
Tokenless Two-Factor Authentication

Graham Field

What is PINsafe?

‘Token-less’ multi-factor authentication technology
Use something the user already has: a mobile device or browser
Stronger security than simple OTC password solutions
The PIN is never entered into the keyboard
Integrates with most existing remote access products
Easy to deploy
Low management costs
Instant provisioning of users, avoiding shipping of tokens

Overview of PINsafe Operation

Diagram components:
User
Authentication Device
PINsafe Server (RADIUS or XML)
Data Source, e.g. Active Directory
Data Store, internal or external
Security string for One Time Code sent to user
User Login

Key information

What are the user data sources?
What are the authentication devices?
Where is the PINsafe data to be stored?
How are the PIN numbers to be delivered to users?
How are security strings to be delivered to users?
Software or appliance install?
HA Active/Passive or Active/Active?

What does PINsafe integrate with?

Microsoft Outlook Web Access
Microsoft IIS
Microsoft ISA Server
Microsoft IAG/Whale
Checkpoint VPN
Juniper SSL VPN
Citrix Access Gateway and Secure Server
Netilla
Aventail
Array Networks
F5
Cisco
Other RADIUS SSL technologies

Dual Channel and Multi-factor Authentication… explained

What is Dual Channel?
Diagram: the login involves two channels. Channel I delivers the Security String to the user; Channel II carries the OTC back to the login.

1-3 Factor Authentication… explained

1st Factor ► Something you know – PIN or Password
2nd Factor ► Something you have – a token; mobile phone (PINsafe)
3rd Factor ► Something you use – the device through which you are authenticating (Positive ID)

PIN Protection

PINsafe Protocol

Variable length PIN issued to each user ► 4 – 10 digits
Randomly generated 10-digit security string ► Delivered to a mobile device or browser
A new one-time code (OTC) for each authentication attempt ► Cannot be re-used if intercepted

Swivel Protocol

PIN (stays the same): 2 4 6 8
Security string (changes for every authentication attempt): 5 1 7 3 9 2 0 6 4 8

Each PIN digit points to a position in the security string, and the character found there becomes the next OTC digit:
PIN digit 2 → 2nd character of the security string → 1
PIN digit 4 → 4th character → 3
PIN digit 6 → 6th character → 2
PIN digit 8 → 8th character → 6

OTC: 1 3 2 6

PINless Option
Security string: 951372
OTC: 951372 (the delivered string is entered as-is)
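The extraction the slides animate, written out as an added Python example (not code from the presentation or from Swivel's product), together with the server-side check that makes each security string single-use so an intercepted OTC cannot be replayed. Assumptions not stated on the slides: PIN digit 0 addresses the 10th character, the security string is a permutation of the digits 0-9 like the slide's 5173920648, and the names `extract_otc`, `new_security_string` and `PinsafeVerifier` are hypothetical.

```python
import secrets

def extract_otc(pin, security_string):
    """User side: each PIN digit selects a 1-based position in the string.
    PIN digit 0 addresses position 10 (assumption, not on the slides)."""
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4-10 digits")
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be 10 digits")
    return "".join(security_string[(int(d) or 10) - 1] for d in pin)

def new_security_string(rng=secrets.SystemRandom()):
    """Server side: a fresh string for every attempt. Modelled as a
    permutation of 0-9, as in the slide's example (assumption)."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return "".join(digits)

class PinsafeVerifier:
    """Server side (hypothetical name). An issued string is consumed on
    first use, so an OTC captured from an earlier login is rejected."""
    def __init__(self, pins):
        self.pins = dict(pins)      # user -> PIN; constructed sample data
        self.pending = {}           # user -> security string not yet used

    def issue_string(self, user):
        s = new_security_string()
        self.pending[user] = s      # supersedes any unused earlier string
        return s                    # delivered by SMS, Swivlet, image, ...

    def verify(self, user, otc):
        s = self.pending.pop(user, None)   # consume the string either way
        pin = self.pins.get(user)
        if s is None or pin is None:
            return False                   # no live string / unknown user
        expected = extract_otc(pin, s)
        return secrets.compare_digest(otc.encode(), expected.encode())

if __name__ == "__main__":
    v = PinsafeVerifier({"alice": "2468"})
    s = v.issue_string("alice")
    otc = extract_otc("2468", s)           # what the user reads off the string
    print(s, otc, v.verify("alice", otc), v.verify("alice", otc))
```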

User Data Sources

User repository XML ► Internal repository ► Managed via PINsafe
Active Directory ► LDAP Sync ► Users managed on AD
LDAP ► LDAP Sync ► Manage users by adding them to LDAP groups
Other Database ► Dependent upon database schema

Data Storage

Internal Data Store
Internal database for use ‘out of the box’
Diagram: External Repository (eg AD) as Source → PINsafe Server → Internal Database (Store)

External Data Store
External database can be specified
Diagram: External Repository (eg AD) as Source → PINsafe Server → Internal or External Database (eg MS SQL) as Store

External Data Store

External database types available:
► MS SQL
► MySQL 5
► JDBC
► Oracle 10g
► PostgreSQL 7.4

External Data Store – Active-Active HA solution

One PINsafe server is master, others are slaves
Load balanced authentication devices can connect to different PINsafe servers
Diagram: External Repository (eg AD) as Source; Clustered External Data Store (eg JDBC); PINsafe Server #1 and PINsafe Server #2; VPN Server #1 and VPN Server #2

Security String Delivery

PINsafe Authentication

Dual Channel ‒ Security string supplied by a second method
► Increases security combined with PIN extraction
► Relatively easy to implement using RADIUS
► 2 factor authentication

Single Channel ‒ Security string supplied in the same method as the authentication channel
► Stronger than a password
► Weaker than dual channel
► Harder to implement as the security string must be presented to the user
► 1.5 factor authentication

Positive ID
► Can be used in combination with single and dual channel
► Verifies the PC is also authenticated to connect
► Enhances security
► 2 factor authentication

PINsafe Dual Channel and Single Channel

Dual Channel ‒ How the user receives their string
► SMS by GSM
► SMS by SMS Gateway
► Swivlet – Security string by GPRS

Single Channel ‒ How the user receives their string
► Modified login screen
► Separate web page
► String in Active Desktop
► PINsafe Taskbar utility

The mobile phone as a token:
► Select inbox from phone message menu
► Select Swivel message
► Retrieve one-time code and type into browser

Dual Channel - SMS

Dual channel increases protection of the credential from spyware
Security string sent via GSM, CDMA/TDMA, SMTP or GPRS network
Manually extracted OTC returned via second channel

PINsafe – SMS

First security string delivered as an SMS message upon user registration
SMS refresh (override) after each authentication attempt
Device neutral
No mobile service necessary at the end point during authentication
SMS notification if someone is trying to log on as the user
Instant provisioning of users

Swivlet - J2ME MIDlet

Automatic OTC extraction from keyboard input
99 security strings
Registration and OTC top-up through GPRS connection


Using the Swivlet:
► Select ‘Login’ from menu
► Select ‘Get One Time Code’ and enter PIN
► Retrieve one-time code & type into browser

Single Channel – Unique user interface (BUTTon, TURing & PATTern)
► Single Channel API
► Randomly generated GIF
► Irregular font and patterned backgrounds
► Immune from OCR software
► PIN is never typed during authentication process

PINsafe Single Channel Configurations

Modified login screens

Additional PINsafe Single Channel Configurations
► Web page with security string image
► Taskbar
► Active Desktop

PositiveID

PositiveID has been integrated with PINsafe
PositiveID is a third-party tool that creates a unique digital fingerprint for a device such as a PC, laptop or PDA and uses it for authentication purposes
Using PositiveID it is possible to restrict users to specific PCs, laptops, etc.
Several devices can be registered
Up to 15 different groups of parameters make up the profile

Summary of Key Points

What is the user data source (AD, LDAP)?
What is the authentication device (SSL VPN, ISA, IAG, website)?
Where is the data (PIN numbers etc.) to be stored (internally in PINsafe or externally in a database)?
How are the PIN numbers to be delivered to users (SMS, email)?
How are security strings to be delivered to users (SMS, email, TURing, Swivlet)?
Software or appliance install?
HA Active/Passive or Active/Active?

ChangePIN

User Care Pages - ChangePIN

Enter your OTC, and your new PIN entered as an OTC (i.e. encoded against the current security string)
► Example: if you want your new PIN to be 4925, enter 8451
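How the ChangePIN form can be decoded on the server, as an added Python example that is not from the presentation or from Swivel's product: the user types the security-string characters at the positions the new PIN selects, and the server inverts that mapping. Assumptions not on the slide: PIN digit 0 addresses position 10, the security string is a permutation of 0-9 (so each typed character maps back to exactly one position), both fields of the form use the same string, and `SECURITY_STRING` is a constructed value chosen so that 4925 encodes to 8451 as in the slide's example.

```python
import hmac

# Constructed sample string (not from the page), chosen so that the new PIN
# 4925 encodes to 8451 exactly as the slide's example shows.
SECURITY_STRING = "0528136749"

def _check_inputs(pin_digits, security_string):
    if not (4 <= len(pin_digits) <= 10) or not pin_digits.isdigit():
        raise ValueError("PIN must be 4-10 digits")
    if sorted(security_string) != list("0123456789"):
        raise ValueError("security string must hold each digit 0-9 once")

def encode_pin(pin, security_string):
    """User side: pick the string character at each PIN digit's 1-based
    position (digit 0 -> position 10, assumption). This is the same step
    that yields a normal OTC, and what the slide's example does by hand."""
    _check_inputs(pin, security_string)
    return "".join(security_string[(int(d) or 10) - 1] for d in pin)

def decode_pin(typed, security_string):
    """Server side: invert the mapping. Position 10 becomes PIN digit 0."""
    _check_inputs(typed, security_string)
    position = {ch: (i + 1) % 10 for i, ch in enumerate(security_string)}
    return "".join(str(position[ch]) for ch in typed)

def change_pin(current_pin, security_string, typed_otc, typed_new_pin):
    """ChangePIN form: the current OTC must verify before the new PIN is
    accepted. Returns the new PIN, or None if the OTC is wrong."""
    expected = encode_pin(current_pin, security_string)
    if not hmac.compare_digest(typed_otc.encode(), expected.encode()):
        return None
    return decode_pin(typed_new_pin, security_string)

if __name__ == "__main__":
    print(encode_pin("4925", SECURITY_STRING))   # 8451, as on the slide
    print(decode_pin("8451", SECURITY_STRING))   # 4925
```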

PINsafe Purchase Options

Authentication appliance
HA Active/Passive option on appliance
HA Active/Active option on appliance
Software only
Software only with HA Active/Active
