Title: Next Generation Two Factor Authentication - Are Fagerheim, Trygg Data AS
1 Next Generation Two Factor Authentication
Are Fagerheim, Trygg Data AS
2 Problems With Passwords
- Social engineering
- Finding written password
  - Post-It Notes
- Guessing password / PIN
  - Dog/kids name / birthday
- Shoulder surfing
- Keystroke logging
  - Can be resolved with mouse based entry
- Screen scraping (with keystroke logging)
- Brute force password crackers
  - L0phtcrack
3 Two Factor Authentication
- Something you know
  - PIN
  - Password
  - Mother's maiden name
- Something you own
  - Keys
  - Credit card
  - Token
  - Phone
- Something you are
  - Fingerprint
  - DNA
- Two Factor Authentication is two of the above
  - Example: Chip and PIN
    - Something you know: PIN
4 Existing Form Factors
- Smartcards
  - End user must remember to carry the card!
  - Smartcards need a reader and software drivers
    - Remote users can't use home PCs or cybercafés
    - Smart phones, BlackBerrys, PocketPC etc. are limited by size
  - Requires certificate enrolment and replacement
  - Deployment: remote users must be sent a hardware device
  - Support: PIN management; failed tokens must be managed
5 Existing Form Factors
- USB Tokens
  - End user must remember to carry the token!
  - USB socket was not designed for constant insertion / removal and causes USB socket failure
  - Requires USB driver software to be installed and supported
    - Home PC not supported!
    - Hotel / cybercafés: no software install allowed!
    - Smart phones haven't got a USB port!!!
  - Deployment: remote users must be sent a hardware device
  - Support: PIN management; failed tokens must be managed
6 Existing Form Factors
- Tokens
  - End user must remember to carry the token!
  - Deployment: remote users must be sent a hardware device
  - Token may require resynchronisation
  - Support: PIN management; failed tokens must be managed
  - Short term contractors don't always return the token
  - B2B: one to many companies requires many identical tokens
7 The Next Generation
- Mobile phone based authentication
- Mobile phones solve all the previous issues, however:
  - Adding software to a range of phones is difficult to support
  - SMS at peak times sometimes causes delays of several minutes
8 The SecurEnvoy Approach
- Pre-loading the next required SMS message after each authentication attempt
- Re-usable day or week codes sent at fixed times
- Temporary agreed static code for XX days with self help
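The pre-loading idea on this slide, modelled as an added example (not SecurEnvoy's code): the server "sends" a passcode at enrolment, and each successful login consumes that passcode and immediately sends the next one, so no SMS round-trip sits on the login path and a captured code cannot be replayed. The SMS gateway is replaced by an in-memory outbox; names and the 6-digit format are assumptions, and the PIN salt/hash scheme is illustrative.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes                     # salted hash of the PIN ("something you know")
    phone: str
    next_passcode: Optional[str] = None  # code already pre-loaded onto the phone ("something you own")


class PreloadAuthenticator:
    """Pre-loading scheme: the passcode for the next login is sent as soon
    as the current one is consumed by a successful authentication."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sms_outbox: List[Tuple[str, str]] = []  # constructed stand-in for an SMS gateway

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _send_next(self, user: str) -> None:
        acct = self.accounts[user]
        acct.next_passcode = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit display
        self.sms_outbox.append((acct.phone, f"Passcode {acct.next_passcode}"))

    def enrol(self, user: str, pin: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, self._hash_pin(pin, salt), phone)
        self._send_next(user)  # first code goes out before any login is needed

    def authenticate(self, user: str, pin: str, passcode: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.next_passcode is None:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, acct.salt), acct.pin_hash)
        code_ok = hmac.compare_digest(passcode.encode(), acct.next_passcode.encode())
        if not (pin_ok and code_ok):
            return False  # code stays valid; only a full success consumes it
        self._send_next(user)  # consume this code and pre-load the next one
        return True
```

Failed attempts deliberately do not rotate the code, so a wrong PIN cannot be used to burn through codes; a production deployment would add lockout after repeated failures.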
9 Ease Of Use (Cost) Vs Risk
[Chart: ease of use (easy to hard) plotted against risk (low to high); options shown: Tokens or Smartcards, 30 Day Password, Fixed Password]
10 Cost Of Sending SMS
- Typical 700 user example
- Users set to 7 day codes, 1 SMS per week
- Requires 3000 SMS messages
- Total cost 20 per month at 1.5 pence per SMS
11 Solution Overview - Radius
[Diagram: mobile network delivers passcodes (e.g. Passcode 289621, Passcode 659142) to the phone; Internet; IIS Web Server; Radius clients: Fortinet, Checkpoint, Juniper, Nortel, Cisco; applications: Citrix nFuse, Outlook Web Access, Aventail SSL VPN]
- No software required on phone
- Next required passcode is sent after last authentication
- Eliminates any SMS delay problems
- PIN can be Windows password
12 Solution Overview - Web
[Diagram: same components as the Radius overview; mobile network delivers passcodes (e.g. Passcode 289621, Passcode 659142) to the phone; Internet; IIS Web Server; Fortinet, Checkpoint, Juniper, Nortel, Cisco; Citrix nFuse, Outlook Web Access, Aventail SSL VPN]
- No software required on phone
- Next required passcode is sent after last authentication
- Eliminates any SMS delay problems
- PIN can be Windows password
13 Microsoft Logon Authentication - The Key Issues
- Desktop / laptop users with screen lock
  - Need to authenticate many times a day!
- PDA / mobile phone users syncing e-mail
  - Need to authenticate many times a day
- Long term remote users with 30 day passwords
  - Support issues with locked user accounts
- End users will not accept the burden of authenticating many times a day with two factors!
14 Solution Overview - Microsoft Logon Authentication
[Diagram: PIN + PASSCODE = WINDOWS PASSWORD; mobile network delivers passcodes (e.g. Passcode 234836, Passcode 517834) from the SecurEnvoy Security Server; internal network with Domain Controller / Microsoft Active Directory]
- Passcode sent when Windows password updated
- Passcode sent at intervals, typically 1-30 days
- Windows password updated, typically 1-30 days
- User authenticates with PIN and passcode
15 Summary
- The next generation is mobile phone based authentication
- Must be supportable (no software on the phone)
- Must allow for SMS delays / loss of signal
- Must be easy to use (6 digit display on phone)
- Should re-use existing passwords (Windows) as the PIN
- Should directly integrate with Microsoft AD