Next Generation Two Factor Authentication - PowerPoint PPT Presentation

Slides: 15
Provided by: andyke6

Transcript and Presenter's Notes



1
Next Generation Two Factor Authentication
2

21st Century Remote Access
  • Laptop
  • Home / Other Business PC
  • Hotel / Cyber Café / Airport
  • Smart Phone / Blackberry

3

Who is using your VPN?
Problems With Passwords
  • Social engineering
  • Finding written password
      • Post-It Notes
  • Guessing password / PIN
      • Dog / Kid's name / Birthday
  • Shoulder surfing
  • Keystroke logging
      • Can be resolved with mouse based entry
  • Screen scraping (with keystroke logging)
  • Brute force password crackers
      • L0phtcrack

4
Two Factor Authentication
  • Something you know
      • PIN
      • Password
      • Mother's Maiden Name
  • Something you own
      • Keys
      • Credit Card
      • Token
      • Phone
  • Something you are
      • Fingerprint
      • DNA
  • Two Factor Authentication is two of the above
  • Example: ATM Cash Machine
      • Something you know: PIN

5
Existing Form Factors
  • Smartcards / USB Tokens
      • End user must remember to carry the card!
      • Smartcards need readers
      • Both need software drivers
      • Remote users can't use other PCs or Cybercafés
      • Smart phones, Blackberrys, PocketPC etc are limited by size
      • Requires certificate enrolment and replacement
      • Deployment - Remote users must be sent a hardware device
      • Support - PIN Management & Failed token must be managed

6
Existing Form Factors
  • Hardware Tokens
      • End user must remember to carry the token!
      • Deployment - Remote users must be sent a hardware device
      • Token may require resynchronisation
      • Support - PIN Management & Failed token must be managed
      • Short Term Contractors - Don't always return the token
      • B2B - One to many companies requires many identical tokens

7
The Next Generation
  • Mobile Phone based Authentication
  • Mobile Phones solve all the previous issues, however:
      • Adding software to a range of phones is difficult to support
      • SMS at peak times sometimes causes a delay of several minutes

8
Pre-Load vs. On demand SMS
9
The SecurEnvoy Approach
The first 6 digit passcode is sent at enrolment
  • One Time Code
      • Each authentication (good or bad) sends the next required code
      • Each code can only be used once

Passcode 573921
Passcode 347865
Passcode 347865
Passcode 198462
Day Code: Each day (or set number of days) a new code is sent if used. If the current day code hasn't been used, it's still secret and will not require updating. Each day code can be reused for the current and following day.

Tmp Code: A pre-agreed static code that automatically switches back to One Time or Day Code after a set number of days.

10 failed attempts in a row disables account and SMS messages (all modes).
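
The One Time Code mode above as a state machine, an added example rather than SecurEnvoy's code; the class name, the `send_sms` callback, the random code generation and the in-memory state are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 10  # from the slide: 10 failed attempts in a row disables the account


class PreloadedPasscodeAccount:
    """One Time Code mode: the next passcode is always pre-loaded on the phone."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # hypothetical callback standing in for an SMS gateway
        self._failures = 0
        self.disabled = False
        self._current = None
        self._issue_next()          # the first passcode is sent at enrolment

    def _issue_next(self):
        # 6-digit code from a CSPRNG; overwriting the old code makes it single-use.
        new = self._current
        while new == self._current:  # never hand out the code that was just retired
            new = f"{secrets.randbelow(10**6):06d}"
        self._current = new
        self._send_sms(new)

    def authenticate(self, submitted):
        if self.disabled:
            return False            # disabled: no check and no further SMS
        ok = hmac.compare_digest(submitted.encode(), self._current.encode())
        self._failures = 0 if ok else self._failures + 1
        if self._failures >= MAX_FAILURES:
            self.disabled = True    # lockout also stops SMS delivery
            self._current = None
            return False
        self._issue_next()          # good or bad, the next required code is sent
        return ok


def demo():
    outbox = []                     # constructed stand-in for delivered SMS messages
    acct = PreloadedPasscodeAccount(outbox.append)
    first = outbox[-1]
    results = [acct.authenticate(first),   # correct pre-loaded code
               acct.authenticate(first)]   # replay of a used code
    for _ in range(MAX_FAILURES - 1):      # with the replay: 10 failures in a row
        acct.authenticate("wrong!")
    return results + [acct.disabled, len(outbox)]
```

Because a failed attempt also rotates the code, an observed or guessed-at passcode is dead after one try, and the lockout bounds online guessing to ten attempts against a one-in-a-million code space.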
10
PIN Management
Traditional Approach
  • UserID: fred
  • PIN: 3687
  • Passcode: 435891
  • Microsoft Password: P0stcode

Two Factor Authentication requires something you know and something you own. Why authenticate with two things you know?
The SecurEnvoy Approach
  • UserID: fred
  • Microsoft Password: P0stcode
  • Passcode: 435891

Reuse the Microsoft or other LDAP password as the PIN. Easier end user authentication experience. No PIN administration required. Can also support a PIN if required.
11
Ease Of Use (Cost) Vs Risk
[Chart: Cost Vs Risk. Cost / Use axis runs from Cheap / Easy to Expensive / Hard; Risk axis runs from Low Risk to High Risk. Plotted items: Tokens / Smartcards, 30 Day Password, Fixed Password.]
12
The SecurEnvoy Approach
  • Standard Authentication Solutions

SecurEnvoy Solution
Use AD or other LDAP as the database
Active Directory
No schema change required. Data encrypted with 128 bit AES.
13
SecurAccess Authentication
Andyk
Passcode 573921
P0stcode
234836
14
Summary
  • The Next Generation is Mobile Phone Based Authentication
  • Up to 60% cheaper than Hardware Tokens
  • No Software on the phone
  • Must Allow for SMS Delays and Loss of Signal
  • Must Be Easy To Use (6 Digit Display On Phone)
  • Should Re-Use Existing Passwords (Windows) as the PIN
  • Should Use LDAP as the Database

www.SecurEnvoy.com