PistolStar, Inc. dba PortalGuard
PO Box 1226
Amherst, NH 03031 USA
Phone: 603.547.1200
Fax: 617.674.2727
E-mail: sales@portalguard.com
Website: www.portalguard.com
© 2012, PistolStar, Inc. dba PortalGuard All Rights Reserved.
Two-factor Authentication:
A Tokenless Approach
v.3.2-014
Multi-factor Authentication Layer
Tech Brief — Two-factor Authentication
PortalGuard Two-factor Authentication:
A Tokenless Approach
Table of Contents
Summary
The Basics
One-time Passwords - PortalGuard Options
OTP Delivery Methods
Benefits
Beyond Two-factor Authentication
Why PortalGuard?
How it Works
User Enrollment
Two-factor Authentication Process
Login Directly to a Cloud/Web-based Application
Login via an SSL VPN Using RADIUS
OTP Configuration
Deployment
IIS Installation
System Requirements
Platform Layers
Appendix
A: SMS OTP Delivery Method
B: Voice OTP Delivery Methods
C: Hardware Token OTP Delivery Method
D: Transparent Tokenless Toolbar for TOTP Delivery Method
E: Printed OTP Delivery Method
Summary
PortalGuard is a software solution designed as a strong authentication platform. It consists
of five layers: two-factor authentication, single sign-on, self-service password management,
contextual authentication and password synchronization. It is used to protect browser-based
applications hosted within an intranet and/or outside the firewall, now commonly known as
the Cloud.
These applications contain functionality to read, edit and search data at all levels of
sensitivity, across multiple industries. The access point for browser-based applications is the
login screen, where you are typically required to prove your identity by providing a
username and password. This is normally sufficient to prove you are authorized, and you are
therefore granted access to company applications and data.
Although still used as an integral part of authentication, passwords alone are inadequate
for today’s browser-based applications. They are easily exploited by unauthorized users
who find new methods of stealing passwords and impersonating authorized users. With
that said, the true purpose of this document is to describe alternatives to using passwords.
Many choices in the market strengthen your authentication, to prevent unauthorized access,
by providing two-factor authentication. Two-factor is an acceptable way to increase
security; however, inflexibility and low usability have proven to be barriers for many
organizations, with the primary barrier being high total cost of ownership in today’s economic
climate. Token-based approaches are expensive and problematic when hardware is forgotten
or needs repair or replacement. PortalGuard avoids these barriers by providing a flexible
and cost-effective approach which is easily accepted by users.
The Basics
Two-factor authentication is used to increase security by requiring you to provide
“something you know” (a password) and leverage “something you have” (laptop, mobile
phone). The use of two distinct authentication factors helps eliminate an organization’s
security concerns around granting access based on a single, knowledge-based factor.
One-time Passwords - PortalGuard Options
Increasing in popularity, a one-time password (OTP) is a password that is valid for only
one login session or transaction. OTPs avoid a number of shortcomings of static passwords;
in particular, they are not susceptible to replay attacks. If a potential intruder manages to
record an OTP that was already used to log into a server, he or she will not be able to
reuse it since it will no longer be valid.
The traditional method of delivering an OTP via a hard token or key fob has fallen out of
favor due to cost and usability issues. Use of “soft tokens”, like mobile phones, has
supplanted it.
PortalGuard can enforce two-factor authentication and deliver an OTP when the user is
trying to access the web/cloud application directly, through a VPN connection using
RADIUS, or when performing a self-service password reset, recovery, or account unlock.
PortalGuard not only leverages the user’s mobile device, but with its unique offering of
transparent tokens, leverages the user’s laptop as well. A transparent token can be made
up of several different types of parameters, including a random number, device serial
numbers and/or Active Directory identifiers. Together these will make up the OTP which is
then encrypted and passed from the client machine to the PortalGuard server.
OTP Delivery Methods:
With PortalGuard you can deliver an OTP via SMS, hosted text-to-speech, SIP, email,
printer or transparent token to achieve two-factor authentication. Please view appendices
A-E for information on the individual delivery methods.
Benefits
 Increased security - add an extra layer of authentication to application access, VPN
access, or during a self-service password reset
 Reduce Risk - prevent attacks by leveraging credentials which expire after one use
 Usability - leverage hardware a user already has for increased user adoption
 Eliminate forgotten passwords - leverage a username and OTP only as credentials
 Configurable - to the user, group or application levels
 Flexible - multiple OTP delivery methods available
 MITM - Man-in-the-Middle Attack
 Passive Attack - the hacker is eavesdropping and/or monitoring all transactions, such as
emails being exchanged
 Active Attack - the hacker is between the server and client, attempting to intercept
information when passed between the two entities
 Printer - refers to sending a form letter to a specified printer with one or more OTPs
printed - users can then use each OTP one time to login
Beyond Two-factor Authentication
PortalGuard’s flexibility allows you to choose the appropriate authentication method for
each user, group or application, by leveraging Contextual Authentication. Varying access
scenarios in every organization drive the need for this type of authentication. For instance,
users within your company’s four walls may only need to provide strong passwords
whereas a traveling salesperson or roaming user is presented with two-factor authentication.
However, a traveling salesperson now in the office only needs to provide a password to
prove his identity due to his new situation when requesting access. Contextual
Authentication is a solution with the flexibility to match your individual users’ needs and
organizational goals.
Why PortalGuard?
 Flexible authentication platform which expands with you and your requirements
 Low total cost of ownership
 Configurable – apply the appropriate authentication method to the user, group or
application
 Gain usage insight – optionally collect location, time, device, network and application
details for each access request
 No additional hardware – leverage devices users already use daily
 Easy installation and deployment
 Seamless integration with existing environment
 Developed/supported by authentication experts
How it Works
User Enrollment
Once two-factor authentication becomes a requirement, the user will be prompted to enroll
their mobile phone. PortalGuard provides flexibility around this process by allowing you to
configure whether the enrollment will be forced or able to be postponed “x” number of
times by the user. This increases the usability for users, giving them options around a
process many find intrusive and blocking.
Phone enrollment can also be automated by importing the data from any current corporate
data source.
Two-factor Authentication Process - Login Directly to a Cloud/Web-based
Application
The following process shows the two-factor authentication process when a user is logging
in directly to a cloud/web-based application.
Step 1: PortalGuard’s login screen is presented when a user visits the web-application.
This login screen can be fully customized to match your organization’s branding, creating
a seamless experience for the user.
Step 2: The user enters their username and clicks “Continue”.
Step 3: The PortalGuard server sends the OTP to the user’s mobile phone within 5-10
seconds, in the form of an SMS. NOTE: PortalGuard can send the OTP via SMS, email,
printer or transparent token.
Step 4: The user is prompted for a password and OTP.
Step 5: The user enters the OTP they received and clicks “Log On”.
Step 6: The user gains access to the web-application and data.
Step 7: This is an example of a user attempting to use an expired OTP that was never
used. Once the expired OTP is entered, the user is denied access and prompted to cancel
the process or request a valid OTP. However, if the user attempts to reuse a used OTP, or
an unauthorized user is attempting to perform a replay attack, PortalGuard will display a
dialog showing “Incorrect OTP Provided” if strikeouts are disabled.
Two-factor Authentication Process - Login via an SSL VPN Using RADIUS
The following steps show the two-factor authentication process when a user is logging into
a cloud/web-based application via an SSL VPN connection using the RADIUS protocol.
RADIUS Support
RADIUS is a well-established, vendor-neutral network protocol and an internet standard.
It was primarily designed to authenticate remote users for dial-up services and is
widely implemented by numerous network security vendors such as Cisco, Juniper, Citrix
and Checkpoint.
Due to the widespread support for the RADIUS protocol by network security vendors,
RADIUS is an optimal choice for enabling two-factor authentication for remote access users.
In the standard case, a network security appliance, firewall or Network Access Server
(NAS) is the “RADIUS client” or “NAS client” and the PortalGuard server acts as the
“RADIUS server”. The end-user only communicates directly with the NAS client to provide
the login information.
Because the NAS client communicates directly with the PortalGuard RADIUS server,
authentication decisions made by PortalGuard are strictly enforced. This ensures a high
level of security and consistency.
Most network security appliances allow VPN users to be authenticated using different
mechanisms. A few common options are:
 User accounts defined locally on the appliance
 LDAP authentication
 X.509 certificates
 RADIUS
Enabling multi-factor authentication can be as straightforward as enabling RADIUS
authentication on your network security appliance, pointing it to the PortalGuard server and
adding a RADIUS client configuration in PortalGuard.
The same RADIUS setup can often be used to authenticate remote users looking for an
SSL VPN via web browser and remote users with VPN software installed locally on their
workstation. This helps offer a high degree of consistency, reducing the need for user
training and education.
How it Works
Step 1: The user attempts to connect to the NAS/firewall using either a browser or VPN
client software and is prompted for username and password.
Steps 2-5 happen transparently to the user:
Step 2: The NAS communicates the credentials to the PortalGuard server using the
RADIUS protocol.
Step 3: The PortalGuard server validates the user’s credentials against its configured user
repository (e.g. Active Directory).
Step 4: The user repository returns a success or failure code indicating whether the
username and password are valid.
Step 5: PortalGuard replies to the RADIUS request with an Access-Challenge response
that includes a custom message that should be displayed to the user and a random
identifier (the “state”) that the NAS will send back to PortalGuard to identify the same user
session.
Step 6: The NAS displays the custom message requesting the user to enter the OTP that
was sent to their mobile device.
Step 7: The user enters the OTP from their mobile device and submits it to the NAS.
Steps 8 and 9 happen transparently to the user:
Step 8: The NAS sends the OTP and state identifier to PortalGuard using RADIUS.
Step 9: The PortalGuard server replies to the second RADIUS request with an Access-Accept
response.
Step 10: The NAS accepts the user’s authentication and the VPN tunnel/session is
established. The user is then able to access internal resources (e.g. “crm.acme.com”).
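Steps 1-10 above as a runnable model, added here as an example; it is not PortalGuard code. It uses plain dictionaries instead of RADIUS wire encoding, and the class name, function names and sample user are assumptions. The point it demonstrates is that the State value must be random, bound to the user who passed the first round, short-lived and single-use.

```python
import hmac
import secrets
import time

# Constructed stand-in for the user repository (e.g. Active Directory).
USERS = {"jsmith": "correct horse"}

REJECT = {"Code": "Access-Reject"}


class ChallengeServer:
    """Hypothetical model of the RADIUS-server role in Steps 2-9."""

    def __init__(self, users, send_otp, state_ttl=120, clock=time.time):
        self.users = users
        self.send_otp = send_otp      # callback that delivers the OTP out of band
        self.state_ttl = state_ttl    # seconds a challenge stays answerable
        self.clock = clock
        self.sessions = {}            # State -> (username, otp, expires_at)

    def handle(self, request):
        user = request.get("User-Name", "")
        secret = request.get("User-Password", "")
        state = request.get("State")
        if state is None:
            return self._first_round(user, secret)
        return self._second_round(user, secret, state)

    def _first_round(self, user, password):
        # Steps 3-4: check the password against the repository.
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return dict(REJECT)
        # Step 5: issue an OTP and an unguessable State tied to this user.
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_hex(16)
        self.sessions[state] = (user, otp, self.clock() + self.state_ttl)
        self.send_otp(user, otp)
        return {
            "Code": "Access-Challenge",
            "State": state,
            "Reply-Message": "Enter the one-time password sent to your phone",
        }

    def _second_round(self, user, otp, state):
        # pop() makes the State single-use: a replayed second request
        # finds no session, and a wrong OTP forces a fresh challenge.
        session = self.sessions.pop(state, None)
        if session is None:
            return dict(REJECT)
        bound_user, expected, expires_at = session
        ok = (
            user == bound_user                       # State cannot be moved to another user
            and self.clock() < expires_at            # challenge has not timed out
            and hmac.compare_digest(expected.encode(), otp.encode())
        )
        return {"Code": "Access-Accept"} if ok else dict(REJECT)


def nas_login(server, username, password, prompt_user):
    """NAS side of Steps 1-10. Returns True when the tunnel may be set up."""
    # Step 2: forward the credentials.
    reply = server.handle(
        {"Code": "Access-Request", "User-Name": username, "User-Password": password}
    )
    if reply["Code"] == "Access-Challenge":
        # Steps 6-7: show the Reply-Message and collect the OTP.
        answer = prompt_user(reply["Reply-Message"])
        # Step 8: the answer travels in User-Password, with State echoed back.
        reply = server.handle(
            {
                "Code": "Access-Request",
                "User-Name": username,
                "User-Password": answer,
                "State": reply["State"],
            }
        )
    # Step 10: only Access-Accept lets the session through.
    return reply["Code"] == "Access-Accept"


if __name__ == "__main__":
    inbox = {}  # constructed stand-in for the user's phone
    srv = ChallengeServer(USERS, send_otp=inbox.__setitem__)
    print(nas_login(srv, "jsmith", "correct horse", lambda msg: inbox["jsmith"]))
```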
OTP Configuration
NOTE: All the following settings are policy specific, so you can have different values for
different users/groups/hierarchies.
Configurable through the PortalGuard Configuration Utility:
 Expiration, aka “time-to-live” (TTL)
 Length
 Format
   Numeric characters only
   Upper/lowercase characters
   Upper/lowercase & numeric characters
   Upper/lowercase, numeric and symbol characters
 Delivery format, including From, Subject and Body fields
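How the expiration, length and format settings above interact with the expired-OTP and reused-OTP outcomes of Step 7 in the web login flow, as an added example; this is not PortalGuard code. The policy fields, the format names, the symbol set and the strike limit (a stand-in for the "strikeouts" the brief mentions) are assumptions.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Assumed names for the four character formats listed above.
FORMATS = {
    "numeric": string.digits,
    "alpha": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    "alphanumeric_symbol": string.ascii_letters + string.digits + "!@#$%^&*",
}


@dataclass
class OtpPolicy:
    ttl_seconds: int = 300   # expiration, aka time-to-live
    length: int = 6
    fmt: str = "numeric"
    max_strikes: int = 3     # 0 models strikeouts being disabled


class OtpStore:
    """Holds at most one outstanding OTP per user."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._pending = {}   # username -> [otp, expires_at, strikes]

    def issue(self, username):
        alphabet = FORMATS[self.policy.fmt]
        otp = "".join(secrets.choice(alphabet) for _ in range(self.policy.length))
        # Issuing again replaces any earlier OTP for the same user.
        self._pending[username] = [otp, self.clock() + self.policy.ttl_seconds, 0]
        return otp

    def verify(self, username, candidate):
        entry = self._pending.get(username)
        if entry is None:
            # Nothing outstanding: the OTP was already consumed (reuse or
            # replay) or never issued. Both look the same to the caller.
            return "incorrect"
        otp, expires_at, _ = entry
        if self.clock() >= expires_at:
            del self._pending[username]
            return "expired"          # user must request a new OTP
        if not hmac.compare_digest(otp.encode(), candidate.encode()):
            entry[2] += 1
            if self.policy.max_strikes and entry[2] >= self.policy.max_strikes:
                del self._pending[username]
                return "locked"       # too many wrong guesses for this OTP
            return "incorrect"
        del self._pending[username]   # consume on success: one login only
        return "accepted"


def guess_probability(policy, attempts):
    """Chance that `attempts` distinct guesses hit one outstanding OTP."""
    space = len(FORMATS[policy.fmt]) ** policy.length
    return min(1.0, attempts / space)


if __name__ == "__main__":
    store = OtpStore(OtpPolicy())
    code = store.issue("alice")
    print(store.verify("alice", code), store.verify("alice", code))
    print(guess_probability(OtpPolicy(), attempts=3))
```

With strikeouts disabled, the only limit on guessing is the TTL, so short numeric OTPs need either a strike limit or rate limiting in front of the verifier.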
Deployment
Implementation of the PortalGuard platform is seamless and requires no changes to Active
Directory/LDAP schema. A server-side software installation is required on each IIS server
for which PortalGuard’s authentication functionality is desired. Additional client-side
software is required for use of contextual authentication and/or transparent tokens.
IIS Installation
An MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/
Windows Server 2008, make sure to have installed the following feature roles prior to
launching the MSI:
1. All the Web Server Management Tools role services
2. All the Application Development role services
3. All IIS 6 Management Compatibility role services
The MSI is a wizard-based install which will quickly guide you through the installation.
System Requirements
PortalGuard can be installed directly on the following web servers:
 IBM WebSphere/WebSphere Portal v5.1 or higher
 Microsoft IIS 6.0 or higher
 Microsoft Windows SharePoint Services 3.0 or higher
 Microsoft Office SharePoint Server 2007 or later
To support two-factor authentication to a VPN using RADIUS the following is required:
 The network appliance must support RADIUS as an authentication option.
 The network appliance must support the Access-Challenge response type as
well as the State and Reply-Message attributes.
 PortalGuard must be licensed for RADIUS support.
 End-user enrollment of mobile devices or challenge answers must be performed
external to the RADIUS protocol.
The PortalGuard Web server also has the following requirements on Windows operating
systems:
 .NET 2.0 framework or later must be installed
 (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
PortalGuard is fully supported for installation on virtual machines. Furthermore,
PortalGuard can currently be installed on the following platforms:
 Microsoft Windows Server 2000
 Microsoft Windows Server 2003 (32 or 64-bit)
 Microsoft Windows Server 2008 (32 or 64-bit)
 Microsoft Windows Server 2008 R2
If you have a platform not listed here, please contact us at sales@portalguard.com to see
if we have recently added support for your platform.
Platform Layers
Beyond two-factor authentication, PortalGuard is a flexible authentication platform with
multiple layers of available functionality to help you achieve your authentication goals:
 Contextual Authentication
 Self-service Password Reset
 Real-time Reports / Alerts
 Knowledge-based
 Password Management
 Single Sign-on
Appendix A: SMS OTP Delivery Method
For SMS delivery, PortalGuard leverages telephone companies’ SMTP-to-SMS gateways.
This is why PortalGuard asks for both the phone number and the provider. An SMTP-to-SMS
gateway is a free service maintained by the telephone companies to allow an email
sent via SMTP to be delivered to a user's phone as an SMS/text message. The provider is
needed to determine the gateway (e.g. "@txt.att.com" for AT&T) so that PortalGuard can
build the full email address (phonenum@gateway). Leveraging these services allows
PortalGuard to be deployed quickly (it only needs an SMTP relay for sending outbound emails
as opposed to a modem and dedicated POTS line for full-blown SMS) and more cheaply (there
is no cost incurred by the sender for each OTP sent nor does a phone line need to be
maintained).
Appendix B: Voice OTP Delivery Methods
PortalGuard can deliver a voice OTP, a text-to-speech WAV file, to a user’s landline phone
using two methods, a hosted text-to-speech service or by leveraging the SIP protocol.
Hosted Text-To-Speech
A text-based template is configured by the customer in PortalGuard. An account is
created by the customer directly with a third-party service provider (PortalGuard does not
provide this service). PortalGuard connects to the third-party hosted service which converts
the template with the user’s one-time passcode into a WAV file and places a phone call to
the end-user’s enrolled phone (land line or mobile) and plays the WAV file. The service
typically offers the user the option of pressing a key to repeat the voice message. Each
call placed through the third-party service deducts credits from the customer’s
account. Credits can typically be added at any time. The user types the OTP from the voice
message into the PortalGuard browser interface to continue the authentication.
SIP
Session Initiation Protocol (SIP) is a standards-based, widely implemented protocol used
for controlling communication sessions such as voice calls over Internet Protocol (IP). The
SIP integration available through PortalGuard allows customers to leverage their own
existing phone infrastructure to place the phone calls when delivering an OTP. This is
typically a more cost-effective option than using a third-party hosted service provider. Similar
to the hosted text-to-speech option, a text-based template is configured by the customer
in PortalGuard and the OTP is substituted into it at runtime. PortalGuard then converts the
text to a WAV file using a text-to-speech API. The PortalGuard server then uses SIP to
connect to the customer’s SIP gateway using an extension from a pool of extensions
designated for exclusive use by PortalGuard. SIP is used to dial the end-user’s phone
number and play the WAV file once they answer the call. The user then types the OTP from
the voice message into the PortalGuard browser interface to continue the authentication.
Appendix C: Hardware Token OTP Delivery Method
Although hardware or proprietary tokens have started to fall out of favor due to high cost
and maintenance, they have still proven themselves as a viable option holding the largest
market share and installed base in the two-factor authentication market. PortalGuard
provides a hardware delivery method by supporting YubiKey integration.
YubiKey
This small USB-key is inserted into the user’s machine. By touching the hardware button
YubiKey creates and sends a time-variant OTP by simulating keystrokes on the keyboard.
The computer receives the code as though it was manually typed in by the user and
PortalGuard verifies the authentication request. YubiKey avoids many issues and costs
associated with other hardware tokens because the user does not have to type in the OTP,
batteries are not required, and it does not rely on an absolute time generated by an
accurate time source which avoids the need for synchronization.
Appendix D: Transparent Tokenless Toolbar for
TOTP Delivery Method
PortalGuard’s Transparent Tokenless Toolbar (TTT) offers a way to perform multi-factor
authentication by validating both the user and the device they’re using. It is transparent
because it has no user interface and does not impose additional processes or steps on
end-users. It is tokenless because it can offer multi-factor authentication without requiring
the user to possess a separate hardware-based OTP generating token/device. The
workstation itself acts as the “token” or rather “something the user has” when unlocked by the
user’s successful login to it. Lastly, it is implemented as a toolbar within the users’ web
browsers.
After installation and a one-time, automated enrollment, the TTT automatically generates a
Time-based One-time Password (TOTP) on a configurable interval and sets the value as a
session-based cookie. This cookie is created for only specific websites and is encrypted
using public-key cryptography to ensure only the PortalGuard server can decrypt it. The
one-time enrollment data is created independently for each user and is securely stored in
the user’s workstation profile. This ensures the data follows the user as they log into
different workstations and allows multiple users to share the same workstation provided they
have separate login accounts.
The user’s PortalGuard security policy determines what level of authentication is
required. If a valid TOTP is sufficient, then the TTT can be used to effectively enable
web-based SSO. For multi-factor authentication, the user is prompted for their
username/password and the TOTP is used as the second factor since only workstations they have
logged into will be able to generate it. The TTT is available for both 32 and 64-bit versions
of Windows XP and later. It is packaged as a standard MSI so it can be silently deployed
to workstations in your environment, or a web page link that installs the toolbar can be
presented to the user when they log in.
Using PortalGuard’s TTT defeats man-in-the-middle attacks, in which an attacker intercepts
messages in a public key exchange and resends them, substituting their own public key for the
requested key, leaving both parties with the appearance that they are still communicating
with each other. PortalGuard defeats this by using an encrypted cookie designated for the
valid website. The cookie is encrypted using PKI. Phishing attacks are also successfully
defeated by the TTT.
Appendix E: Printed OTP Delivery Method
For cases where the user is unable to receive an OTP via traditional SMS or phone call,
they have the option of generating and printing a batch of OTPs they can put someplace
safe like their wallet. When the user is prompted for an OTP but hasn’t received it, they
can enter the next OTP from the printed sheet. These values are still OTPs in that they
can only be used for a single authentication. The user simply enters the next OTP and
crosses each one out as it’s used. The printed OTPs do not expire on a set interval like
standard OTPs but the user can choose to clear them or generate and print a new batch at
any time from their PortalGuard Account Management page.

More Related Content

What's hot

Two factor authentication
Two factor authenticationTwo factor authentication
Two factor authenticationHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...Entrust Datacard
 
Why Two-Factor Authentication?
Why Two-Factor Authentication?Why Two-Factor Authentication?
Why Two-Factor Authentication?Fortytwo
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideEntrust Datacard
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesIBM Security
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect DesignRajat Jain
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication ManagementHitachi ID Systems, Inc.
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AlonePortalGuard
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 

What's hot (17)

Two factor authentication
Two factor authenticationTwo factor authentication
Two factor authentication
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
Why Two-Factor Authentication?
Why Two-Factor Authentication?Why Two-Factor Authentication?
Why Two-Factor Authentication?
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect Design
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not Alone
 
Auth-Shield
Auth-ShieldAuth-Shield
Auth-Shield
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager Brochure
 
76 s201923
76 s20192376 s201923
76 s201923
 
test
testtest
test
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
Contextual Authentication
Contextual AuthenticationContextual Authentication
Contextual Authentication
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 

Pg 2 fa_tech_brief

  • 2. Table of Contents

Summary
The Basics
One-time Passwords - PortalGuard Options
    OTP Delivery Methods
Benefits
Beyond Two-factor Authentication
Why PortalGuard?
How it Works
    User Enrollment
    Two-factor Authentication Process
Login Directly to a Cloud/Web-based Application
Login via an SSL VPN Using RADIUS
OTP Configuration
Deployment
IIS Installation
System Requirements
Platform Layers
Appendix
    A: SMS OTP Delivery Method
    B: Voice OTP Delivery Methods
    C: Hardware Token OTP Delivery Method
    D: Transparent Tokenless Toolbar for TOTP Delivery Method
    E: Printed OTP Delivery Method
  • 3. Summary

PortalGuard is a software solution designed as a strong authentication platform consisting of five layers: two-factor authentication, single sign-on, self-service password management, contextual authentication, and password synchronization. It is used for protecting browser-based applications which are hosted within an Intranet and/or outside the firewall, now commonly known as the Cloud.

These applications contain functionality to read, edit and search data at all levels of sensitivity, across multiple industries. The access point for browser-based applications is the login screen, where you are typically required to prove your identity by providing a username and password. This is normally sufficient to prove you are authorized, and you are therefore granted access to company applications and data.

Although still used as an integral part of authentication, passwords alone are inadequate for today’s browser-based applications. They are easily exploited by unauthorized users who find new methods of stealing passwords and impersonating authorized users. With that said, the true purpose of this document is to describe alternatives to using passwords.

Many choices in the market strengthen your authentication, to prevent unauthorized access, by providing two-factor authentication. Two-factor is an acceptable way to increase security; however, inflexibility and low usability have proven to be barriers for many organizations, with the primary barrier being high total cost of ownership in today’s economic climate. Token-based approaches are expensive and problematic when hardware is forgotten or needs repair or replacement. PortalGuard avoids these barriers by providing a flexible and cost-effective approach which is easily accepted by users.

The Basics

Two-factor authentication is used to increase security by requiring you to provide “something you know” (a password) and leverage “something you have” (laptop, mobile phone). The use of two distinct authentication factors helps eliminate an organization’s security concerns around granting access based on a single, knowledge-based factor.

One-time Passwords - PortalGuard Options

Increasing in popularity, a one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings of static passwords; in particular, they are not susceptible to replay attacks. If a potential intruder manages to record an OTP that was already used to log into a server, he or she will not be able to reuse it since it will no longer be valid.

The traditional method of delivering an OTP via a hard token or key fob has fallen out of favor due to cost and usability issues. Use of “soft tokens”, like mobile phones, has supplanted it.

PortalGuard can enforce two-factor authentication and deliver an OTP when the user is trying to access the web/cloud application directly, through a VPN connection using RADIUS, or when performing a self-service password reset, recovery, or account unlock.

PortalGuard not only leverages the user’s mobile device, but with its unique offering of transparent tokens, leverages the user’s laptop as well. A transparent token can be made up of several different types of parameters, including a random number, device serial numbers and/or Active Directory identifiers.
  • 4. Together these will make up the OTP which is then encrypted and passed from the client machine to the PortalGuard server.

OTP Delivery Methods

With PortalGuard you can deliver an OTP via SMS, hosted text-to-speech, SIP, email, printer or transparent token to achieve two-factor authentication. Please view appendices A-E for information on the individual delivery methods.

Benefits

- Increased security - add an extra layer of authentication to application access, VPN access, or during a self-service password reset
- Reduce Risk - prevent attacks by leveraging credentials which expire after one use
- Usability - leverage hardware a user already has for increased user adoption
- Eliminate forgotten passwords - leverage a username and OTP only as credentials
- Configurable - to the user, group or application levels
- Flexible - multiple OTP delivery methods available

Definitions (sidebar):

- MITM - Man-in-the-Middle Attack
- Passive Attack - the hacker is eavesdropping and/or monitoring all transactions, such as emails being exchanged
- Active Attack - the hacker is between the server and client, attempting to intercept information when passed between the two entities
- Printer - refers to sending a form letter to a specified printer with one or more OTPs printed - users can then use each OTP one time to login
  • 5. Beyond Two-factor Authentication

PortalGuard’s flexibility allows you to choose the appropriate authentication method for each user, group or application, by leveraging Contextual Authentication. Varying access scenarios in every organization drive the need for this type of authentication. For instance, users within your company’s four walls may only need to provide strong passwords, whereas a traveling salesperson or roaming user is presented with two-factor authentication. However, a traveling salesperson who is now in the office only needs to provide a password to prove his identity, because his situation when requesting access has changed. Contextual Authentication is a solution with the flexibility to match your individual users’ needs and organizational goals.

Why PortalGuard?

- Flexible authentication platform which expands with you and your requirements
- Low total cost of ownership
- Configurable - apply the appropriate authentication method to the user, group or application
- Gain usage insight - optionally collect location, time, device, network and application details for each access request
- No additional hardware - leverage devices users already use daily
- Easy installation and deployment
- Seamless integration with existing environment
- Developed/supported by authentication experts

How it Works

User Enrollment

Once two-factor authentication becomes a requirement, the user will be prompted to enroll their mobile phone. PortalGuard provides flexibility around this process by allowing you to configure whether the enrollment will be forced or able to be postponed “x” number of times by the user. This increases the usability for users, giving them options around a process many find intrusive and blocking.

Phone enrollment can also be automated by importing the data from any current corporate data source.
  • 6. Two-factor Authentication Process - Login Directly to a Cloud/Web-based Application
The following process shows the two-factor authentication process when a user is logging in directly to a cloud/web-based application.

Step 1: PortalGuard’s login screen is presented when a user visits the web-application. This login screen can be fully customized to match your organization’s branding, creating a seamless experience for the user.

Step 2: The user enters their username and clicks “Continue”.
  • 7. Step 3: The PortalGuard server sends the OTP to the user’s mobile phone within 5-10 seconds, in the form of an SMS.

NOTE: PortalGuard can send the OTP via SMS, email, printer or transparent token.

Step 4: The user is prompted for a password and OTP.
  • 8. Step 5: The user enters the OTP they received and clicks “Log On”.

Step 6: The user gains access to the web-application and data.

Step 7: This is an example of a user attempting to use an expired OTP that was never used. Once the expired OTP is entered, the user is denied access and prompted to cancel the process or request a valid OTP.

However, if the user attempts to reuse a used OTP or an unauthorized user is attempting to perform a replay attack, PortalGuard will display a dialog showing “Incorrect OTP Provided” if strikeouts are disabled.
  • 9. Two-factor Authentication Process - Login via an SSL VPN Using RADIUS:
The following steps show the two-factor authentication process when a user is logging into a cloud/web-based application via an SSL VPN connection using the RADIUS protocol.

RADIUS Support
RADIUS is a well-established, vendor-neutral network protocol and an Internet standard. It was primarily designed to authenticate remote users for dial-up services and is widely implemented by numerous network security vendors such as Cisco, Juniper, Citrix and Checkpoint.

Due to the widespread support for the RADIUS protocol by network security vendors, RADIUS is an optimal choice for enabling two-factor authentication for remote access users. In the standard case, a network security appliance, firewall or Network Access Server (NAS) is the “RADIUS client” or “NAS client” and the PortalGuard server acts as the “RADIUS server”. The end-user only communicates directly with the NAS client to provide the login information.

Because the NAS client communicates directly with the PortalGuard RADIUS server, authentication decisions made by PortalGuard are strictly enforced. This ensures a high level of security and consistency.

Most network security appliances allow VPN users to be authenticated using different mechanisms. A few common options are:
- User accounts defined locally on the appliance
- LDAP authentication
- X.509 certificates
- RADIUS

Enabling multi-factor authentication can be as straightforward as enabling RADIUS authentication on your network security appliance, pointing it to the PortalGuard server and adding a RADIUS client configuration in PortalGuard. The same RADIUS setup can often be used to authenticate remote users looking for an SSL VPN via web browser -AND- remote users with VPN software installed locally on their workstation.
This helps offer a high degree of consistency, reducing the need for user training and education.

How it Works

Step 1: The user attempts to connect to the NAS/firewall using either a browser or VPN client software and is prompted for username and password.
  • 10. Steps 2-5 happen transparently to the user:

Step 2: The NAS communicates the credentials to the PortalGuard server using the RADIUS protocol.

Step 3: The PortalGuard server validates the user’s credentials against its configured user repository (e.g. Active Directory).

Step 4: The user repository returns a success or failure code indicating whether the username and password are valid.

Step 5: PortalGuard replies to the RADIUS request with an Access-Challenge response that includes a custom message that should be displayed to the user and a random identifier (the “state”) that the NAS will send back to PortalGuard to identify the same user session.

Step 6: The NAS displays the custom message requesting the user to enter the OTP that was sent to their mobile device.
  • 11. Step 7: The user enters the OTP from their mobile device and submits it to the NAS.
  • 12. Steps 8 and 9 happen transparently to the user:

Step 8: The NAS sends the OTP and state identifier to PortalGuard using RADIUS.

Step 9: The PortalGuard server replies to the second RADIUS request with an Access-Accept response.

Step 10: The NAS accepts the user’s authentication and the VPN tunnel/session is established. The user is then able to access internal resources (e.g. “crm.acme.com”).

OTP Configuration
NOTE: All the following settings are policy specific, so you can have different values for different users/groups/hierarchies.

Configurable through the PortalGuard Configuration Utility:
- Expiration, aka “time-to-live” (TTL)
- Length
- Format
  - Numeric characters only
  - Upper/lowercase characters
  - Upper/lowercase & numeric characters
  - Upper/lowercase, numeric and symbol characters
  • 13. Delivery format, including From, Subject and Body Fields:

Deployment
Implementation of the PortalGuard platform is seamless and requires no changes to Active Directory/LDAP schema. A server-side software installation is required on each IIS server for which PortalGuard’s authentication functionality is desired. Additional client-side software is required for use of contextual authentication and/or transparent tokens.

IIS Installation
An MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI:
1. All the Web Server Management Tools role services
2. All the Application Development role services
3. All IIS 6 Management Compatibility role services

The MSI is a wizard-based install which will quickly guide you through the installation.
  • 14. System Requirements
PortalGuard can be installed directly on the following web servers:
- IBM WebSphere/WebSphere Portal v5.1 or higher
- Microsoft IIS 6.0 or higher
- Microsoft Windows SharePoint Services 3.0 or higher
- Microsoft Office SharePoint Server 2007 or later

To support two-factor authentication to a VPN using RADIUS the following is required:
- The network appliance must support RADIUS as an authentication option.
- The network appliance must support the Access-Challenge response type as well as the State and Reply-Message attributes.
- PortalGuard must be licensed for RADIUS support.
- End-user enrollment of mobile devices or challenge answers must be performed external to the RADIUS protocol.

The PortalGuard Web server also has the following requirements on Windows operating systems:
- .NET 2.0 framework or later must be installed
- (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)

PortalGuard is fully supported for installation on virtual machines. Furthermore, PortalGuard can currently be installed on the following platforms:
- Microsoft Windows Server 2000
- Microsoft Windows Server 2003 (32 or 64-bit)
- Microsoft Windows Server 2008 (32 or 64-bit)
- Microsoft Windows Server 2008 R2

If you have a platform not listed here, please contact us at sales@portalguard.com to see if we have recently added support for your platform.

Platform Layers
Beyond two-factor authentication, PortalGuard is a flexible authentication platform with multiple layers of available functionality to help you achieve your authentication goals:
- Contextual Authentication
- Self-service Password Reset
- Real-time Reports / Alerts
- Knowledge-based
- Password Management
- Single Sign-on
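The RADIUS challenge flow in Steps 1-10 and the OTP policy settings (TTL, length, format), sketched as an added Python example that is not PortalGuard code. The class and method names, the policy values, the "OTP expired" message and the in-memory delivery outbox are assumptions, and plain dictionaries stand in for RADIUS packets.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class OtpPolicy:  # settings named in the brief's OTP Configuration list
    ttl_seconds: int = 300         # expiration / time-to-live (value assumed)
    length: int = 6                # value assumed
    alphabet: str = "0123456789"   # "numeric characters only" format

class ChallengeServer:
    """Hypothetical stand-in for the RADIUS server role in Steps 2-9."""
    REJECT = {"code": "Access-Reject", "Reply-Message": "Incorrect OTP Provided"}

    def __init__(self, verify_password, policy, clock=time.time):
        self.verify_password = verify_password  # stands in for the user repository
        self.policy, self.clock = policy, clock
        self.sessions = {}  # State -> (username, otp, expires_at)
        self.outbox = []    # constructed stand-in for SMS/email delivery

    def access_request(self, username, secret, state=None):
        if state is not None:  # second request: secret is the OTP, State echoed by NAS
            return self._verify_otp(username, secret, state)
        if not self.verify_password(username, secret):
            return {"code": "Access-Reject"}
        otp = "".join(secrets.choice(self.policy.alphabet)
                      for _ in range(self.policy.length))
        state = secrets.token_hex(16)  # random identifier for this login session
        self.sessions[state] = (username, otp, self.clock() + self.policy.ttl_seconds)
        self.outbox.append((username, otp))
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the OTP sent to your mobile device"}

    def _verify_otp(self, username, otp, state):
        # pop() consumes the session, so a replayed State/OTP pair finds nothing.
        session = self.sessions.pop(state, None)
        if session is None:
            return dict(self.REJECT)
        owner, expected, expires_at = session
        if self.clock() > expires_at:
            return {"code": "Access-Reject", "Reply-Message": "OTP expired"}
        ok = owner == username and hmac.compare_digest(expected.encode(), otp.encode())
        return {"code": "Access-Accept"} if ok else dict(self.REJECT)

def demo():
    now = [1000.0]  # constructed clock so expiry can be shown without sleeping
    server = ChallengeServer(lambda u, p: (u, p) == ("alice", "correct horse"),
                             OtpPolicy(ttl_seconds=60), clock=lambda: now[0])
    first = server.access_request("alice", "correct horse")
    otp = server.outbox[-1][1]
    accepted = server.access_request("alice", otp, first["State"])
    replayed = server.access_request("alice", otp, first["State"])
    second = server.access_request("alice", "correct horse")
    now[0] += 61  # let the second OTP outlive its 60-second TTL
    late = server.access_request("alice", server.outbox[-1][1], second["State"])
    return [first["code"], accepted["code"], replayed["code"], late["Reply-Message"]]
```

In this sketch a wrong guess also consumes the challenge, which is a design choice made for the example rather than documented PortalGuard behaviour.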
  • 16. Appendix A: SMS OTP Delivery Method
For SMS delivery, PortalGuard leverages telephone companies’ SMTP-to-SMS gateways. This is why PortalGuard asks for both the phone number and the provider. An SMTP-to-SMS gateway is a free service maintained by the telephone companies to allow an email sent via SMTP to be delivered to a user's phone as an SMS/text message. The provider is needed to determine the gateway (e.g. "@txt.att.com" for AT&T), from which the full email address (phonenum@gateway) can then be built.

Leveraging these services allows PortalGuard to be deployed quickly (it only needs an SMTP relay for sending outbound emails as opposed to a modem and dedicated POTS line for full-blown SMS) and more cheaply (there is no cost incurred by the sender for each OTP sent nor does a phone line need to be maintained).
  • 17. Appendix B: Voice OTP Delivery Methods
PortalGuard can deliver a voice OTP, a text-to-speech WAV file, to a user’s landline phone using one of two methods: a hosted text-to-speech service or the SIP protocol.

Hosted Text-To-Speech
A text-based template is configured by the customer in PortalGuard. An account is created by the customer directly with a third-party service provider (PortalGuard does not provide this service). PortalGuard connects to the third-party hosted service which converts the template with the user’s one-time passcode into a WAV file and places a phone call to the end-user’s enrolled phone (land line or mobile) and plays the WAV file. The service typically offers the user the option of pressing a key to repeat the voice message.

Each call placed through the third-party service deducts credits from the customer’s account. Credits can typically be added at any time. The user types the OTP from the voice message into the PortalGuard browser interface to continue the authentication.
  • 18. SIP
Session Initiation Protocol (SIP) is a standards-based, widely implemented protocol used for controlling communication sessions such as voice calls over Internet Protocol (IP). The SIP integration available through PortalGuard allows customers to leverage their own existing phone infrastructure to place the phone calls when delivering an OTP. This is typically a more cost-effective option than using a third-party hosted service provider.

Similar to the Hosted text-to-speech option, a text-based template is configured by the customer in PortalGuard and the OTP is substituted into it at runtime. PortalGuard then converts the text to a WAV file using a text-to-speech API. The PortalGuard server then uses SIP to connect to the customer’s SIP gateway using an extension from a pool of extensions designated for exclusive use by PortalGuard. SIP is used to dial the end-user’s phone number and play the WAV file once they answer the call. The user then types the OTP from the voice message into the PortalGuard browser interface to continue the authentication.
  • 19. Appendix C: Hardware Token OTP Delivery Method
Although hardware or proprietary tokens have started to fall out of favor due to high cost and maintenance, they have still proven themselves as a viable option holding the largest market share and installed base in the two-factor authentication market. PortalGuard provides a hardware delivery method by supporting YubiKey integration.

YubiKey
This small USB-key is inserted into the user’s machine. By touching the hardware button YubiKey creates and sends a time-variant OTP by simulating keystrokes on the keyboard. The computer receives the code as though it was manually typed in by the user and PortalGuard verifies the authentication request. YubiKey avoids many issues and costs associated with other hardware tokens because the user does not have to type in the OTP, batteries are not required, and it does not rely on an absolute time generated by an accurate time source which avoids the need for synchronization.
  • 20. Appendix D: Transparent Tokenless Toolbar for TOTP Delivery Method
PortalGuard’s Transparent Tokenless Toolbar (TTT) offers a way to perform multi-factor authentication by both validating the user -AND- the device they’re using. It is transparent because it has no user interface and does not impose additional processes or steps on end-users. It is tokenless because it can offer multi-factor authentication without requiring the user to possess a separate hardware-based OTP generating token/device. The workstation itself acts as the “token” or rather “something the user has” when unlocked by the user’s successful login to it. Lastly, it is implemented as a toolbar within the users’ web browsers.

After installation and a one-time, automated enrollment, the TTT automatically generates a Time-based One-time Password (TOTP) on a configurable interval and sets the value as a session-based cookie. This cookie is created for only specific websites and is encrypted using public-key cryptography to ensure only the PortalGuard server can decrypt it. The one-time enrollment data is created independently for each user and is securely stored in the user’s workstation profile. This ensures the data follows the user as they log into different workstations and allows multiple users to share the same workstation provided they have separate login accounts.

The user’s PortalGuard security policy determines what level of authentication is required. If a valid TOTP is sufficient, then the TTT can be used to effectively enable web-based SSO. For multi-factor authentication, the user is prompted for their username/password and the TOTP is used as the second factor since only workstations they have logged into will be able to generate it.

The TTT is available for both 32 and 64-bit versions of Windows XP and later.
It is packaged as a standard MSI so it can be silently deployed to workstations in your environment, or a web page link can be presented to the user upon logging in that installs the toolbar.

Using PortalGuard’s TTT defeats man-in-the-middle attacks, in which an attacker intercepts messages in a public key exchange and resends them, substituting their own public key for the requested key, leaving both parties with the appearance that they are still communicating with each other. PortalGuard defeats this by using an encrypted cookie designated for the valid website. The cookie is encrypted using PKI. Phishing attacks are also successfully defeated by the TTT.

- See Visio on Next Page -
  • 22. Appendix E: Printed OTP Delivery Method
For cases where the user is unable to receive an OTP via traditional SMS or phone call, they have the option of generating and printing a batch of OTPs they can put someplace safe like their wallet. When the user is prompted for an OTP but hasn’t received it, they can enter the next OTP from the printed sheet.

These values are still OTPs in that they can only be used for a single authentication. The user simply enters the next OTP and crosses each one out as it’s used. The printed OTPs do not expire on a set interval like standard OTPs but the user can choose to clear them or generate and print a new batch at any time from their PortalGuard Account Management page.