OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance: Current Landscape and Trends
WHITE PAPER (ActivIdentity)

Executive Summary

This paper analyzes the current landscape of One Time Password (OTP) and Challenge-Response algorithms. It details the technical and security differences between algorithms such as the OATH algorithms (HOTP, OCRA, time-based HOTP), EMV CAP and the proprietary algorithms from ActivIdentity. The paper describes the most common use cases and their applicability as important tools for identity assurance in the financial and e-government sectors. It also outlines observed trends in current usage and future trends, giving the audience the information needed to make a more informed choice in their identity assurance challenges.
Table of Contents

- Executive Summary
- Anatomy of OTP algorithms
  - What is a one-time password (OTP)
  - OTP moving factor analysis
    - Time only based algorithms
    - Event only based algorithms
    - Time and Event algorithms (combines the best of the above)
  - OTP algorithm analysis
    - OTP algorithms using asymmetric cryptography
    - OTP algorithms using symmetric cryptography
- OTP authentication: how it works
- History and evolution of OTP algorithms
  - Traditionally: proprietary
  - Emerging: based on industry standard (Financial Services)
  - Recently: open and royalty free (OATH)
  - Evolution of use case and form factor
- Why is OTP still relevant?
  - There are other interaction channels than the internet
  - Advantages of OTP
- Algorithm comparison
  - ActivIdentity algorithm family
  - EMV CAP algorithm family
  - OATH algorithm family
  - Algorithm comparison matrix
- Trends
- Conclusion
- References
Anatomy of OTP algorithms

Before delving into the history and differences between the various OTP algorithms, let's start with the basics. This will make clear where the differences lie between algorithms and how they impact security and usability.

What is a one-time password (OTP)

A code that changes after every use and can only be used once, hence a one-time password, or OTP. An OTP is based on a cryptographic algorithm: using a key k, a cryptogram is generated:

    Cryptogram = f(k)

Computing the cryptogram together with moving factors makes the output unpredictable and one-time:

- Counter (c): increased with each usage (also called event), and/or
- Time (t): number of elapsed time intervals (e.g. seconds)

    Cryptogram = f(k, c, t)

A truncation function makes it short and human readable:

    OTP = Truncate(f(k, c, t))

OTP moving factor analysis

The moving factors used to make the password one-time have implications both for the usage and the security of the overall OTP algorithm.

Time only based algorithms

- the OTP changes based on a time interval (e.g. every 30 seconds)
- the OTP has a time to live (e.g. can be used within the next 2 minutes)
- the OTP is harder to phish because it must be used within the time to live
- it is not possible to generate a new OTP within the same time interval (e.g. the user needs to wait for the next interval, up to 30 seconds)
- needs replay protection on the server, since a simple algorithm would successfully validate repeated attempts with the same OTP within the same time interval

Event only based algorithms

- the OTP can be requested at any time (no need to wait for a time interval to pass)
- the OTP can be used at any time after being produced (no time to live)
- easier to phish, since the phisher does not need to use the OTP within a time to live but can harvest passwords and use them later
- replay protection is based solely on the forward-moving counter

Time and Event algorithms (combines the best of the above)

- the OTP has a time to live (e.g. can be used within the next 2 minutes)
- the OTP can be requested at any time (no need to wait for a time interval to pass)
- the OTP is harder to phish because it must be used within the time to live
- replay protection is based solely on the forward-moving counter
- needs more complex auto-resync (2 moving factors instead of 1 that could go out of sync between the server and the device)

OTP algorithm analysis

Let's look more closely at which cryptographic algorithms can be used to generate OTPs.

OTP algorithms using asymmetric cryptography

Because of the nature of asymmetric keys, the verifier needs the complete signature to be able to validate it. The length of a PKI signature depends on the length of the key used, for example: RSA 1024 = 1024 bits long = 128 bytes long = not easy to type. This makes asymmetric algorithms less suitable for OTP algorithms; they could be used in situations where no human is involved in transcribing the OTP for transmission to the validation server, for example in an OTP device connected via the USB port to a laptop.

OTP algorithms using symmetric cryptography

The nature of symmetric key cryptography means that the same cryptogram can be regenerated by the verifying party, so only part of the cryptogram (the truncated bits) needs to be compared. This means that an arbitrary portion of the cryptogram can be used as the OTP, making it short and easy to type. Historically, all well-known OTP algorithms are based on symmetric key cryptography.
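As an added example (not code from the ActivIdentity paper), the generic OTP = Truncate(f(k, c, t)) and the replay-protection points from the moving-factor analysis above, instantiated with OATH HOTP (RFC 4226, f = HMAC-SHA1 over the counter) and its time-based variant TOTP (RFC 6238, c = time // step). The two verifier classes, their window sizes and the use of the RFC test secret are this example's own assumptions, not part of any of the specifications.

```python
"""HOTP and TOTP, with the server-side checks the moving-factor analysis calls for.

Added example (not from the ActivIdentity paper): the generic
OTP = Truncate(f(k, c, t)) is instantiated with OATH HOTP (RFC 4226,
f = HMAC-SHA1 over the counter) and TOTP (RFC 6238, c = unix_time // step).
The verifier classes and their window sizes are this example's own design.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret: the ASCII string "12345678901234567890".
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits)


class EventVerifier:
    """Event-only OTP (HOTP) verifier.

    Replay protection is the forward-moving counter: once a counter value is
    accepted, it and every lower value are dead.  A look-ahead window tolerates a
    device that generated codes the server never saw (counter drift).  Without
    time in the moving factor a harvested code has no time to live.
    """

    def __init__(self, key: bytes, look_ahead: int = 10) -> None:
        self.key = key
        self.look_ahead = look_ahead
        self.next_counter = 0                     # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.next_counter = c + 1         # consume c and any skipped values
                return True
        return False


class TimeVerifier:
    """Time-only OTP (TOTP) verifier.

    The accepted steps around 'now' give the code its time to live, but within
    that window the same code validates repeatedly, so the server must also
    remember the highest step it has accepted: the extra replay protection the
    analysis above says time-only algorithms need.
    """

    def __init__(self, key: bytes, step: int = 30, drift_steps: int = 1) -> None:
        self.key = key
        self.step = step
        self.drift_steps = drift_steps
        self.last_step = -1                       # highest step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for t in range(current - self.drift_steps, current + self.drift_steps + 1):
            if t <= self.last_step:
                continue                          # already consumed: reject replay
            if hmac.compare_digest(totp(self.key, t * self.step, self.step), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_KEY, 0))            # 755224 (RFC 4226 vector)
    print("TOTP at t=59:", totp(TEST_KEY, 59, digits=8))    # 94287082 (RFC 6238 vector)
```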
OTP authentication: how it works

Figure 1: OTP algorithm in action

History and evolution of OTP algorithms

Traditionally: proprietary

Traditionally, strong authentication algorithms using OTP were invented by private companies and their use immediately protected via patents. One of the best known such algorithms is SecurID, invented in the U.S.A. by the company Security Dynamics, then acquired by RSA, now part of EMC. Initially these technologies were used to protect the network as part of authenticating a user strongly for access to the enterprise. The same problem was solved independently on the old continent by companies such as ActivCard (now re-branded to ActivIdentity) out of France, now headquartered in Fremont, California, and later by Vasco (Belgium), now headquartered in Zurich. With the emergence of Internet-based financial services, the need to protect those services became crucial and the same algorithms and technologies were used. Furthermore, the requirement to protect specific transactions brought the emergence of challenge/response and Symmetric Key Signature (MAC over several parameters) algorithms.

Emerging: based on industry standard (Financial Services)

The Europay MasterCard Visa Chip Authentication Program (EMV/CAP) is a set of specifications that detail the use of existing device technology [Mas04] (an EMV-compliant smartcard with an unattached reader) for consumer authentication in cardholder-not-present services, e.g. internet based.
The specifications detail:

- A one time password algorithm
- A handheld reader
- A validation service

In 2003 MasterCard CAP was harmonized with an equivalent standard from the UK's Association of Payment and Clearing Services (APACS). APACS is currently developing a new specification which refines the user interface model for a handheld reader. This specification proposes no changes to the algorithm or validation service.

The EMV CAP specification seeks to leverage the extensive deployments of EMV chip-based debit and credit cards by expanding their use to include strong authentication and simple transaction signatures. MasterCard CAP can also be used for transaction verification, either by forcing a re-authentication or, more effectively, through a Challenge/Response mechanism.

Using EMV for authentication requires a Hand Held Device (HHD) that generates a One Time Password from the EMV card application (after correct PIN entry). The resulting cryptogram can be used for authentication to access and manage accounts held by the cardholder, or during cardholder-not-present payments. As with other OTP technologies, the model is suitable for use over the internet or other channels such as a call centre.

Another benefit of the EMV CAP model is that the PIN used to activate the card is typically the same as the PIN already used with the card, for example to access ATM-based services. This has the advantage that the customer is not required to remember an additional secret, and the infrastructure for PIN issuance and reset is already in place.

Visa, aside from a few minor changes to the standard, has adopted the MasterCard CAP specification, thus enabling re-use of CAP readers for Visa members. In Visa terminology, CAP is referred to as Dynamic Passcode Authentication (DPA). This paper will hence treat the two as common under EMV CAP.
Currently EMV CAP is being deployed by major financial services institutions in the UK, Netherlands and France as an authentication mechanism for their retail customer base.
Recently: open and royalty free (OATH)

The Initiative for Open Authentication [OATH] is an industry consortium launched in 2004 that has now grown to almost 100 members. OATH was formed after analysis of the existing one time password algorithms suitable for a strong authentication ecosystem showed that they were all proprietary and from competing companies. OATH therefore endeavoured to create a royalty- and patent-free algorithm based on HMAC. This algorithm was submitted as a draft to the IETF and has now become an RFC [RFC4226]. Based on the work done for RFC4226, OATH realised that some applications require an algorithm based on a challenge-response mechanism, hence a new draft has been submitted to the IETF as the OATH Challenge Response Algorithm [OCRA]. Additionally, interest in a royalty-free, time-based OTP algorithm was growing and the community asked OATH to produce one. In 2008 the first version of the time-based OTP specification, TOTP [TOTP], based on RFC4226, was submitted to the IETF. All OATH algorithms, being royalty free and easily embeddable, bode well for very wide adoption.

Evolution of use case and form factor

Together with the evolution of the algorithms themselves there has been an evolution of the use cases and applications of the technology. Especially since the launch of the royalty-free algorithms, the number of implementations has flourished in diverse form factors. The following is an attempt to show a timeline combining both use case and form factor evolution:

Figure 2: Evolution of use case and form factors in OTP devices
Why is OTP still relevant?

There are other interaction channels than the internet

When considering phishing and online fraud attacks it is important to consider all interaction channels a user has; some of these channels are often overlooked in phishing analysis that focuses only on the internet channel:

Figure 3: Possible user interaction channels

Additionally, from a user and support perspective it is highly desirable to have the same mechanism protect all channels, but not all strong authentication mechanisms can be used across all interaction channels. The following matrix provides an analysis of commonly used strong authentication mechanisms and how applicable they are to each channel:

Figure 4: Strong authentication mechanisms applicability by interaction channel
As one can see, OTP is still one of the most applicable strong authentication mechanisms across all potential interaction channels.

Advantages of OTP

- Can be used on existing non-PKI-enabled network access devices (VPN)
- Can be implemented in a tamper-evident, non-hackable device (e.g. token or smart card)
- No client install needed
- Often does not require a change of access interface: Username/Password -> Username/OTP
- Simple to use (user interaction)
- Long-life devices (up to 6-9 years)
- Tried and tested
- Modest infrastructure requirements
- Truly multi-channel
- Can be used over phone/IVR

Algorithm comparison

This section goes into the technical detail of the algorithms and gives the audience the information to compare them from an application and security angle. The type defines the kind of algorithm:

- OTP: One Time Password
- C/R: Challenge Response
- MAC: Symmetric signature of more than one parameter
ActivIdentity algorithm family

Table 1: Analysis of the ActivIdentity algorithm family.

OTP
- Characteristics: algorithm 3DES; Time AND Event based, or Event only based; auto-synchronisation digits within the OTP (almost no synchronisation issues)
- Analysis:
  - the OTP has a time to live (e.g. can be used within the next 2 minutes)
  - the OTP can be requested at any time (no need to wait for a time interval to pass)
  - the OTP is harder to phish because it must be used within the time to live
  - replay protection is based solely on the forward-moving counter
  - auto-sync mitigates the resync issue (2 moving factors instead of 1 that could go out of sync)

C/R
- Characteristics: algorithm ANSI X9.8; fixed response for any given challenge
- Analysis:
  - the response has no time to live; the validation server needs to provide a timing mechanism between issuance of a challenge and return of the response
  - the response is the same for the same challenge, so it is susceptible to attacks where a previous challenge/response pair is known; on the other hand, a fixed response for a specific challenge aids in non-repudiation cases

MAC
- Characteristics: algorithm 3DES; Time AND Event based; up to 10 parameters
- Analysis:
  - the MAC has a time to live (e.g. can be used within the next 2 minutes)
  - the MAC can be requested at any time (no need to wait for a time interval to pass)
  - the MAC is harder to phish because it must be used within the time to live
  - replay protection is based solely on the forward-moving counter
  - auto-sync mitigates the resync issue (2 moving factors instead of 1 that could go out of sync)

Form factors: Tokens and Smart Card Applet
Industry: Enterprise Business to Employees (B2E), Financial Services Business to Employees and Business to Consumer (B2C)
EMV CAP algorithm family

Table 2: Analysis of the EMV CAP algorithm family.

OTP
- Characteristics: algorithm 3DES as specified in the CAP functional spec; Event only based; auto-synchronisation digits within the OTP (fewer synchronisation issues)
- Analysis:
  - the OTP can be requested at any time (no need to wait for a time interval to pass)
  - the OTP can be used at any time after being produced (no time to live)
  - easier to phish, since the phisher does not need to use the OTP within a time to live but can harvest passwords and use them later
  - replay protection is based solely on the forward-moving counter
  - auto-sync mitigates the resync issue (2 moving factors instead of 1 that could go out of sync)

C/R
- Characteristics: algorithm 3DES; Event based (different response for the same challenge)
- Analysis:
  - the response has no time to live; the validation server needs to provide a timing mechanism between issuance of a challenge and when the response returns
  - the response changes even for the same challenge, which prevents attacks using a previously known challenge/response pair but could create issues during non-repudiation

MAC
- Characteristics: algorithm 3DES; Event based; Challenge, Amount and Currency, or up to 10 parameters
- Analysis:
  - the MAC has a time to live (e.g. can be used within the next 2 minutes)
  - the MAC can be requested at any time (no need to wait for a time interval to pass)
  - the MAC is harder to phish because it must be used within the time to live
  - replay protection is based solely on the forward-moving counter
  - auto-sync mitigates the resync issue (2 moving factors instead of 1 that could go out of sync)

Form factor: Smart card applet with unconnected reader; mobile applet coming
Industry: Financial Services (B2C, Business to Consumer); emerging in Government for G2E and G2C
OATH algorithm family

Table 3: Analysis of the OATH algorithm family.

OTP (HOTP, RFC 4226)
- Characteristics: algorithm HMAC-SHA1; Event only; no synchronisation digits within the OTP
- Analysis:
  - the OTP can be requested at any time (no need to wait for a time interval to pass)
  - the OTP can be used at any time after being produced (no time to live)
  - easier to phish, since the phisher does not need to use the OTP within a time to live but can harvest passwords and use them later
  - replay protection is based solely on the forward-moving counter

OTP (time-based HOTP)
- Characteristics: algorithm HMAC-SHA1; Time only; no synchronisation digits within the OTP
- Analysis:
  - the OTP changes based on a time interval (e.g. every 30 seconds)
  - the OTP has a time to live (e.g. can be used within the next 2 minutes)
  - the OTP is harder to phish because it must be used within the time to live
  - it is not possible to generate a new OTP within the same time interval (e.g. the user needs to wait for the next interval, up to 30 seconds)
  - needs replay protection on the server, since a simple algorithm would successfully validate repeated attempts with the same OTP within the same time interval

C/R (OATH Challenge Response algorithm, OCRA)
- Characteristics: algorithm HMAC-SHA1, HMAC-SHA256 or HMAC-SHA512; Event OR Time
- Analysis:
  - the response changes even for the same challenge, which prevents attacks using a previously known challenge/response pair but could create issues during non-repudiation
  - the response has a time to live when time is used
  - very flexible via the algorithm suite and optional inputs such as time or event

MAC
- Characteristics: handled by OCRA (see above)
- Analysis: same as OCRA (see above)

Form factors: Tokens, Smart Card Applet, Display Card, Soft Tokens (mobile)
Industry: Financial Services B2C (Business to Consumer), Enterprise B2E (Business to Employee)
Algorithm comparison matrix

Figure 5: Algorithm comparison matrix

| | OATH HOTP (RFC4226) | OATH Challenge Response (OCRA) | OATH Time based (TOTP) | EMV CAP / DPA | AI (ActivIdentity) | Vasco | RSA |
|---|---|---|---|---|---|---|---|
| Algorithm | HMAC-SHA1 | HMAC-SHA1, HMAC-SHA256, HMAC-SHA512 | HMAC-SHA1 | 3DES | 3DES | 3DES | AES |
| Moving factors | Counter | Counter (optional), Time (optional) | Time | Counter | Counter & Time | Counter & Time | Time |
| Truncation | Dynamic, based on last digit of cryptogram | Dynamic, based on last digit of cryptogram | Dynamic, based on last digit of cryptogram | Based on a mask on the card | Fixed | Fixed | |
| Auto-Sync | N | N | N | Y | Y | Y | N |
| OTP | Y | Y | Y | Y | Y | Y | Y |
| C/R | N | Y | N | Y | Y | Y | Y |
| Sign (MAC) | N | Y | N | Y | Y | Y | Y |

Trends

Currently it is possible to observe the following trends in the use of OTP:

- OTP authentication being rolled out by financial institutions to their retail customer base is predominantly token based, with EMV CAP cards gaining market presence; economies of scale are starting to make a difference for EMV CAP
- Governments looking at EMV CAP as a means for large-scale B2E and G2C authentication, riding on the issuance of card readers by financial institutions
- Governments looking at online EMV CAP authentication to provide proof of consent for access to centralised government database repositories
- OATH tokens starting to become a viable alternative, especially now that the time-based algorithm has been published
- Proprietary algorithms such as ActivIdentity's and Vasco's still have a slight edge in security and usability (e.g. Time AND Event based, and sophisticated re-sync digits within the OTP)
- Mobile tokens regaining market interest but still not breaking into mass mainstream deployment
- New applications and form factors such as the DisplayCard and client-less USB make this technology easier and more economical to deploy
- Emergence of managed service offerings in OTP authentication (BT, VeriSign)

Conclusion

OTP authentication has come a long way from the proprietary offerings of its infancy. The OATH algorithms in particular have made implementation easier, more cost effective and available in more form factors than before. Although other forms of stronger authentication have gathered pace and the era of functionally working PKI authentication without complex client install is upon us, there is still a strong argument for OTP, especially where access to resources over non-internet channels is required (e.g. retail banking). As demonstrated above, there are some differences both in security and usability between the different algorithm offerings. Although proprietary offerings still have an advantage, the OATH time-based algorithm brings a royalty-free option with levels of security previously reserved for the proprietary ones. More vertical markets are leveraging the technology experience of other verticals, such as the emergence of OTP in the Government-to-Citizen market, which leverages the financial services Business-to-Consumer experience. Additionally, new form factors such as the DisplayCard are finally bringing the usability difference that made a pure token offering undesirable in certain deployments. This makes OTP, far from an old technology, one of the best choices to strengthen authentication beyond the password, especially in a multichannel environment.
References

[OATH] OATH, Initiative for Open Authentication
[RFC4226] IETF, HOTP: An HMAC-Based One-Time Password Algorithm
[OCRA] IETF, OCRA: OATH Challenge-Response Algorithms
[TOTP] IETF, TOTP: Time-based One-time Password Algorithm
[Mas04] MasterCard International Incorporated, Chip Authentication Program - Functional Architecture, September 2004

About ActivIdentity

Contact: info@actividentity.com

ActivIdentity Corporation is a global leader in intelligent identity assurance, providing solutions to confidently establish a person's identity when interacting digitally. For more than two decades the company's experience has been leveraged by security-minded organizations in large-scale deployments such as the U.S. Department of Defense, Nissan, and Saudi Aramco. The company's customers have issued more than 100 million credentials, securing the holder's digital identity. ActivIdentity is headquartered in Silicon Valley, California. ActivIdentity is part of HID Global, an ASSA ABLOY Group brand. For more information, visit

Copyright 2010 ActivIdentity. All rights reserved. ActivIdentity, ActivID, ActivIdentity SecureLogin, ActivClient, and 4TRESS are trademarks of ActivIdentity. All other trademarks, trade names, service marks, service names, and images mentioned and/or used herein belong to their respective owners. DS0611V01
More informationHow Next Generation Trusted Identities Can Help Transform Your Business
SESSION ID: SPO-W09B How Next Generation Trusted Identities Can Help Transform Your Business Chris Taylor Senior Product Manager Entrust Datacard @Ctaylor_Entrust Identity underpins our PERSONAL life 2
More informationSecure Card Reader Authenticators
Secure Card Reader Authenticators The Evolution of Card Reading Technology: MagneSafe technology has evolved exponentially from its inception in 2006 when it delivered the industry s first secure card
More informationAPG8201 PINHandy
APG8201 PINHandy Units 2010-2013, 20th Floor Chevalier Commercial Centre 8 Wang Hoi Road, Kowloon Bay, HK Tel: +852-27967873 Fax: +852-27961286 info@acs.com.hk www.acs.com.hk Outline 1. Product Overview
More informationAPG8205 OTP Generator
APG8205 OTP Generator User Manual V1.00 Subject to change without prior notice Table of Contents 1.0. Introduction... 3 1.1. Supported Card Type... 3 1.2. Supported Language... 3 2.0. APG8205 Illustration...
More informationCard Issuance/Encoding & PIN Pads
Card Issuance/Encoding & PIN Pads From Card Issuance to Card Security Card Issuance/Encoding & PIN Pads Card issuers know they can put their trust in Mag- Tek. Whether meeting the growing need for instant,
More informationRSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief
Providing Secure Access to Corporate Resources from BlackBerry Devices Leveraging Two-factor Authentication Augmenting the BlackBerry Enterprise Solution BlackBerry devices are becoming ubiquitous throughout
More informationTHE ROLE OF ADVANCED AUTHENTICATION IN CYBERSECURITY FOR CREDIT UNIONS AND BANKS
THE ROLE OF ADVANCED AUTHENTICATION IN CYBERSECURITY FOR CREDIT UNIONS AND BANKS Crossmatch s Michel Nerrant on Improving Security Without Adding Friction Michel Nerrant Nerrant is responsible for business
More informationA HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION. Establish Create Use Manage
A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION Establish Create Use Manage SIMPLE. SECURE. SMART. ALL FROM A SINGLE SOURCE. As the ways to access your organization and its sensitive data increase,
More informationCA ArcotID OTP. Authentication Developer's Guide. r2.0.2
CA ArcotID OTP Authentication Developer's Guide r2.0.2 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ),
More informationVersion 2.3 March 2, WisePad 2 Security Policy
Version 2.3 March 2, 2016 WisePad 2 Security Policy Table of Content 1 Introduction...3 1.1 Purpose and Scope...3 1.2 Audience...3 1.3 Reference...3 1.4 Glossary of Terms and Abbreviations...4 2 General
More informationLinQ2FA. Helping You. Network. Direct Communication. Stay Fraud Free!
LinQ2FA Stay Fraud Free! Helping You Direct Communication Secure to your Your customers Network LINQ2FA Stay Fraud Free! Enhance your security against cyber fraud with Two Factor Authentication Suitable
More informationPut Identity at the Heart of Security
Put Identity at the Heart of Security Strong Authentication via Hitachi Biometric Technology Tadeusz Woszczyński Country Manager Poland, Hitachi Europe Ltd. 20 September 2017 Financial security in the
More informationThe Password Authentication Paradigm In today s business world, security in general - and user authentication in particular - are critical components
YOUR ULTIMATE AUTHENTICATION SOLUTION A l a d d i n. c o m / e T o k e n The Password Authentication Paradigm In today s business world, security in general - and user authentication in particular - are
More informationPKI Credentialing Handbook
PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key
More informationInitiative for Open Authentication OATH Interoperability without Sacrificing Security
Initiative for Open Authentication OATH Interoperability without Sacrificing Security Donald E. Malloy, Jr. NagraID Security XCL@B September 7 th 2010 The Open Authentication Reference Architecture (OATH)
More informationSecuring today s identity and transaction systems:! What you need to know! about two-factor authentication!
Securing today s identity and transaction systems:! What you need to know! about two-factor authentication! 1 Today s Speakers! Alex Doll! CEO OneID Jim Fenton! Chief Security Officer OneID 2 Contents!
More informationPublic Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman
Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National
More informationAbout MagTek. PIN Entry & Management
About MagTek Since 1972, MagTek has been a leading manufacturer of electronic devices and systems for the reliable issuance, reading, transmission and security of cards, checks, PINs and other identification
More informationAsseco SEE Authentication Solutions. ASEBA SxS, ASEBA Mobile Token
Asseco SEE Authentication Solutions ASEBA SxS, ASEBA Mobile Token Robert Mihaljek Sales Professional September, 2012. Sofia, Bulgaria Agenda About Asseco Threaths User authentication options Our Solution
More informationOpen Source Authentication: Security without High Cost. Donald E. Malloy LSExperts May 18 th, 2016
Open Source Authentication: Security without High Cost Donald E. Malloy LSExperts May 18 th, 2016 Why the need for Strong Authentication? Fraud continues to skyrocket 10 Million Americans were victims
More informatione-security Task Group Hong Kong Post e-cert: Enabling Secure Electronic Transactions
E Hong Kong Post e-cert: Enabling Secure Electronic Transactions Doc no: telwg29/ ESTG/09 Agenda item: 7 e-security Task Group Submitted by: Hong Kong, China Hong Kong Post e-cert: Enabling Secure Electronic
More informationBlackBerry 2FA. Datasheet. BlackBerry 2FA
Datasheet BlackBerry 2FA BlackBerry 2FA The Challenge: Critical enterprise systems especially cloud services are more exposed than ever before because of the growing threat of cybercrime. Passwords alone
More informationVACMAN Controller. Integration Guide. White Paper
VACMAN Controller Integration Guide 2006 VASCO Data Security. All rights reserved. Page 1 of 26 White Paper Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on
More informationNew Paradigms of Digital Identity:
A Telefonica White Paper New Paradigms of Digital Identity: Authentication and Authorization as a Service (AuthaaS) February 2016 1. Introduction The concept of identity has always been the key factor
More informationEXPERIENCE SIMPLER, STRONGER AUTHENTICATION
1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION 2 Data Breaches are out of control 3 IN 2014... 783 data breaches >1 billion records stolen since 2012 $3.5 million average cost per breach 4 We have a PASSWORD
More informationSecurity Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets
Security Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets TABLE OF CONTENTS 1 SCOPE OF DOCUMENT... 1 2 INTRODUCTION... 1 3 SECURITY LEVELS... 1 3.1 CRYPTOGRAPHIC MODULE SPECIFICATION...
More informationActivCard Strong Authentication product line. Jerome Becquart, Senior Product Manager
ActivCard Strong Authentication product line Jerome Becquart, Senior Product Manager A little history Strong Authentication products since 1994 Over 2.5 Millions devices, 1 Million in 2000 alone More than
More informationipad in Business Security Overview
ipad in Business Security Overview ipad can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods for
More informationPKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore
PKI Standards Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore Under the Aegis of Controller of Certifying Authorities (CCA) Government of India 1 PKCS Why PKCS? Even
More informationCharter Pacific Biometrics Acquisition
Charter Pacific Biometrics Acquisition Charter Pacific Biometrics Acquisition Charter Pacific has executed a Share Purchase Agreement to acquire 100% of Microlatch. Charter Pacific/Microlatch has a patent
More informationNIST Cryptographic Toolkit
Cryptographic Toolkit Elaine Barker ebarker@nist.gov National InformationSystem Security Conference October 16, 2000 Toolkit Purpose The Cryptographic Toolkit will provide Federal agencies, and others
More informationCOMPLETING THE PAYMENT SECURITY PUZZLE
COMPLETING THE PAYMENT SECURITY PUZZLE An NCR white paper INTRODUCTION With the threat of credit card breaches and the overwhelming options of new payment technology, finding the right payment gateway
More informationSymmetric Key Services Markup Language Use Cases
Symmetric Key Services Markup Language Use Cases Document Version 1.1 - February 28, 2007 The OASIS Symmetric Key Services Markup Language (SKSML) is the proposed language/protocol that defines how a client
More informationIs Your Online Bank Really Secure?
Is Your Online Bank Really Secure? Zoltan Szalai / ebanking Solution Manager April 25, 2013 2 Gemalto for You ONE THIRD OF THE WORLD S POPULATION USE OUR SOLUTIONS EVERYDAY BANKS & RETAIL TELECOM TRANSPORT
More informationTrusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN
Trusted Identities Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN WHAT YOU WILL LEARN TODAY Strong identity verification as a security measure and business enabler Authentication
More informationMobilePASS. Security Features SOFTWARE AUTHENTICATION SOLUTIONS. Contents
MobilePASS SOFTWARE AUTHENTICATION SOLUTIONS Security Features Contents Introduction... 2 Technical Features... 2 Security Features... 3 PIN Protection... 3 Seed Protection... 3 Security Mechanisms per
More informationSecuring Personal Mobile Device Access to Enterprise IT and Cloud Assets with Strong Authentication
Securing Personal Mobile Device Access to Enterprise IT and Cloud Assets with Strong Authentication Strong Authentication is the Foundation for Securing Mobile Access Executive Summary The consumerization
More informationFIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication
FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication Jeremy Grant Managing Director, Technology Business Strategy Venable LLP jeremy.grant@venable.com @jgrantindc Digital: The Opportunity
More informationDIGIPASS Authentication for F5 BIG-IP
DIGIPASS Authentication for F5 BIG-IP With VASCO VACMAN Middleware 3.0 2008 VASCO Data Security. All rights reserved. Page 1 of 37 Integration Guideline Disclaimer Disclaimer of Warranties and Limitations
More informationIntroduction of the Identity Assurance Framework. Defining the framework and its goals
Introduction of the Identity Assurance Framework Defining the framework and its goals 1 IAEG Charter Formed in August of 07 to develop a global standard framework and necessary support programs for validating
More informationThe new standard for user authentication
+ + The new standard for user authentication the convenient authentication 03 Summary 04 How does it work? 05 Benefits of convenient authentication for end users 06 Use cases 07 Click & Mortar 08 Natural
More informationCerticom Security for Government Suppliers developing products to meet the US Government FIPS security requirement
certicom application notes Certicom Security for Government Suppliers developing products to meet the US Government FIPS 140-2 security requirement THE PROBLEM How can vendors take advantage of the lucrative
More informationDataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.
Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based
More informationStrategies for the Implementation of PIV I Secure Identity Credentials
Strategies for the Implementation of PIV I Secure Identity Credentials A Smart Card Alliance Educational Institute Workshop PIV Technology and Policy Requirements Steve Rogers President & CEO 9 th Annual
More informationCoSign Hardware version 7.0 Firmware version 5.2
CoSign Hardware version 7.0 Firmware version 5.2 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation July 2010 Copyright 2009 AR This document may be freely reproduced and distributed whole and
More informationSecurity Requirements for Crypto Devices
Security Requirements for Crypto Devices Version 1.0 02 May 2018 Controller of Certifying Authorities Ministry of Electronics and Information Technology 1 Document Control Document Name Security Requirements
More informationClover Flex Security Policy
Clover Flex Security Policy Clover Flex Security Policy 1 Table of Contents Introduction General description Installation Guidance Visual Shielding Device Security Decommissioning Key Management System
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationImplementation Guide VMWare View 5.1. DualShield. for. VMWare View 5.1. Implementation Guide
DualShield for VMWare View 5.1 Implementation Guide Copyright 2012 Deepnet Security Limited Copyright 2012, Deepnet Security. All Rights Reserved. Page 1 Trademarks Deepnet Unified Authentication, MobileID,
More informationMicrosoft DirectAccess
Microsoft DirectAccess The New Choice of Enterprises Over Traditional VPN Whitepaper August 2017 Microsoft DirectAccess The New Choice of Enterprises Over Traditional VPN Microsoft DirectAccess is a unique
More informationADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief
ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI Adaptive Authentication in IBM Tivoli Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective
More informationVisa paywave Implementation Overview and European Pilot Operating Principles Member Letter: VE 08/08 Type: General 16 April 2008
Principal and Group Members Centre Manager Senior Visa Officer Marketing Staff Visa paywave Implementation Overview and European Pilot Operating Principles Member Letter: VE 08/08 Type: General 16 April
More informationExploring the potential of Mobile Connect: From authentication to identity and attribute sharing. Janne Jutila, Head of Business Development, GSMA
Exploring the potential of Mobile Connect: From authentication to identity and attribute sharing Janne Jutila, Head of Business Development, GSMA Fragility of passwords No matter what you tell them, users
More informationSoftware Token. Installation and User Guide. 22 September 2017
Software Token Installation and User Guide 22 September 2017 Notices Following are policies pertaining to proprietary rights and trademarks. Proprietary Rights The information contained in this document
More informationUsing InterSystems IRIS Data Platform for Securely Storing Credit Card Data. Solution Guide
Using InterSystems IRIS Data Platform for Securely Storing Credit Card Data Solution Guide Introduction An ever-increasing number of purchases and payments are being made by credit card. Although merchants
More informationSecureDoc Disk Encryption Cryptographic Engine
SecureDoc Disk Encryption Cryptographic Engine Security Policy Abstract: This document specifies Security Policy enforced by the SecureDoc Cryptographic Engine compliant with the requirements of FIPS 140-2
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Smart Cards 2 University of Tartu Spring 2015 1 / 19 Security Model Parties involved in smart card based system: Cardholder Data owner Terminal Card issuer Card manufacturer
More informationMobile Identity Management
Mobile Identity Management Outline Ideas Motivation Architecture Implementation notes Discussion Motivation 1 The mobile phone has become a highly personal device: Phonebook E-mail Music, videos Landmarks
More informationArcot Universal Client SAFE-Compliant Digital Signatures
Arcot Universal Client SAFE-Compliant Digital Signatures Scott Kern Solutions Architect Arcot, Inc. Company logo here Arcot Overview Authentication & Digital Signing Company Authentication 2-party and
More informationiclass SE Platform Solutions The New Standard in Access Control
iclass SE Platform Solutions The New Standard in Access Control iclass SE Platform iclass SE SOLUTIONS Next generation access control solutions for increased security, adaptability, and enhanced performance.
More informationFederated Authentication for E-Infrastructures
Federated Authentication for E-Infrastructures A growing challenge for on-line e-infrastructures is to manage an increasing number of user accounts, ensuring that accounts are only used by their intended
More information