White Paper
The Principles of Tokenless
Two-Factor Authentication
Table of contents
Introduction
What is two-factor authentication?
Access by hardware token
Advantages and disadvantages of tokens
Authentication using smartcards
Digital certificates are a thing of the past
Tokenless two-factor authentication: BYOD becomes BYOT
Flexibility is key
An overview of the advantages of tokenless 2FA
Summary
Introduction
The subject of IT security plays an ever more important role in these times of virtual
warfare, increasingly complex malware threats and online spyware attacks. This is
of particular concern to firms because trends, such as Bring Your Own Device
(BYOD), are making corporate networks more open to attack. Attacks are no longer
limited to the company's premises and have spread to home offices, hotels and
airports – locations where, for example, sales representatives spend time and from
where they would like to access corporate information.
Various methods have been developed to ensure that it is, in fact, employee XYZ
who is logging in and not a cyber-gangster misusing login information for his own
purposes. The main method is the password, which, together with the user name,
enables the user to log in. However, studies have shown that passwords are often
chosen with little thought, making them easy to hack and resulting in the account
being hijacked in no time at all.
More security is provided by what are known as two-factor authentication solutions.
This white paper explains the details of how they work, the versions available and
the advantages they bring to companies.
What is two-factor authentication?
The development of IT security measures, especially for authentication processes, has
seen security specialists move towards combining several mechanisms with each
other. This category also includes two-factor authentication (abbreviated as
2FA). In this approach, at least two of three possible factors are required to clearly
identify a user:
- something known only to the user (e.g. a PIN);
- a tangible item that the user alone possesses (e.g. a token in the form of a USB
stick) and/or
- something that is inseparable from and unique to the user, such as a fingerprint.
A common example of authentication using the two-factor method is obtaining
money from a cash machine: to complete the transaction successfully, the customer
needs his own bank card as well as his PIN. Access to the account is refused if
either of these two components is missing or if the PIN is not entered correctly.
This double protection reduces the risk of criminals immediately being able to
misuse stolen access data to hijack someone else's account. In many 2FA
solutions, something in the user's possession is combined with a sequence of
numbers for one-time use, i.e. a one-time passcode (OTP). This OTP is either
generated by an item in the user's possession, such as a security token, or a
reliable server generates the OTP and sends it as a second factor to the
device/token. An example of one such transfer method is a text message sent to the
user's mobile phone. As a new number is generated each time, OTPs are far less
likely to be hijacked than static or simple passwords, which can also be hijacked by
means of phishing, keylogging or replay attacks.
Access by hardware token
The conventional method used in a 2FA solution is a hardware token. A token can,
for example, be a USB stick or a key fob. A display often shows the combination of
numbers to be entered by the user in order to log in. The OTP generated by the
token is then used together with personal login details to clearly identify the user.
Advantages and disadvantages of tokens
This type of token can be used at any time and anywhere for user authentication.
Furthermore, the user is not reliant on any additional hardware or the need to install
programs. The disadvantages of this method, however, mainly concern token
handling, security and costs. For example, it is necessary to allocate a token to a
specific user. This causes the IT department a lot of allocation work to deploy: the
more employees who receive a token, the more individual configurations are
required.
Additional costs are incurred due to the limited life of the devices (about three to four
years) and through loss or theft. If employees are based all over the world, costs are
also incurred in sending the devices to them. There is also the aspect that the user
is reliant on the token because he has to take it with him at all times to authenticate
himself. If the token is lost or forgotten, access is not possible. Over time, the
employee could find it a nuisance to always have to take the token with him "just in
case". A security issue exists and is highlighted as the user doesn’t always carry a
3
token with them, so when its not with the user, where is it? This vulnerability is a
major security issue and emphasized as users may have multiple tokens to carry.
Authentication using smartcards
Another method is smartcards, which also support personal access processes in the
same way as hardware tokens. The advantages of smartcards are the multiple uses of
the card, for building access and for storing multiple certificates in one place. The
downside is the deployment of the smartcards and also the delivery and security of
the certificates that live on them. Equally, a certificate has a time to live, and this is
the biggest issue with certificate management, where administrators need to replace
or revoke a certificate. In addition to deploying the smartcards themselves, ancillary
equipment is needed, as the user's terminal must have a smartcard reader, which is
often not integrated. This means appropriate hardware or software has to be
installed. This usually results in an increased need for employee support, as staff
have to learn how to use the smartcards and the associated hardware and software.
Another disadvantage is that smartcards cannot be used with mobile terminals, as a
special reading device is not integrated and cannot be installed or connected due to
the slim design of mobile terminals in general.
Digital certificates are a thing of the past
The use of digital certificates is now largely obsolete, as they are not suitable for
flexible, location-independent logins and are linked to a single computer. This results
in a further disadvantage because anyone using that computer can log in, as the
certificate is not assigned to a specific person. If the PC is reformatted or if the hard
disk is destroyed, access by means of certificate is irrevocably blocked anyway.
Tokenless two-factor authentication: BYOD becomes BYOT
A more flexible approach is offered by tokenless two-factor authentication methods.
These are not based on separate hardware solutions, but instead use devices
already in the user's possession. This may, for example, be a mobile phone, a
smartphone or a tablet PC – irrespective of whether it is provided by the firm or is
used as a personal device. These tokenless 2FA solutions provide all the security
functions of hardware tokens but there is no need for additional hardware. This
means that BYOD immediately becomes BYOT: Bring Your Own Token.
Users have so far been able to authenticate themselves without tokens in two
different ways: software installed on the device either generates new passcodes on
request or the user receives access data in real time by text message. The pitfall
with the software solution is the existence of many different types of mobile phone
and the associated wide variety of operating systems. In this case, it is not just
procurement that is cost-intensive, the IT department would also have to be trained
in all three types of software.
An alternative is to send the passcode by text, as text messages do not constitute
an invasion of personal property. The downside to this solution is, however, the
need for real-time mobile network connections.
Flexibility is key
For greater independence, 2FA solutions, such as SecurAccess, provide flexible
passcode transmission options:
- Pre-loaded text message: whenever an OTP is used, this causes a new OTP to
be sent so that the latest passcode is always available.
- Real-time text message.
- Text message with three codes: a single text contains three OTPs; codes that
have been used are dynamically replaced in the same text message.
- Periodically sent text message: the OTPs are sent at a set time after a certain
number of days. The current code can be used several times.
- Soft-token app for smartphones: available for devices with iOS, Android,
Windows (7) or Blackberry operating systems. The user scans a seed record
using a QR code and then receives an OTP that changes every 30 seconds.
- Soft token for laptops (Microsoft/Mac): clicking on the software generates an
OTP that changes every 30 seconds.
- Voice call: first the user enters a PIN or passcode and a six-digit passcode is
then displayed. A call is automatically initiated at the same time. The user takes
the call and enters the passcode using the telephone keypad.
- Pre-loaded email: this operates in the same way as the pre-loaded text
messages. The same applies to the following three methods:
- real-time email;
- email with three codes and
- periodically sent email.
This enables the user to be particularly flexible in order to be able to adapt to the
given circumstances. For example, in the case of a road warrior who continually has
to log on remotely to see company information, the periodically sent text message or
email would make sense because the representative would then have reusable
codes at his disposal. Staff who rarely log in remotely or who do not have a mobile
phone can use the voice call method. Users who know in advance that they will
have only a poor or no network connection in a certain region can fall back on the
three-code method in order to have a ready supply of OTPs. A unique point for
SecurEnvoy is the ability to move between devices with only one of them having
live capability at a time.
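As an added illustration of the server-issued delivery options listed above (pre-loaded, three-code and real-time text or email), and not code from this white paper or from SecurEnvoy, the following Python model shows the server-side store such a method needs: it generates a batch of random single-use codes, "sends" the whole batch in one message, consumes a code in constant time, and immediately replaces the used code so the user always holds a full batch. The batch size generalises the pre-loaded case (one code) and the three-code case (three codes); the class name, the code lifetime and the in-memory outbox standing in for the SMS/email gateway are assumptions.

```python
import hmac
import secrets
import time


class OtpBatchStore:
    """Server-side store of one-time passcodes delivered by text or email.

    Hypothetical design (not SecurEnvoy's implementation): each user holds
    batch_size unused codes; every code is single-use and expires after
    lifetime_seconds; a used code is replaced at once so the batch stays full.
    """

    def __init__(self, batch_size=3, digits=6, lifetime_seconds=7 * 24 * 3600,
                 clock=time.time):
        self.batch_size = batch_size
        self.digits = digits
        self.lifetime = lifetime_seconds
        self.clock = clock          # injectable clock makes expiry testable
        self._codes = {}            # user -> list of (code, expires_at)
        self.outbox = {}            # user -> list of batches "sent" (constructed stand-in)

    def _new_code(self):
        # secrets.randbelow is a CSPRNG; zero-pad so every code has fixed width
        return str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)

    def _live(self, user):
        now = self.clock()
        return [(c, exp) for c, exp in self._codes.get(user, []) if exp > now]

    def provision(self, user):
        """Top the user up to batch_size unused codes and send the full batch."""
        live = self._live(user)
        while len(live) < self.batch_size:
            live.append((self._new_code(), self.clock() + self.lifetime))
        self._codes[user] = live
        batch = [c for c, _ in live]
        self.outbox.setdefault(user, []).append(batch)
        return batch

    def verify(self, user, candidate):
        """Consume one code; returns True only for an unused, unexpired code.

        Every live code is compared with hmac.compare_digest and the loop does
        not stop early, so timing does not reveal which code (if any) matched.
        """
        live = self._live(user)
        matched = None
        for code, exp in live:
            if hmac.compare_digest(code, candidate):
                matched = (code, exp)
        if matched is None:
            self._codes[user] = live
            return False
        live.remove(matched)            # single use: the code is gone now
        self._codes[user] = live
        self.provision(user)            # dynamic replacement of the used code
        return True
```

Note that rejecting an expired batch is handled by filtering on `expires_at` before each comparison, so a periodically sent batch from a previous cycle cannot be replayed after its lifetime ends.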
Life Cycle Management is a term SecurEnvoy now uses to describe the creation,
movement and management of the seed records of devices. Traditionally, seeds are
created and installed onto a device; however, if you use multiple devices and/or
change the type of authentication you wish to use, these seeds are not easily
disposed of and are very difficult to re-enable. They are also quite expensive and
cannot be reused on another device. Understanding how users manage and use their
devices has allowed SecurEnvoy to build a solution that allows the user to move
between devices and methods of authentication without leaving a footprint behind.
Traditional seed records are created by the vendor, who normally keeps a copy; the
recipient then installs the seed onto a device and uses the device as a virtual token.
However, if the user chooses to use another method of authentication, the seed
must either be deleted or left running. The issue with this, now that we live with
multiple devices, is that it leaves multiple devices with live capabilities, both when
they are in our possession and when they are not. This older method of seed
management leaves a lot to go wrong and is not as secure as it should be.
SecurEnvoy allows the user to have the technology available on as many devices as
they choose, at no extra cost, but allows only one of these devices to be the
authenticator at any one time, thus alleviating any potential compromise of a
user's identity. This seed and identity management is key to securing the user and
ensuring the company has business-grade technology that is 100 % reliable. Equally,
it is important that these seeds are not kept by the vendor, so, uniquely, SecurEnvoy
does not provide the seeds itself and does not have access to them; instead,
the customer installs the on-premise software, creates their own seeds and
manages them themselves. The same applies to our cloud providers, who
also benefit from this methodology, as they too do not keep or manage the seeds;
only the client does. From a security perspective this is critical to the longer-term
trust in a solution.
Finally, security is strongest when the seed cannot be compromised; it is for this
reason that SecurEnvoy uniquely creates split keys. One part is a fingerprint of the
device and resides on the device; the other part sits securely back in the
enterprise. If either side were compromised, the seed is not available for compromise
and is unique to the device. This same method works for our customers because
each seed is created on the fly to allow the user to move between devices. Should
one device be compromised, only one part is taken; the other part can be deleted
from the server, which alleviates any possible compromise.
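The following Python example is added here and is not SecurEnvoy's code. It combines the soft-token behaviour described under "Flexibility is key" (an OTP derived from a seed that changes every 30 seconds) with the split-key idea in the paragraph above: the seed is never stored whole but is re-derived on the fly from a device half and an enterprise half with HKDF (RFC 5869) and then used for RFC 6238 TOTP (built on RFC 4226 HOTP). The server side keeps only the enterprise half, allows one live device at a time, verifies with a one-step clock window, rejects replay of a code already accepted, and can revoke a device by deleting its enterprise half. The HKDF info label, the class names and the simplifying assumption that the device half is presented with each authentication request are illustrative choices, not the vendor's protocol.

```python
import hashlib
import hmac
import struct
import time


def hkdf_sha256(salt, ikm, info, length=20):
    """RFC 5869 HKDF: Extract (HMAC with salt) then Expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_seed(device_part, enterprise_part):
    """Split key (assumed model): the OTP seed exists only while both halves
    are present. The info label is an illustrative constant."""
    return hkdf_sha256(salt=enterprise_part, ikm=device_part, info=b"otp-seed-v1")


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / 30 s), so the code
    changes every 30 seconds, as the soft-token description above states."""
    return hotp(seed, int(unix_time) // step, digits)


class Enterprise:
    """Server side (hypothetical): one enterprise half per enrolled device,
    one live authenticator at a time, and a replay guard on the time step."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.devices = {}       # device_id -> enterprise half (never the seed)
        self.active = None      # only this device may authenticate
        self.last_step = -1     # highest time step already accepted

    def enrol(self, device_id, enterprise_part):
        self.devices[device_id] = enterprise_part
        self.active = device_id     # moving to a new device makes it the live one

    def revoke(self, device_id):
        """Lost device: delete the enterprise half; the seed is now unrecoverable."""
        self.devices.pop(device_id, None)
        if self.active == device_id:
            self.active = None

    def verify(self, device_id, device_part, candidate, window=1, step=30):
        if device_id != self.active or device_id not in self.devices:
            return False
        if not candidate.isdigit():
            return False
        seed = derive_seed(device_part, self.devices[device_id])   # on the fly
        now_step = int(self.clock()) // step
        for s in range(now_step - window, now_step + window + 1):
            if s <= self.last_step:
                continue                # already used or older: replay guard
            if hmac.compare_digest(hotp(seed, s), candidate):
                self.last_step = s
                return True
        return False
```

The RFC 4226/6238 test vectors (seed `12345678901234567890`, counter 1 or time 59 seconds giving `287082`) can be used to confirm that the HOTP/TOTP part is interoperable with standard soft-token apps; the split-key derivation sits in front of it and changes only where the seed comes from.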
An overview of the advantages of tokenless 2FA
- Cost savings: there is no need for additional hardware tokens, which have to be
purchased, configured, maintained and regularly replaced if lost or stolen.
- It works with all the latest mobile phones, smartphones, laptops, tablets,
Microsoft PCs and Apple Macs.
- Flexible code transmission options, for example by text, email, soft token or voice
call.
- The user has the choice and is in control, taking a lot of the strain off the IT
department, as it only needs to define the general conditions, such as the specific
time for periodic passcode updates and such like.
- There is no need for personalised configuration, unlike the case with tokens, so
this also reduces the workload.
Summary
With the help of 2FA, companies can ensure that their staff can clearly identify and
authenticate themselves, as only the correct combination of user data and OTP
allows them to log in. The tokenless method also has further advantages, for
example cost savings, as there is no need to invest in separate tokens. The staff do
not have to carry an additional device around with them either, instead they simply
use their existing mobile terminal. The authentication method is particularly secure
because one component is known only to the user and the other is sent to a device
that is only in the user's possession. Even if the employee loses his smartphone or
login details or if they are stolen – these factors, on their own, are of no use to a
thief. A range of transmission options also provides flexibility and can be adapted to
different working conditions.