
Seamless Two-Factor Authentication: DS3 Incorporates Support for Intel® Identity Protection Technology

Challenge

• Providing strong authentication requires supporting a diverse range of tokens and authentication mechanisms, including added support for new technologies that are reaching the market.

• The need for strong, easy-to-use, two-factor authentication has increased as hacker attacks have become more sophisticated and online banking, commerce, and government transactions have become more commonplace.

• Hardware tokens present problems in provisioning, management, and potential loss. Software tokens—while convenient—provide a lower level of security and a prime target for malware.

Solution

• Designing the DS3 Authentication Server to accommodate an extensive range of authentication mechanisms—quickly adapting to powerful, emerging technologies as they are introduced—delivers the flexibility and the rigorous identity protection that enterprise business customers require.

• Incorporating Intel® Identity Protection Technology (Intel® IPT) into a solution, such as the DS3 Authentication Server, strengthens security by using one-time passwords (OTPs) generated within a tamper-resistant module in hardware. These OTPs can be generated and passed through with or without user action.

“The reason why I am so bullish about the [Intel] IPT solution is that it offers a new light at the end of the tunnel, where we have the ability to turn on strong authentication for every person out there in the entire online world who has an Ultrabook.”
— Teik Guan, CEO, DS3

Solution Brief: Intel® Identity Protection Technology


Reducing Data Theft Risks

The trade-off between rigorous security and ease-of-use has been an ongoing challenge since the earliest days of personal computing. If security practices are too difficult for users to follow on a regular basis, they’ll find ways to circumvent the practices or become careless. Lowering the security standards to make the system easier to use exposes sensitive information to loss or theft. Cyberattacks that deliberately target token use have become increasingly successful. With the latest version of the DS3 Authentication Server, which includes support for Intel IPT, the risks of data exposure or theft are substantially diminished.

Based in Singapore, DS3 introduced the DS3 Authentication Server, its flagship enterprise solution, in 2003. In 2012, DS3 added support for Intel IPT to bring the advantages of hardware-based authentication using OTPs to their customers. DS3 continues to follow through on its mission: to give customers the widest possible selection of authentication options. As new, promising two-factor authentication technologies are developed and validated by the industry, DS3 integrates them into its server solutions.

Advanced Protection Technology

Hardware-generated OTPs, coupled with back-end server support, represent one of the most advanced, proven methods for disrupting hacker efforts and reducing the risk of account breaches. Intel IPT is built into all Intel-inspired Ultrabook™ devices, select second-generation Intel® Core™ processors, and Intel® vPro™ technology-based PCs that feature third-generation and second-generation Intel® Core™ vPro™ processors. By supporting this technology in the latest versions of the DS3 Authentication Server, DS3 eliminates the need for customers to acquire and manage separate physical tokens (or rely on software tokens). Multi-factor log-in to the corporate network or VPN is simplified. Those employees with Intel IPT-equipped PCs don’t need to carry and use a separate token. The credentials supplied by the PC itself allow them to access the network.

Capsule Description: DS3 Authentication Server

The DS3 Authentication Server appliance offers multi-factor authentication with end-to-end encryption of keys provided by a FIPS-certified Hardware Security Module. With extensive support for a variety of token types and OTP mechanisms from different vendors (including Intel IPT support), this authentication server accommodates the stringent requirements of financial institutions and is also gaining popularity in other industries where protection against fraud and information theft is vital—including eCommerce sites, telecommunications services, cloud computing portals, logistics operations, educational institutions, and government organizations.

Teik Guan, DS3’s CEO, commented, “When we were initially presented with the Intel IPT offering, from a DS3 perspective we saw every IPT-equipped PC as essentially a front-end token. This was naturally a good fit for what DS3 does because we want to be able to offer a platform-free token across the widest range of selections—to both new and existing customers, so that everyone could choose what exactly they needed for their application. It’s not so much a decision that is made only at the point-of-purchase, but a decision based on what tokens a customer’s end users will be able to use, throughout the lifecycle of the application.

DS3 encourages customers to select the kinds of tokens and mechanisms that best match their business practices. “By having a back-end system that flexibly combines two or even three of these types of offerings together,” Guan said, “customers will not be restricted by choice of token or by choice of infrastructure. Customers are able to choose what approach makes the best sense for their businesses. That, I would say, is a very good thing. If you

Features and Benefits of Intel® Identity Protection Technology (Intel® IPT)

Most security experts regard hardware-based authentication, as implemented by Intel IPT, as more effective than software-only authentication. Intel IPT offers these features and benefits:

• One-time password (OTP) generation. A chipset embedded in an Intel IPT-equipped PC generates a single-use six-digit password in periodic timed intervals (in isolation from the PC operating system). The authentication server synchronizes and confirms this password on the back-end, validating that access is being granted to a user on a trusted platform, not malware.

• Public key infrastructure (PKI) signing. Intel IPT also provides access-point protection through a PKI certificate, embedded in the same manner as the OTP credentials. Enterprises can rely on this hardware-based PKI certificate to eliminate a requirement for any additional smart card or token.

• Protected transaction display. Encrypted I/O technology that works in combination with Intel IPT or PKI delivers another layer of protection whenever sensitive online transactions are taking place. This feature confirms the user presence, verifies the transactions, and blocks malware screen scrapers from harvesting data from the PC display.


look at security practices even 10 years ago, most business users were restricted by what they could use and deploy to their customers. They were often told by the security administrator, ‘No, you cannot do this.’ And, now, with a wide choice of front-end devices to offer—with this stronger authentication ecosystem in place—the business users have the ability

Figure 1. Overview of the DS3 Authentication Server and Intel® Identity Protection Technology components.

[Figure 1 labels: Ultrabook™ or PC featuring Intel Identity Protection Technology; Browser; Intel Identity Protection Technology Plug-in; Intel® Identity Protection Technology Middleware; Host OS; Chipset; Embedded IPT App in the Chipset; Internet; Backend; Web Server; Intel Service Verification Server Library; DS3 Authentication Server. Legend: Intel-provided component; ISV component.]

1 From a Web portal, user enters username and password.

2 OTP is generated by Intel IPT from Ultrabook or IPT-enabled PC.

3 Credentials are sent to the DS3 Authentication Server for authentication.

4 If credentials are authenticated, user can access the Web portal.
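The back-end half of the flow above, and of the OTP feature described earlier (a single-use six-digit password per timed interval, confirmed by the authentication server), as an added example; it is not DS3 or Intel code. The brief does not name the OTP algorithm, so this sketch assumes RFC 6238 TOTP with HMAC-SHA-1, a 30-second interval and a one-interval drift window; OtpVerifier and login are hypothetical names, and the secret used with it would be a constructed test value.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per OTP interval (assumed; the brief says "periodic timed intervals")
DIGITS = 6    # the brief specifies a six-digit password
WINDOW = 1    # intervals of clock drift tolerated on either side (assumed policy)

def otp_at(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (RFC 6238 feeds it time // STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Server-side check: drift-tolerant and single-use (hypothetical class)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time step already accepted for this token

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP
        matched = None
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter < 0:
                continue
            expected = otp_at(self.secret, counter).encode()
            # Constant-time comparison; every candidate is checked, no early exit.
            if hmac.compare_digest(expected, submitted.encode()):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False   # wrong code, or replay of an interval already used
        self.last_counter = matched   # "synchronize": never accept this step or older again
        return True

def login(password_ok: bool, verifier: OtpVerifier, otp: str, now: float) -> bool:
    """Steps 3 and 4: both factors must pass before portal access is granted."""
    return password_ok and verifier.verify(otp, now)
```

Tracking the last accepted interval is what makes the password single-use on the server: a code captured in transit is rejected if replayed, even inside the drift window.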

DS3’s philosophy is to offer customers authentication that matches their security needs and business practices, advancing its solution capabilities as quickly as security technologies evolve. Intel IPT extends powerful new capabilities to DS3 solutions.

“We’re seeing a need for strong authentication that is deployed even for non-financial or government-based applications. Intel IPT provides bank-grade security protocol for the masses. Now when an enterprise wants to secure the remote access for its partners or employees, it can have almost the equivalent level of security as the banks use. It can have this same level of security without needing to set up the same level of infrastructure—where we’re talking about token issuance, token logistics, token management—because all of these can be simply addressed through a combination of the Intel IPT-enabled notebooks, which are the Ultrabook devices, and a flexible back-end authentication system: the DS3 server.”
— Teik Guan, CEO, DS3

to decide what best works for them. This, I believe, is a good value proposition and a good fit for the industry.”

With the dramatic increase in financial and business transactions performed online, strong authentication has become an essential requirement to preserve privacy and protect business assets.


For More Information

For additional details about the DS3 Authentication Server, visit ds3global.com.

For a current list of PCs that feature Intel Identity Protection Technology, visit ipt.intel.com.

To watch a video that explains how Intel Identity Protection Technology works, go to ipt.intel.com/how-it-works.aspx.


1 No system can provide absolute security under all conditions. Requires an Intel® IPT-enabled system, including a 2nd or 3rd generation Intel® Core™ processor, enabled chipset, firmware, and software. Available only on participating Web sites. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages.

Information in this document is provided in connection with Intel® products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel’s terms and conditions of sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Unless otherwise agreed in writing by Intel, the Intel products are not designed nor intended for any application in which the failure of the Intel product could create a situation where personal injury or death may occur.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com.

Copyright © 2012 Intel Corporation. All rights reserved. Intel, Intel Core, Intel vPro, Ultrabook and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Printed in USA 0912/JK/MESH/PDF Please Recycle 327944-001US