
Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009

DESCRIPTION

Underwood’s session will introduce tokenless two-factor authentication via SMS. It will discuss the end-user authentication experience and the merits of on-demand versus pre-loading passcodes via SMS and how to resolve any delivery delays or signal dead spots. He will also discuss the best practices that are vital to support multiple internal business units, external third-party businesses and customer authentication, including how two-factor authentication security can be maintained within a disaster recovery environment. At the end of this session attendees will have a better understanding of the next generation of tokenless authentication, and will be able to save costs by eliminating tokens and reducing servers.

Page 1: Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009

© 2009 Copyright SecurEnvoy Ltd. All rights reserved

Interop Mumbai 2009

The New Wave of Tokenless Two-Factor Authentication

Page 2

- What is authentication

The process of identifying an individual, usually based on a username and password.

Source: www.webopedia.com

Authentication (from Greek: αυθεντικός, real or genuine, from authentes, author) is the act of establishing or confirming something (or someone) as authentic.

Source: www.wikipedia.com

Authenticate

verb: prove or show to be authentic.

DERIVATIVES: authentication (noun), authenticator (noun)

Source: Oxford English Dictionary, www.askoxford.com

Page 3

- Strength of the Password

Provides your digital identity

Good: easy to use and remember, cheap, prolific

e.g. Password = child’s name, zip code etc.

Bad: hard to remember, compromised

e.g. Password = Q1asw&u$42

Ways a password is compromised:

• Social engineering

• Guessing the password / PIN

• Shoulder surfing

• Keystroke logging

• Screen scraping (with keystroke logging)

• Brute-force password crackers

Page 4

- Compromising the Password

Password utility: Cain and Abel, www.oxid.it

Page 5

- Compromising the Password

Password utility: L0phtCrack, www.l0phtcrack.com

Page 6

- Compromising the Password

Hardware keystroke logger: KeyGhost, www.keyghost.com

Page 7

- Two Factor Authentication

Drawbacks of hardware tokens:

• End user must remember to carry the token!

• Deployment: remote users must be sent a hardware device

• Token may require resynchronisation

• Support: failed tokens must be managed

• Smartcards need a reader and software drivers

• Short-term contractors don’t always return the token

• B2B: one-to-many companies requires many identical tokens

Quote: “I got my today, it took just 2 weeks to deliver here to Finland. It’s so small! Gotta keep an eye on it, losing it would suck”

Source: http://forumserver.twoplustwo.com/28/internet-poker/i-got-my-pokerstars-rsa-secureid-token-today-pic-367093/index33.html

Page 8

- Two Factor Authentication

A phone in every pocket?

3.8 billion GSM connections (source www.gsmworld.com)

End users protect their phones

A recent poll asked “what’s the worst thing you could lose?”

Your phone: 92%

20 Euros: 7%

Your token: 1%

Lost phones are reported missing much faster

A lost 2nd factor can only be disabled once it has been reported missing

Page 9

- Two Factor Authentication

How can a phone become an authenticator?

Option 1: Adding software on a phone?

• Many different phone interfaces

• Massive QA issues

• Major support issues

• Limited supported phone types

• Software deployment problems

Option 2: On-demand SMS

• What about SMS delays?

• What if I'm in a building with no signal?

• I’m using my phone to connect to the internet

Option 3: Pre-load SMS

• Each authentication sends the next passcode

Passcode 651273

Page 10

- On demand v Pre Load SMS

Page 11

- End User Experience

Traditional Approach

UserID: fred
PIN: 3687
Passcode: 435891
Microsoft Password: P0stcode

Easiest Approach

UserID: fred
Microsoft Password: P0stcode
Passcode: 435891

• Reuse the Microsoft or other LDAP password as the PIN

• Easier end user authentication experience

• No PIN administration required

Page 12

- Two Factor Authentication

UserID: PhilU

Something You Know: P0stcode (the password)

Something You Own: 234836 (6 digit number from mobile phone)

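Pages 9 to 12 describe the SMS passcode flows only in outline. The Python model below is an added illustration, not SecurEnvoy's code, and runs both SMS options side by side: in on-demand mode a code is texted only after the directory password has been checked, so a user standing in a signal dead spot cannot log in; in pre-load mode the next code is sent at the end of each successful login, so it is already on the phone, and the one after it is simply held by the network until signal returns. The directory password (P0stcode on the slides) doubles as the PIN, every code is single-use, and the passcode comparison is constant-time. The SmsGateway and the in-memory user store are constructed stand-ins, and the five-failure lockout, the sample mobile number and the store-and-forward behaviour are assumptions, not figures from the deck.

```python
"""Tokenless SMS two-factor login: on-demand versus pre-loaded passcodes.
Added example, not SecurEnvoy code; the directory and the mobile network are
constructed stand-ins so both SMS options from the slides can run offline."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PASSCODE_DIGITS = 6
MAX_FAILURES = 5  # assumed policy: consecutive wrong passcodes before the account locks


def new_passcode() -> str:
    """Zero-padded 6-digit passcode from a CSPRNG (random, not time-derived)."""
    return f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"


class SmsGateway:
    """Stand-in for the mobile network: with no signal, texts are queued and
    delivered when the handset is back, like a real network's store-and-forward."""

    def __init__(self) -> None:
        self.inbox: Dict[str, List[str]] = {}   # mobile -> texts on the handset
        self.queued: Dict[str, List[str]] = {}  # mobile -> texts awaiting signal
        self.reachable = True

    def send(self, mobile: str, text: str) -> bool:
        """True if the text reached the handset now, False if it was queued."""
        target = self.inbox if self.reachable else self.queued
        target.setdefault(mobile, []).append(text)
        return self.reachable

    def regain_signal(self) -> None:
        self.reachable = True
        for mobile, texts in self.queued.items():
            self.inbox.setdefault(mobile, []).extend(texts)
        self.queued.clear()

    def latest_passcode(self, mobile: str) -> Optional[str]:
        """What the user reads off the phone: the code in the most recent text."""
        texts = self.inbox.get(mobile)
        return texts[-1].split()[-1] if texts else None


@dataclass
class UserRecord:
    password: str                   # stands in for the AD/LDAP password reused as the PIN
    mobile: str
    passcode: Optional[str] = None  # the single passcode currently valid for this user
    failures: int = 0
    locked: bool = False


class SmsAuthServer:
    def __init__(self, gateway: SmsGateway, mode: str) -> None:
        if mode not in ("on-demand", "pre-load"):
            raise ValueError(f"unknown mode {mode!r}")
        self.gateway, self.mode = gateway, mode
        self.users: Dict[str, UserRecord] = {}

    def enrol(self, user_id: str, password: str, mobile: str) -> None:
        self.users[user_id] = UserRecord(password=password, mobile=mobile)
        if self.mode == "pre-load":
            self._issue_next(user_id)  # first code is on the phone before any login

    def _issue_next(self, user_id: str) -> bool:
        """Store a fresh passcode and text it; the new SMS supersedes the old one."""
        rec = self.users[user_id]
        rec.passcode = new_passcode()
        return self.gateway.send(rec.mobile, f"Passcode {rec.passcode}")

    def _check_password(self, user_id: str, password: str) -> bool:
        rec = self.users.get(user_id)
        if rec is None or rec.locked:
            return False
        # A real deployment binds to the directory here rather than comparing locally.
        return hmac.compare_digest(rec.password.encode(), password.encode())

    def request_passcode(self, user_id: str, password: str) -> bool:
        """On-demand mode: text a code only after the first factor has been checked."""
        if self.mode != "on-demand" or not self._check_password(user_id, password):
            return False
        return self._issue_next(user_id)

    def authenticate(self, user_id: str, password: str, passcode: str) -> bool:
        """Something you know (directory password) plus something you own (the code
        on the phone). A used code is burned, so replaying it fails."""
        if not self._check_password(user_id, password):
            return False
        rec = self.users[user_id]
        ok = rec.passcode is not None and hmac.compare_digest(
            rec.passcode.encode(), passcode.encode())
        if ok:
            rec.failures, rec.passcode = 0, None
            if self.mode == "pre-load":
                self._issue_next(user_id)  # next code leaves now, not at the next login
        else:
            rec.failures += 1
            rec.locked = rec.failures >= MAX_FAILURES
        return ok
```

To see the dead-spot difference, enrol a user in each mode, set `gateway.reachable = False`, and call `request_passcode` (on-demand: returns False, no login possible) versus `authenticate` with `gateway.latest_passcode(mobile)` (pre-load: succeeds, and the following code sits in `gateway.queued` until `regain_signal()`). Note that a pre-loaded code stays valid until it is used, which is why the failure counter and lockout matter more here than in a time-based scheme.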
Page 13

- Two Factor Authentication

Use AD or other LDAP as the database

Standard Authentication Solutions

• Active Directory is LDAP-synced into a SQL database, which is then replicated to a second SQL database

• Re-enter user information

SecurEnvoy Solution

• Active Directory holds the authentication data directly

• No changes to the schema

• Must be encrypted (128 bit AES)

Page 14

- Resilience

Diagram: “My Domain” spans Site 1 and Site 2. Each site has AD Domain Controllers, a SecurEnvoy SecurAccess server and an SSL VPN; the authentication data is replicated between the sites by Active Directory.

Leverage existing replication of AD or other LDAP

Page 15

- Supporting Multiple Domains

Diagram: one central Radius & 2FA server delivers passcodes over the mobile network to users held in different directories:

• VPN Server A, Microsoft AD Domain A, End User A (Passcode 971563)

• VPN Server B, eDirectory Domain B, End User B (Passcode 347219)

• IIS Web Server, Customers over the Internet, Customer ADAM instance (Passcode 347219)

Page 16

- Deployment

1. Locate existing users in AD (LDAP)

• Search base (OU=Amsterdam)

• Search filter (memberof=vpngroup)

2. Check for known mobile numbers

3. Self-enrol unknown mobile numbers via email

Deploy around 300 users per minute

• 5000 users in around 16 minutes

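The three deployment steps above can be expressed as a short script. The Python example below is added here and is not SecurEnvoy's tool: it emulates the LDAP search using the slide's search base and group, normalises whatever sits in the `mobile` attribute to E.164 so that only numbers which can actually receive an SMS are enrolled, and routes everyone else to e-mail self-enrolment with a random single-use token (or to an administrator when there is no e-mail address either). The `DC=example,DC=com` suffix, the group's full DN, the `+31` default country code and the sample directory entries are constructed assumptions. One practical caveat the slide's shorthand hides: Active Directory stores `memberOf` as the group's full distinguished name, so a real filter must use that DN rather than the bare name `vpngroup`.

```python
"""Bulk deployment of SMS two-factor authentication from an existing directory.
Added example, not SecurEnvoy code. The entries below are constructed in place of
a live LDAP search so the three deployment steps on the slide can run offline."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Search base and group name are from the slide; the DC= suffix, the group's full
# DN and the Dutch default country code are assumptions for this example.
SEARCH_BASE = "OU=Amsterdam,DC=example,DC=com"
GROUP_DN = "CN=vpngroup,OU=Groups,DC=example,DC=com"  # memberOf holds a full DN in AD
DEFAULT_CC = "+31"
RATE_PER_MINUTE = 300  # deployment rate quoted on the slide
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

# Constructed sample entries (not real people), attribute names as in AD.
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=fred,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "fred",
     "mail": "fred@example.com", "mobile": "+31 6 1234 5678", "memberOf": [GROUP_DN]},
    {"dn": "CN=anna,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "anna",
     "mail": "anna@example.com", "mobile": "06-2345 6789", "memberOf": [GROUP_DN]},  # national format
    {"dn": "CN=joe,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "joe",
     "mail": "joe@example.com", "memberOf": [GROUP_DN]},                             # no mobile
    {"dn": "CN=kim,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "kim",
     "mail": "kim@example.com", "mobile": "1234", "memberOf": [GROUP_DN]},           # junk mobile
    {"dn": "CN=lars,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "lars",
     "memberOf": [GROUP_DN]},                                                        # no mobile, no mail
    {"dn": "CN=mia,OU=London,DC=example,DC=com", "sAMAccountName": "mia",
     "mail": "mia@example.com", "mobile": "+44 7700 900123", "memberOf": [GROUP_DN]},  # outside base
    {"dn": "CN=nils,OU=Amsterdam,DC=example,DC=com", "sAMAccountName": "nils",
     "mail": "nils@example.com", "mobile": "+31 6 5555 5555", "memberOf": []},       # not in group
]


def attr(entry: Dict[str, object], name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; always return a list of values."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return [str(v) for v in value] if isinstance(value, list) else [str(value)]
    return []


def search(entries, base: str, filter_attr: str, filter_value: str) -> List[Dict[str, object]]:
    """Step 1: emulate a subtree LDAP search with a single equality filter."""
    return [e for e in entries
            if str(e["dn"]).lower().endswith("," + base.lower())
            and any(v.lower() == filter_value.lower() for v in attr(e, filter_attr))]


def normalise_mobile(raw: Optional[str], default_cc: str = DEFAULT_CC) -> Optional[str]:
    """Step 2: turn whatever was typed into the mobile attribute into E.164,
    or None if it cannot receive an SMS (missing, local-only or malformed)."""
    if not raw:
        return None
    digits = re.sub(r"[\s().-]", "", raw)
    if digits.startswith("+"):
        pass
    elif digits.startswith("00"):
        digits = "+" + digits[2:]
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]
    else:
        return None
    return digits if E164.fullmatch(digits) else None


@dataclass
class DeploymentPlan:
    enrol_now: List[Tuple[str, str]] = field(default_factory=list)             # (user, E.164 mobile)
    self_enrol_email: List[Tuple[str, str, str]] = field(default_factory=list)  # (user, mail, token)
    needs_admin: List[str] = field(default_factory=list)                        # no mobile and no mail


def plan_deployment(entries=DIRECTORY, base=SEARCH_BASE, group_dn=GROUP_DN,
                    default_cc=DEFAULT_CC) -> DeploymentPlan:
    plan = DeploymentPlan()
    for e in search(entries, base, "memberOf", group_dn):
        user = attr(e, "sAMAccountName")[0]
        mobile = normalise_mobile((attr(e, "mobile") or [None])[0], default_cc)
        mail = (attr(e, "mail") or [None])[0]
        if mobile:
            plan.enrol_now.append((user, mobile))
        elif mail:
            # Step 3: e-mail a random, single-use enrolment token so the user supplies
            # the number; the server never guesses or accepts an unverified one.
            plan.self_enrol_email.append((user, mail, secrets.token_urlsafe(16)))
        else:
            plan.needs_admin.append(user)
    return plan


def estimate_minutes(user_count: int, rate: int = RATE_PER_MINUTE) -> float:
    """Slide figure: about 300 users per minute, so 5000 users take roughly 16-17 minutes."""
    return round(user_count / rate, 1)
```

Running `plan_deployment()` on the sample entries enrols fred and anna immediately (anna's national-format number becomes `+31623456789`), sends self-enrolment mail to joe and kim, and flags lars for an administrator; mia and nils never appear because the search base and group filter exclude them before any mobile number is looked at.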
Page 17

- Summary

Easy to use

• No additional PIN

• No token

• Next SMS overwrites previous one

Easy to administer and deploy

• No database, reuse existing central LDAP

• Automate deployment

• Self enrol unknown mobile numbers

Resilient

• Pre-load passcodes

• Leverage LDAP servers’ replication

• Support multiple heterogeneous domains

www.SecurEnvoy.com
