Tokenless™ Authentication
Stephen Crick, Business Development Manager, SecurEnvoy

Overview
• UK company - Founded in 2003
• Inventors of Tokenless™ Authentication
• Represented in 38 Countries (and growing)
• 700 global customers
• ¾ Million End User Devices
• Pure Channel Partner Sales Model
• Private and profitable company

Who uses SecurEnvoy?
© 2009 Copyright SecurEnvoy Ltd. All rights reserved

SecurEnvoy Products
• SecurAccess
• SecurICE
• SecurPassword
• SecurMail

Evolving User Base
• Simplicity, Usability, Versatility, Cost
• Timeline: 1980, 1990, 2000, 2010, 2011+

Mobile Workforce
• Technology is driving mobility
• Consumer and Business devices are becoming the same thing
• Social Networking is driving communications and business
• Connect Anytime, Anywhere on-demand
• Make it Secure and not Complex

Simple Facts
• Usability – Consumer / End User
• Versatility – Technology / Capability
• Simplicity – Administration
• Cost – Upfront / On-going

Two Factor Authentication
• Factor One – Something You Know
• Factor Two – Something You Have

Problems With Passwords
• "Social engineering"
• Finding written password
  – Post-It Notes
  – 10 PINs a day!
• Guessing password / PIN
  – Dog / Kid's name / Birthday
• Shoulder surfing
• Keystroke logging
  – Can be resolved with mouse based entry
• Screen scraping (with Keystroke logging)
• Brute force password crackers
  – L0phtcrack

Are you Secure? Protect Yourself / Company
• Compliance
  – PCI
  – SOX
  – HIPAA
  – Government / Military / Education
  – E-Initiatives
• Policy
  – Stronger Security
• It's now Your Digital Profile!
  – Your money
  – Your identity

Adding Another Level
• Andyk / P0stcode – Something You Know
• 234836 – Something You Own

Deploying 2FA – Tokenless™ SecurAccess

Tokens Vs Tokenless™
Traditional Tokens
• Usability
  – Extra hardware
  – Usually extra complexity to login
  – Not globally recognised
• Simplicity
  – Nightmare to manage
  – Extra Servers
  – Extra Databases
  – Extra Security Required
  – Extra maintenance
• Versatility
  – Usually One solution per item
• Cost
  – Expensive upfront and ongoing
Tokenless™
• Usability
  – Uses what you already have (5 Billion Phones globally)
  – Intuitive process for login
  – Everyone understands SMS and Phones
• Simplicity
  – 20,000+ users deployed in an Hr
  – Uses what you already have
  – NO Extra Servers
  – NO Extra Databases
  – NO Extra Security Required
  – NO Extra maintenance
• Versatility
  – Can support multiple apps
• Cost
  – Around 60% cheaper

SMS or Soft Token

SMS - Reliability

SMS – Secure?
• Phone Trojans
  – Need to install on the phone?
• Seed Record Hacking
  – No seed records
• Man in the Middle
  – User alerted on login attempt
  – Session cookie is fingerprinted
  – OTP – once the code is used it is locked / changed
• SMS capturing
  – User alerted on login attempt
  – Without Username & Password what is the SMS for?
  – Unidirectional – not susceptible to DDoS attacks

One SMS Solution?
• Real Time
  – What is true Real Time?
• Flash vs Pure Text
  – What if there is no network coverage?
  – What if there are delays?
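The four properties the "SMS – Secure?" slide relies on (a passcode is locked the moment it is used, the session cookie is bound to a client fingerprint, the user is told about login attempts, and the SMS is useless without the username and password) can be shown in a small server-side model. The block below is an added Python illustration written for this page, not SecurEnvoy's code; the in-memory store, the 5-minute passcode expiry, the SMS wording, the phone number and the fingerprint strings are all constructed assumptions. It also models the pre-load delivery the deck raises next (the next passcode is sent as soon as the current one is consumed, so it is already on the phone before the next login), which is one way to read that slide rather than the product's documented mechanism.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 300   # assumption: a pre-loaded passcode expires after 5 minutes
OTP_DIGITS = 6          # assumption: six-digit passcodes, as on the "Adding Another Level" slide


def hash_password(password: str) -> str:
    # Illustrative only; a real server would use a slow KDF (bcrypt/scrypt/Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class UserRecord:
    password_hash: str                  # factor one: something you know
    phone: str                          # factor two is delivered here: something you have
    pending_otp: Optional[str] = None   # the single code currently valid; None once used
    otp_issued_at: float = 0.0
    failed_attempts: int = 0


class TokenlessAuthServer:
    """Constructed model of a tokenless 2FA server: no seed records, one live code per user."""

    def __init__(self, send_sms: Callable[[str, str], None]) -> None:
        self.send_sms = send_sms                   # stands in for the SMS gateway / modem
        self.users: Dict[str, UserRecord] = {}
        self.sessions: Dict[str, str] = {}         # session id -> client fingerprint

    def enrol(self, username: str, password: str, phone: str) -> None:
        rec = UserRecord(hash_password(password), phone)
        self.users[username] = rec
        self._preload_next_code(rec)               # pre-load: the first code is sent at enrolment

    def _preload_next_code(self, rec: UserRecord) -> None:
        # Codes are generated server-side on demand, so there is no seed record to steal.
        rec.pending_otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        rec.otp_issued_at = time.time()
        self.send_sms(rec.phone, f"Passcode {rec.pending_otp}")

    def login(self, username: str, password: str, otp: str, client_fingerprint: str) -> Optional[str]:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec.password_hash, hash_password(password)):
            return None  # a captured SMS is worthless without username and password
        valid = (
            rec.pending_otp is not None
            and time.time() - rec.otp_issued_at <= OTP_TTL_SECONDS
            and hmac.compare_digest(rec.pending_otp, otp)
        )
        if not valid:
            rec.failed_attempts += 1
            self.send_sms(rec.phone, "Alert: login attempt with wrong passcode")  # user alerted
            return None
        rec.pending_otp = None                     # lock: the used code cannot be replayed
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = client_fingerprint   # session cookie is fingerprinted
        # The SMS carrying the next code doubles as the alert that a login just happened.
        self._preload_next_code(rec)
        return session_id

    def check_session(self, session_id: str, client_fingerprint: str) -> bool:
        # A stolen cookie presented from a different client does not match its fingerprint.
        expected = self.sessions.get(session_id)
        return expected is not None and hmac.compare_digest(expected, client_fingerprint)


def demo() -> dict:
    # Constructed scenario using the credentials shown on the "Adding Another Level" slide.
    outbox = []
    server = TokenlessAuthServer(lambda phone, text: outbox.append(text))
    server.enrol("Andyk", "P0stcode", "+44 7700 900000")          # constructed phone number
    first_code = outbox[-1].split()[-1]
    sid = server.login("Andyk", "P0stcode", first_code, "fp-laptop")
    replay = server.login("Andyk", "P0stcode", first_code, "fp-other")   # same code again
    no_pw = server.login("Andyk", "guess", outbox[1].split()[-1], "fp-other")
    sid2 = server.login("Andyk", "P0stcode", outbox[1].split()[-1], "fp-laptop")
    return {
        "first_login_ok": sid is not None,
        "replay_rejected": replay is None,
        "wrong_password_rejected": no_pw is None,
        "preloaded_code_works": sid2 is not None,
        "cookie_bound_to_client": server.check_session(sid, "fp-laptop")
        and not server.check_session(sid, "fp-other"),
        "sms_sent": len(outbox),
        "alerts_sent": sum(1 for t in outbox if t.startswith("Alert")),
    }


if __name__ == "__main__":
    print(demo())
```

The demo returns a dictionary of outcomes rather than printing them so the behaviour can be checked in a test: the first code works once, a replay of it is refused and triggers an alert SMS, a wrong password is refused before the code is even looked at, the pre-loaded second code works, and the session cookie only validates from the client that created it.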
• Pre-Load
  – Available Now
  – Multiple Code Options
  – Still Secure
  – Uses SMS protocol to simplify
• Web Gateway / Modem
  – Voice / SMS / Pager

SecurMail

Password Reset – Traditional Method
Traditional approach
• Enrollment
  – User enrolls with separate security questions
  – Database of user information: Mother's Name, First School, Child Name, First job, Street name
• Password reset
  – User answers a random set of security questions
  – User resets password
  – Reset complete via API

SecurPassword
• User authenticates with Two-Factor
• Enrollment
  – User enabled in LDAP
  – All user data stored on SecurEnvoy server (AES 256 bit)
  – Supported LDAP servers: Microsoft AD, Novell e-Dir, Sun One, Linux, IBM
  – User sent automatic enrollment request
  – User selects Security questions
  – User provides Security answers
  – User enrollment process complete
• Self Service Reset
  – User selects password reset link
  – User enters passcode and security answer
  – User enters new password
  – Password policy elements are displayed

SecurEnvoy
• Usability – Consumer / End User
• Versatility – Technology / Capability
• Simplicity – Administration
• Cost – Upfront / On-going

Case Study
• T-Mobile (UK)
  – Mobile Telecoms Company
  – RSA User – 2000 approx.
• Change? Cost / Complexity – admin contractors etc.
  – SecurAccess – 6000 approx.
  – Competition
    • Cryptocard
    • Swivel
  – Reasons for choosing SecurAccess
    • Simplicity – Administration / Msoft AD integration
    • Cost savings (initial and ongoing)
  – Other benefits
    • Deployed over a weekend
    • Scripted for all new users – self administrating

Case Study
• Sykhuspartner (Norway)
  – Health Services
  – New user requirement – 70,000 users
  – SecurAccess – 25,000+ approx.
  – Competition
    • SMS Passcode
    • RSA
  – Reasons for choosing SecurAccess
    • Simplicity – Administration / Msoft AD integration
    • Cost savings (initial and ongoing)
    • Reliability for delivering SMS (pre-load)
  – Other benefits
    • Now looking at SecurPassword – 70,000 users

Case Study
• Imperial Tobacco (Global)
  – RSA User & SecurAccess – 12000 approx.
• Change? Cost / Complexity
  – SecurAccess – 7500 approx.
  – Competition
    • RSA
    • Vasco
  – Reasons for choosing SecurAccess
    • Simplicity – Administration
    • Cost savings (initial and ongoing)
  – Other benefits
    • Due to RSA breach moving all over to SecurAccess
    • Ability to support SMS Gateways
    • Delivery of SMS

Case Study