XML) → Data source, e.g. Active Directory
PINsafe server → Data store (internal or external)
Security string for the one-time code sent to the user
Key information
What are the user data sources?
What are the authentication devices?
Where is the PINsafe data to be stored?
How are the PIN numbers to be delivered to users?
How are security strings to be delivered to users?
Software or appliance install?
HA Active/Passive or Active/Active?
What does PINsafe integrate with?
Microsoft Outlook Web Access
Microsoft IIS
Microsoft ISA Server
Microsoft IAG/Whale
Checkpoint VPN
Juniper SSL VPN
Citrix Access Gateway and Secure Server
Netilla
Aventail
Array Networks
F5
Cisco
Other RADIUS SSL VPN technologies
1-3 Factor Authentication
1st factor ► Something you know: PIN or password
2nd factor ► Something you have: a token or mobile phone (PINsafe)
3rd factor ► Something you use: the device through which you are authenticating (PositiveID)
PINsafe Protocol (Swivel Protocol)
Variable-length PIN issued to each user ► 4 to 10 digits
Randomly generated 10-digit security string ► Delivered to a mobile device or browser ► Changes for every authentication attempt
A new one-time code (OTC) for each authentication attempt ► Cannot be re-used if intercepted
Worked example: the OTC is made up of the digits of the security string at the positions named by the PIN digits, so the PIN itself is never typed.
PIN:             2 4 6 8
Security string: 5 1 7 3 9 2 0 6 4 8
OTC:             1 3 2 6 (the 2nd, 4th, 6th and 8th digits of the string)
User repository
XML ► Internal repository ► Managed via PINsafe
Active Directory ► LDAP sync ► Users managed on AD
LDAP ► LDAP sync ► Manage users by adding them to LDAP groups
Other database ► Dependent upon the database schema
Internal Data Store
Internal database for use 'out of the box'
(Diagram: external repository, e.g. AD, as source → PINsafe server → internal database as store)
External Data Store
An external database can be specified
(Diagram: external repository, e.g. AD, as source → PINsafe server → internal or external store, e.g. MS SQL, as database)
External database types available: ► MS SQL ► MySQL 5 ► JDBC ► Oracle 10g ► PostgreSQL 7.4
External Data Store: Active-Active HA solution
One PINsafe server is the master, the others are slaves
Load-balanced authentication devices can connect to different PINsafe servers
(Diagram: VPN server #1 and VPN server #2 → PINsafe server #1 and PINsafe server #2 → clustered external data store, e.g. JDBC; external repository, e.g. AD, as source)
PINsafe Dual Channel and Single Channel
Dual channel: security string supplied by a second method ► Increases security, combined with PIN extraction ► Relatively easy to implement using RADIUS ► 2-factor authentication
Single channel: security string supplied on the same channel as the authentication ► Stronger than a password ► Weaker than dual channel ► Harder to implement, as the security string must be presented to the user ► 1.5-factor authentication
Positive ID ► Can be used in combination with single and dual channel ► Verifies that the PC is also authenticated to connect ► Enhances security ► 2-factor authentication
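A worked example of the extraction step in the PINsafe Protocol slide and of why the channel on which the security string is delivered matters, added here for illustration; it is not Swivel's own code. It assumes positions into the 10-digit string are 1-indexed, that a PIN digit of 0 addresses the tenth position, and that the ChangePIN page encodes the new PIN in the same way as a normal OTC. The security strings other than the page's own 5 1 7 3 9 2 0 6 4 8 are constructed for the example.

```python
# Added example of PINsafe-style one-time-code (OTC) extraction; not Swivel's code.
# Assumptions: 1-indexed positions into a 10-digit security string, PIN digit '0'
# addresses position 10, and ChangePIN encodes the new PIN the same way.
from itertools import product
import secrets

STRING_LENGTH = 10


def new_security_string() -> str:
    """Randomly generated 10-digit security string, one per authentication attempt."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))


def _position(pin_digit: str) -> int:
    """Map a PIN digit to a 1-indexed position; '0' means position 10 (assumption)."""
    return STRING_LENGTH if pin_digit == "0" else int(pin_digit)


def extract_otc(pin: str, security_string: str) -> str:
    """The user's mental step: for each PIN digit, read the string digit at that position.

    PIN 2468 over the string 5 1 7 3 9 2 0 6 4 8 gives 1 3 2 6. The PIN never
    leaves the user's head; only the derived OTC is typed.
    """
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 10 digits")
    return "".join(security_string[_position(d) - 1] for d in pin)


def encode_new_pin(new_pin: str, security_string: str) -> str:
    """ChangePIN: the new PIN is submitted as an OTC over the current string (assumed)."""
    return extract_otc(new_pin, security_string)


def verify_otc(pin: str, security_string: str, submitted: str) -> bool:
    """Server-side check against the string issued for this attempt only."""
    return secrets.compare_digest(extract_otc(pin, security_string), submitted)


def pin_candidates(security_string: str, otc: str) -> set:
    """What an observer who sees BOTH the string and the typed OTC learns.

    Each OTC digit could have come from any position holding that digit. When the
    string has no repeated digits (as in the page's example) the PIN is fully exposed.
    """
    per_digit = []
    for c in otc:
        positions = [i + 1 for i, s in enumerate(security_string) if s == c]
        per_digit.append(["0" if p == STRING_LENGTH else str(p) for p in positions])
    return {"".join(t) for t in product(*per_digit)}


def recover_pin(observations) -> set:
    """Intersect the candidate sets across several observed (string, OTC) pairs."""
    remaining = None
    for security_string, otc in observations:
        found = pin_candidates(security_string, otc)
        remaining = found if remaining is None else remaining & found
    return remaining or set()


if __name__ == "__main__":
    pin, s = "2468", "5173920648"          # the page's own example
    otc = extract_otc(pin, s)
    print("OTC:", otc, "verify:", verify_otc(pin, s, otc))
    # An intercepted OTC is useless against the next, freshly generated string.
    print("replay against a fresh string:", verify_otc(pin, new_security_string(), otc))
    print("observer of string and OTC learns:", pin_candidates(s, otc))
```

The last two functions are the practitioner's caveat behind the dual-channel claim: the OTC alone reveals nothing about the PIN, but anyone who sees the security string and the typed OTC on the same channel (spyware in a single-channel deployment) can narrow the PIN down, and with the page's example string, which contains every digit exactly once, one observed pair gives the PIN outright. Delivering the string over a second channel keeps the two halves apart.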
Dual channel: how the user receives their string ► SMS by GSM ► SMS by SMS gateway ► Swivlet: security string by GPRS
Single channel: how the user receives their string ► Modified login screen ► Separate web page ► String in Active Desktop ► PINsafe taskbar utility
Dual Channel - SMS
The mobile phone as a token: ► Select the inbox from the phone message menu ► Select the Swivel message ► Retrieve the one-time code and type it into the browser
PINsafe – SMS
Dual channel increases protection of the credential from spyware
Security string sent via a GSM, CDMA/TDMA, SMTP or GPRS network
Manually extracted OTC returned via the second channel
First security string delivered as an SMS message upon user registration
SMS refresh (override) after each authentication attempt
Device neutral
No mobile service necessary at the end point during authentication
SMS notification if someone is trying to log on as the user
Instant provisioning of users
Swivlet - J2ME MIDlet
Automatic OTC extraction from keyboard input
99 security strings
Registration and OTC top-up through a GPRS connection
Select 'Login' from the menu ► Select 'Get One Time Code' and enter the PIN ► Retrieve the one-time code and type it into the browser
Single Channel
Unique user interface (BUTTon, TURing & PATTern) ► Single Channel API ► Randomly generated GIF ► Irregular font and patterned backgrounds ► Designed to defeat OCR software ► PIN is never typed during the authentication process
Additional PINsafe Single Channel Configurations
Web page with security string image
Taskbar
Active Desktop
PositiveID
PositiveID has been integrated with PINsafe
PositiveID is a third-party tool that creates a unique digital fingerprint for a device such as a PC, laptop or PDA and uses it for authentication purposes
Using PositiveID it is possible to restrict users to specific PCs, laptops etc.
Several devices can be registered
Up to 15 different groups of parameters make up the profile
Key Points
What is the user data source (AD, LDAP)?
What is the authentication device (SSL VPN, ISA, IAG, website)?
Where is the data (PIN numbers etc.) to be stored (internally in PINsafe or externally in a database)?
How are the PIN numbers to be delivered to users (SMS, email)?
How are security strings to be delivered to users (SMS, email, TURing, Swivlet)?
Software or appliance install?
HA Active/Passive or Active/Active?
User Care Pages - ChangePIN
Enter your OTC for the current PIN, then enter the new PIN as an OTC as well (the security-string digits at the positions of the new PIN), so the new PIN is never typed in clear ► Example: if you want your new PIN to be 4925, enter 8451
Purchase Options
Authentication appliance
HA Active/Passive option on appliance
HA Active/Active option on appliance
Software only
Software only with HA Active/Active