Post on 06-Jan-2016
21st Century Remote Access
• Laptop
• Home / Other Business PC
• Hotel / Cyber Café / Airport
• Smart Phone / Blackberry
Who is using your VPN?
Problems With Passwords
• "Social engineering"
• Finding written password
  – Post-It Notes
• Guessing password / PIN
  – Dog's / kid's name / birthday
• Shoulder surfing
• Keystroke logging
  – Can be resolved with mouse-based entry
• Screen scraping (with keystroke logging)
• Brute force password crackers
  – L0phtcrack
Two Factor Authentication
• Something you know
  – PIN
  – Password
  – Mother's Maiden Name
• Something you own
  – Keys
  – Credit Card
  – Token
  – Phone
• Something you are
  – Fingerprint
  – DNA
• Two Factor Authentication is two of the above
• Example: ATM Cash Machine
  – Something you Know – PIN
  – Something you Own – Cash Card (Chip)
Existing Form Factors
Smartcards / USB Tokens
• End user must remember to carry the card!
• Smartcards need readers
• Both need software drivers
• Remote users can't use other PCs or cybercafés
• Smart phones, Blackberrys, PocketPC etc. are limited by size
• Requires certificate enrolment and replacement
• Deployment – remote users must be sent a hardware device
• Support – PIN management & failed tokens must be managed
Existing Form Factors
Hardware Tokens
• End user must remember to carry the token!
• Deployment – remote users must be sent a hardware device
• Token may require resynchronisation
• Support – PIN management & failed tokens must be managed
• Short term contractors – don't always return the token
• B2B – one to many companies requires many identical tokens
The Next Generation
Mobile Phone based Authentication
Mobile phones solve all the previous issues; however:
• Adding software to a range of phones is difficult to support
• SMS at peak times sometimes causes delays of several minutes
The SecurEnvoy Approach
One Time Code
Each authentication (good or bad) sends the next required code. Each code can only be used once.
The first 6-digit passcode is sent at enrolment.
Day Code
Each day (or set number of days) a new code is sent if used. If the current day code hasn't been used, it's still secret and will not require updating. Each day code can be reused for the current and following day.
Tmp Code
A pre-agreed static code that automatically switches back to One Time or Day Code after a set number of days.
10 failed attempts in a row disables account and SMS messages (all modes).
[Slide illustration: phone screens showing sample SMS passcodes 573921, 347865 and 198462]
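As an added illustration (not SecurEnvoy's code), the One Time Code mode and the 10-failure lockout above modelled as server-side verifier state in Python; the SMS gateway is a constructed in-memory outbox, the LDAP password reused as the PIN is an assumed plain-string field, and the code generator is injectable so the behaviour can be checked deterministically.

```python
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 10  # slide rule: 10 failed attempts in a row disables the account


def random_code() -> str:
    """Fresh 6-digit passcode, like the 573921 shown on the slides."""
    return f"{secrets.randbelow(1_000_000):06d}"


@dataclass
class OneTimeCodeUser:
    """Server-side state for one user in One Time Code mode (illustrative model)."""
    ldap_password: str                    # Windows/LDAP password reused as the PIN (assumed plain string)
    code_source: object = random_code     # injectable so tests can use fixed codes
    sms_outbox: list = field(default_factory=list)  # constructed stand-in for the SMS gateway
    consecutive_failures: int = 0
    disabled: bool = False
    current_code: str = field(init=False, default="")

    def __post_init__(self):
        self._send_next()                 # first passcode is sent at enrolment

    def _send_next(self):
        self.current_code = self.code_source()
        self.sms_outbox.append(self.current_code)

    def authenticate(self, password: str, passcode: str) -> bool:
        """Check both factors; every attempt, good or bad, burns the current code."""
        if self.disabled:
            return False                  # no login and no further SMS once locked
        # '&' instead of 'and' so both comparisons always run (no early exit on factor 1)
        ok = (secrets.compare_digest(password, self.ldap_password)
              & secrets.compare_digest(passcode, self.current_code))
        self.current_code = ""            # each code can only be used once, even on failure
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_FAILURES:
                self.disabled = True      # account and SMS messages disabled
                return False
        self._send_next()                 # good or bad, the next code is sent
        return ok
```

A replayed code fails and still rotates the code, so an attacker who intercepts one SMS cannot reuse it, while the legitimate user always holds the latest one.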
PIN Management
Two Factor Authentication requires something you know & something you own. Why authenticate with two things you know?
Traditional Approach – UserID: fred, PIN: 3687, Passcode: 435891, Microsoft Password: P0stcode
The SecurEnvoy Approach – UserID: fred, Microsoft Password: P0stcode, Passcode: 435891
• Reuse the Microsoft or other LDAP password as the PIN
• Easier end user authentication experience
• No PIN administration required
• Can also support a PIN if required
Cost Vs Risk
[Chart: Ease Of Use (Cost) Vs Risk. Horizontal axis: Risk (low to high); vertical axis: Cost / Use (cheap / easy to expensive / hard). Plotted options: Fixed Password, 30 Day Password, Tokens / Smartcards, SecurEnvoy 7 Day Code, SecurEnvoy 1 Day Code, SecurEnvoy One Time Code]
Use AD or other LDAP as the database
[Diagram: Standard Authentication Solutions – Active Directory, LDAP sync to an SQL database, replication to a second SQL database, user information re-entered. The SecurEnvoy Solution – SecurEnvoy uses Active Directory directly: no schema change required, data encrypted with 128-bit AES]
[Screenshot: SecurAccess Authentication login. Something You Know – UserID Andyk, Microsoft password P0stcode. Something You Own – "Enter 6 Digit Number from Mobile Phone", with the phone showing an SMS passcode (sample values 234836 and 573921 on the slide)]
Summary
The Next Generation is Mobile Phone Based Authentication
• Up to 60% cheaper than hardware tokens
• No software on the phone
• Must allow for SMS delays & loss of signal
• Must be easy to use (6 digit display on phone)
• Should re-use existing passwords (Windows) as the PIN
• Should use LDAP as the database
www.SecurEnvoy.com