SECURING CORPORATE ASSETS WITH TWO FACTOR AUTHENTICATION

Contents: Introduction; Why static passwords are insufficient; Introducing two-factor authentication; Form factors for OTP delivery; OTP generating mechanisms; Integrating two-factor authentication; About Celestix HOTPin; Contact information

Introduction

Organizations require users to enter their username and password in order to validate their identity. However, with the proliferation of applications, websites and services that require authentication, users are under increasing pressure to maintain their passwords, and it has become clear that the simple password scheme is no longer sufficient. In fact, there are multiple high-profile cases where passwords have failed both the users and the organizations that provide services, leading to identity theft and data loss. The impact of such breaches is more costly than ever, with financial penalties associated with breaches of regulatory compliance and the impact of lost business and loss of confidence. This white paper will explore how two-factor authentication can be considered as an alternative to provide secure authentication, in order to resolve the risks of unauthorized access to corporate resources.

Why static passwords are insufficient

Passwords have long been used as a way to authenticate users and provide them services. They rely on the simple fact that only the user knows the password and no one else does. This was initially perceived as an effective solution, but with the proliferation of systems and resources that require password entry prior to access, the model breaks down in a number of ways.

Human memory is known to fail. If a user forgets their password, they typically have to call the IT helpdesk, or reset the password before access is granted again. Since this disrupts a user's workflow, many users write down passwords, and often leave them next to their place of work, in their laptop bag, or on their laptop! This is a clear security risk, as anyone with physical access to the office cube or laptop has complete and unauthorized access. A recent survey carried out amongst IT professionals confirmed that 29% of respondents knew a colleague's password details. The risk presented by written-down passwords is even greater when considered in the context of the volume of connected devices that are lost every day. Surveys suggest that as many as 15,000 laptops are misplaced at airports in Europe and the USA every week. If any of these have an accompanying post-it note with a password attached, then no amount of security can protect the organization from loss.

Since users have to remember so many passwords, they tend to create a standard password and re-use it in multiple places. This means that if the password is compromised in one place, the hacker has access to multiple sites and services.

Even if the user is extremely careful with their passwords, static passwords are vulnerable to replay attacks. After the user enters the password on a site or application, it has to be sent to an authentication server for validation. An intruder can intercept this session or transmission and replay it later on to gain unauthorized access.

Criminals have used deception for millennia in order to extract confidential information from others. Deception can include face-to-face diversion tactics and behavioral manipulation, but in the computing age it can also be carried out without the need for in-person interaction. Phishing attacks are extremely common and are a source of significant data theft. In a phishing attack, the phisher will send an email that appears to come from a legitimate source such as a bank, requesting the recipient to log in to their account or to verify their account details. The email directs the user to a fraudulent website where account details are captured and can be used to commit fraud.

With the evolving complexity and intelligence of fraudulent attacks, the increase in the number of systems requiring password access, and the fact that users will address this by standardizing their passwords and will then write them down, how can organizations protect themselves against such a broad range of issues that can result in attacks on their systems?

Introducing two-factor authentication

Authentication based on passwords is based on what a user knows. It is reasonable to augment security by enhancing it with what a user has. This simple concept is the basis of two-factor authentication:

- What you know: a password or Personal Identification Number (PIN)
- What you have: a unique physical characteristic, or device, that only the user has access to

With such a scheme, even if a user's password or PIN is compromised, the attacker will not be able to gain access to the site or service, since they don't possess the second factor required in order to gain access. Conversely, if the attacker gains access to the device that provides the second-factor authentication, they won't know the user's password or PIN.

ATM or debit cards are the most common example of two-factor authentication. If the card is ever lost or stolen, it still can't be used without the PIN. Even if an unauthorized user knows the PIN of the bank account, they will still not be able to withdraw money, since they don't have the actual ATM card. One is rendered useless without the other. ATM cards provide two-factor authentication in the tightly controlled environment of ATM machines, where each machine is equipped with a special card reader. It is not feasible to equip every laptop, desktop or tablet with a special device to read a card. That would be cost-prohibitive, time-consuming and extremely impractical.

To provide two-factor authentication for computer services and sites, users rely on a One Time Password that is generated on a device that is uniquely assigned to a user. One Time Passwords (OTP) provide security in a number of ways. The OTP changes after a fixed interval of time, commonly every 60 seconds. Even if an unauthorized user noted the OTP, they won't be able to use it, since it would have changed for the next session. OTPs are generated using a seed that is uniquely associated with a device. Thus, every user's OTP will be different. Since the device is assigned to a user, the OTP uniquely authenticates a user and a PC desktop client. By leveraging smart devices or text messaging, the OTP is delivered on demand to the user.

And, of course, HOTPin easily integrates with AD. DirectAccess with HOTPin is actually a security tool masquerading as a user convenience tool, a functional duality that, in other solutions, usually results in a trade-off.

Form factors for OTP delivery

One Time Passwords can be delivered to end users via a variety of methods, each with their own pros and cons.

Hardware tokens, also commonly referred to as authentication tokens, are pocket-sized, battery-operated devices which are dedicated to generating OTPs. This is the oldest method of generating OTPs. However, they come with their own set of problems. For remote users, the devices need to be shipped to their site, increasing costs. The battery life of these devices is approximately three years; after that, the devices have to be replaced. Larger organizations usually have to maintain stock for devices that need to be replaced or are lost. A subtle but important problem is that if these devices are lost or stolen, the user might not notice for a few days. That gives an attacker a window of opportunity.

With the increasing popularity of smart phones, users expect not to carry a dedicated device for generating OTPs. Fortunately, smart phones can be leveraged to generate the OTP. Software tokens, or soft tokens, vastly increase the convenience for end users. If the smart phone is ever lost, the end user will most likely notice much quicker than with a hardware token. Some software token apps, such as those from Celestix, can be configured to require a PIN before displaying the OTP, further enhancing security.

One Time Passwords can also be delivered through a text message. This method is convenient for users who might not have smart phones, but still don't want to carry a dedicated device. Receiving the OTP through text messaging means it is completely separated from the regular authentication channel, or Out of Band (OOB), increasing security. OTPs can also be sent via email, so if users have access to email on their phones, they can opt to receive OTPs via email.
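As an added example that is not part of the Celestix paper and not HOTPin's code, the following Python implements the event-based HOTP algorithm (RFC 4226, the IETF algorithm the paper names in the next section) together with a minimal server-side verifier. It makes concrete the two properties claimed above for OTPs versus static passwords: every user's codes derive from a per-device seed, and a code that has been accepted once is rejected if an intruder replays it, because the server's counter has already moved past it. The seed value is the RFC 4226 test-vector secret, and the user names, the `OtpVerifier` class and its look-ahead window of 5 are assumptions of this example; the paper describes a 60-second rotating code as the common case, whereas this block shows the event-based variant the paper attributes to HOTPin.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Minimal authentication-server side (an assumption of this example):
    one seed and one next-expected counter per enrolled user."""

    def __init__(self, look_ahead: int = 5):
        # look_ahead: how many codes a device may have generated without logging in
        # (e.g. the user pressed the button idly) before the server refuses to resync
        self.look_ahead = look_ahead
        self._users = {}

    def enroll(self, user: str, seed: bytes) -> None:
        self._users[user] = {"seed": seed, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        start = rec["counter"]
        for c in range(start, start + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                # Advance past the accepted counter: the same code can never be accepted again,
                # which is exactly what defeats the replay attack described for static passwords.
                rec["counter"] = c + 1
                return True
        return False


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed for illustration
    v = OtpVerifier()
    v.enroll("alice", SEED)
    first = hotp(SEED, 0)
    print("first code:", first, "accepted:", v.verify("alice", first))
    print("replay of the same code accepted:", v.verify("alice", first))
```

A production verifier would also persist the counter atomically and rate-limit failed attempts, but the core of the replay defence is just the counter advancing past every accepted code.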

OTP generating mechanisms

There are various proprietary mechanisms for generating One Time Passwords. The Internet Engineering Task Force (IETF), an international body that develops and promotes internet standards, has adopted an algorithm known as HOTP for generating One Time Passwords. HOTP is not the only mechanism for generating One Time Passwords; alternative proprietary solutions exist. However, closed and proprietary solutions have always presented enterprises with multiple challenges.

RSA, a division of EMC, provides RSA SecurID as a two-factor authentication solution. In March 2011, RSA announced that they were subject to an attack which allegedly compromised the security of the One Time Password generation. Customers had to replace the tokens and employ security monitoring services to ensure that their information was not breached. While complimentary, these required significant investment in time and posed tactical challenges for customers.

Once an enterprise adopts a proprietary system, they often find themselves beholden to the vendor of the solution. Migrating to another solution often becomes impossible. Since there is no open interoperability, customers are locked in to higher prices and, typically, older technologies. Proprietary algorithms, by definition, are not vetted by security analysts or academic researchers. Relying on open standards ensures that security is not compromised by vulnerabilities in proprietary software or algorithms.

Integrating two-factor authentication

Mature two-factor solutions, like Celestix HOTPin, provide an embedded RADIUS server. This can be used to integrate Celestix HOTPin with any remote access gateway solution (e.g. Juniper SA series, Citrix XenApp). For Microsoft UAG specifically, Celestix provides a custom agent that ensures users' credentials are properly passed on to applications, providing true Single Sign-On. After integration, users have to enter their username, PIN and OTP to authenticate. OTPs are generated on smart phones, hardware tokens (like Celestix Touch) or received through text messages.
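As an added example, not part of the paper and not Celestix's code, the following Python shows what the "embedded RADIUS server" integration looks like on the wire. The remote access gateway acts as a RADIUS client and packs the username and the user-typed PIN+OTP string into an Access-Request (RFC 2865), hiding the User-Password attribute with the shared secret and the request authenticator; the authentication server unpacks it, splits the credential into PIN and OTP, checks the PIN, and hands the OTP to an OTP validator. The shared secret, user names, PIN, the `otp_check` callback and the convention that the OTP is the trailing six digits are all assumptions of this example; how HOTPin itself lays out PIN and OTP in the request is not stated on the page.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1      # RADIUS code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1      # User-Name attribute type
ATTR_USER_PASSWORD = 2  # User-Password attribute type


def _xor_chain(secret: bytes, authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with
    b1 = MD5(secret + authenticator), b_i = MD5(secret + previous ciphertext block)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, b))
        out += c
        prev = block if decrypt else c  # the chain always continues from the ciphertext block
    return bytes(out)


def encode_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(secret, authenticator, padded, decrypt=False)


def decode_user_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    return _xor_chain(secret, authenticator, encoded, decrypt=True).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str, credential: str) -> bytes:
    """What the remote access gateway (RADIUS client) sends to the OTP server."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, credential.encode()))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(secret: bytes, packet: bytes) -> tuple:
    """What the embedded RADIUS server recovers: (username, PIN+OTP credential)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs[ATTR_USER_NAME].decode()
    credential = decode_user_password(secret, authenticator, attrs[ATTR_USER_PASSWORD]).decode()
    return username, credential


def split_pin_otp(credential: str, otp_digits: int = 6) -> tuple:
    """Assumed convention for this example: the user types the PIN immediately followed by the OTP."""
    if len(credential) <= otp_digits or not credential[-otp_digits:].isdigit():
        raise ValueError("credential does not end in a numeric OTP")
    return credential[:-otp_digits], credential[-otp_digits:]


def authenticate(secret: bytes, packet: bytes, pins: dict, otp_check) -> bool:
    """Server-side decision. `pins` maps user -> enrolled PIN; `otp_check(user, otp)` is a
    caller-supplied OTP validator (for instance an HOTP verifier), assumed by this example."""
    try:
        username, credential = parse_access_request(secret, packet)
        pin, otp = split_pin_otp(credential)
    except (ValueError, KeyError):  # wrong shared secret, malformed packet or credential
        return False
    expected = pins.get(username)
    if expected is None or not hmac.compare_digest(pin.encode(), expected.encode()):
        return False
    return bool(otp_check(username, otp))
```

Two points worth noting from the code: the User-Password hiding in RFC 2865 is MD5-based obfuscation keyed on the shared secret, not authenticated encryption, so the RADIUS link between gateway and OTP server should itself be on a trusted network or tunnelled; and because a wrong shared secret simply decodes to garbage, the server's length and format checks are what turn that into a clean rejection rather than an exception.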

About Celestix HOTPin

Celestix HOTPin enables organizations to provide market-leading levels of authentication to remote users, while lowering the ongoing cost of provisioning, management and ownership. Celestix HOTPin is a tokenless two-factor authentication solution that enables organizations to empower their mobile workforce while ensuring industry-leading protection of digital identities and protecting against unsolicited access to corporate resources, a primary reason for the loss of data. Celestix HOTPin enables organizations not only to mobilize their workforce but also allows them to leverage the remote worker's smart device, PC or tablet to act as a token capable of generating an event-based one-time password (OTP). celestix.com/hotpin

Contact information

USA +1 (510) 668-0700
UK +44 (0) 1189 596198
Singapore +65 6781 0700
Japan +81 (0) 3-5210-2991
www.celestix.com
info@celestix.com