Next Generation Two Factor Authentication

Upload: kaili

Post on 06-Jan-2016


DESCRIPTION

Next Generation Two Factor Authentication. 21st Century Remote Access: Laptop; Home / Other Business PC; Hotel / Cyber Café / Airport; Smart Phone / Blackberry. Who is using your VPN: Problems With Passwords. "Social engineering"; finding written password (Post-It Notes). PowerPoint PPT Presentation.

TRANSCRIPT

Next Generation Two Factor Authentication

21st Century Remote Access

• Laptop

• Home / Other Business PC

• Hotel / Cyber Café / Airport

• Smart Phone / Blackberry

Who is using your VPN: Problems With Passwords

• “Social engineering”

• Finding written password

– Post-It Notes

• Guessing password / PIN

– Dog/Kid’s name / Birthday

• Shoulder surfing

• Keystroke logging

– Can be resolved with mouse based entry

• Screen scraping (with keystroke logging)

• Brute force password crackers

– L0phtcrack

Two Factor Authentication

• Something you know

– PIN

– Password

– Mother’s Maiden Name

• Something you own

– Keys

– Credit Card

– Token

– Phone

• Something you are

– Fingerprint

– DNA

• Two Factor Authentication is two of the above

• Example: ATM Cash Machine

– Something you Know – PIN

– Something you Own – Cash Card (Chip)

Existing Form Factors: Smartcards / USB Tokens

• End user must remember to carry the card!

• Smartcards need readers

• Both need software drivers

• Remote users can’t use other PCs or cybercafés

• Smart phones, Blackberrys, PocketPCs etc. are limited by size

• Requires certificate enrolment and replacement

• Deployment – remote users must be sent a hardware device

• Support – PIN management & failed tokens must be managed

Existing Form Factors: Hardware Tokens

• End user must remember to carry the token!

• Deployment – remote users must be sent a hardware device

• Token may require resynchronisation

• Support – PIN management & failed tokens must be managed

• Short term contractors – don’t always return the token

• B2B – one user dealing with many companies requires many identical tokens

The Next Generation: Mobile Phone based Authentication

Mobile phones solve all the previous issues; however:

• Adding software to a range of phones is difficult to support

• SMS at peak times sometimes causes delays of several minutes


The SecurEnvoy Approach: Pre-Load vs. On Demand SMS

The first 6 digit passcode is sent at enrolment. 10 failed attempts in a row disable the account and SMS messages (all modes).

One Time Code: Each authentication (good or bad) sends the next required code. Each code can only be used once.

Day Code: Each day (or set number of days) a new code is sent if used. If the current day code hasn’t been used, it’s still secret and will not require updating. Each day code can be reused for the current and following day.

Tmp Code: A pre-agreed static code that automatically switches back to One Time or Day Code after a set number of days.

Example passcodes displayed on the phone in the slide: 573921; 347865; 347865; 198462.
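As an added illustration (not SecurEnvoy's code), the following Python models the server-side verification state for the One Time Code and Day Code modes just described: every good or bad attempt pre-loads the next one-time code, a day code is reusable for the current and following day, and ten consecutive failures disable the account. The class name, the injectable code generator and the re-issue of a day code after its two-day window are assumptions of the model.

```python
import secrets

MAX_FAILURES = 10  # the deck: 10 failed attempts in a row disable the account and its SMS

def new_code() -> str:
    # Random 6-digit passcode, zero-padded, as it would be displayed on the phone
    return f"{secrets.randbelow(10**6):06d}"

class PreloadAccount:
    """Server-side state for one user under the pre-loaded SMS passcode scheme.
    "otc": every attempt, good or bad, triggers the next code; each code works once.
    "day": a code is reusable on the day it is first used and the following day; an
    unused code stays valid ("still secret"); used on a later day, a fresh code is sent.
    Days are ordinals (date.today().toordinal()); `gen` is injectable for testing.
    Re-issuing after the two-day window is this model's assumption, not the deck's."""

    def __init__(self, mode="otc", gen=new_code):
        self.mode, self.gen = mode, gen
        self.failures, self.disabled = 0, False
        self.sent = []            # codes the SMS gateway would have delivered
        self.first_used = None    # day ordinal of first successful use ("day" mode)
        self._send()

    def _send(self):
        self.code, self.first_used = self.gen(), None
        self.sent.append(self.code)

    def verify(self, submitted: str, today: int) -> bool:
        if self.disabled:
            return False
        ok = secrets.compare_digest(submitted.encode(), self.code.encode())
        if ok and self.mode == "day" and self.first_used is not None \
                and today > self.first_used + 1:
            ok = False             # window over: reject, pre-load the next day code
            self._send()
        if not ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.disabled = True   # lockout: no more attempts, no more SMS
            elif self.mode == "otc":
                self._send()           # a bad attempt still advances to the next code
            return False
        self.failures = 0
        if self.mode == "otc":
            self._send()               # single use: the next code goes out right away
        elif self.first_used is None:
            self.first_used = today
        elif today > self.first_used:
            self._send()               # used on the following day: send the next day code
        return True
```

The `sent` list stands in for the SMS gateway so a deployment can be checked for how many messages each policy actually generates.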

PIN Management

Two Factor Authentication requires something you know & something you own. Why authenticate with two things you know?

Traditional Approach – UserID: fred; PIN: 3687; Passcode: 435891; Microsoft Password: P0stcode

The SecurEnvoy Approach – UserID: fred; Microsoft Password: P0stcode; Passcode: 435891

• Reuse the Microsoft or other LDAP password as the PIN

• Easier end user authentication experience

• No PIN administration required

• Can also support a PIN if required

Ease Of Use (Cost) Vs Risk

[Chart: Cost / Use (cheap and easy to expensive and hard) plotted against Risk (low to high) for Fixed Password, 30 Day Password, Tokens / Smartcards, SecurEnvoy 7 Day Code, SecurEnvoy 1 Day Code and SecurEnvoy One Time Code]

Use AD or other LDAP as the database

[Diagram] Standard Authentication Solutions: Active Directory, LDAP Sync, SQL Database, Replication, SQL Database; user information must be re-entered.

[Diagram] The SecurEnvoy Approach: Active Directory, SecurEnvoy Solution; no schema change required; data encrypted with 128 bit AES.

SecurAccess Authentication

[Login screen] Enter 6 Digit Number from Mobile Phone. Something You Know: Andyk / P0stcode. Something You Own: 234836. Passcode displayed on the phone: 573921.

Summary

• The Next Generation is Mobile Phone Based Authentication

• Up to 60% cheaper than Hardware Tokens

• No software on the phone

• Must allow for SMS delays & loss of signal

• Must be easy to use (6 digit display on phone)

• Should re-use existing passwords (Windows) as the PIN

• Should use LDAP as the database

www.SecurEnvoy.com