AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME...

16
AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE RENAUD Senior Software Engineers - Identity Management

Transcript of AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME...

Page 1: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

AUTHENTICATION USING ONE-TIMEPASSWORD TOKEN AND SMART CARDAN EASY WAY TO PREVENT IDENTITY THEFT

THIERRY BORDAZ - FLORENCE RENAUD

Senior Software Engineers - Identity Management

Page 2: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

PASSWORD THEFT

Page 3: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

CNIL RECOMMENDATION

Page 4: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

PHISHING

Page 5: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

PASSWORDS ARE NOTSECURE.WHAT SHOULD I DO, THEN?TWO FACTOR AUTHENTICATION

OTP (TOTP/HOTP TOKENS, SOFT TOKENS, MOBILE PHONE...)

PKCS#11 (SMART CARD READER + SMART CARD, USB KEYS...)

Page 6: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

IDENTITY MANAGEMENTMAIN FEATURES

CENTRALIZED AUTHENTICATION

Source: IDM or Active DirectoryCredentials: passwords, certificates, Smart Cards, OTP tokensSingle Sign-On: Kerberos, SAML, OpenID

CENTRALIZED AUTHORIZATION

Resources: systems, services, applicationsHBAC, sudo rules, privileges

CENTRALIZED MANAGEMENT

PolicyCertificates and Keys

DNS

BASED ON A COLLECTION OF OPEN SOURCE COMPONENTS:KDC, LDAP, PKI, DNS, FREEIPA

Page 7: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

DEMO #1:

OTPAUTHENTICATIONWITH FREEIPA

Page 8: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

Secret

Serial number XXX

Secret / SR

Soft token(freeOTP)

Hardware token(gemalto)

Programmable Hardware

token (yubikey)

Write secret

Phase 1: Sharing a secret

user 1

user 2

user 3XXX

Page 9: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

Write secret

Soft token(freeOTP)

Phase 2: Synchronize counter

code(counter) =

TRUNCATE(HMAC(sha1, , counter)) / (10^digit)

rfc 4226/6238

user 1

code(counter_N)

code(counter_N+1)

Phase 3: use it at login

Soft token(freeOTP)

user 1 - 2FAFirst factor password

Second factor: code

Page 10: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

Second factor: code

DEMO #2:

SMART CARDAUTHENTICATIONWITH FREEIPA

Page 11: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

FREEIPA SERVER FREEIPA CLIENT

Users and groups

Username:

PIN:

SMART CARDAUTHENTICATION

Page 12: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

FREEIPA SERVER FREEIPA CLIENT

Users and groups

Username:

PIN:

SMART CARDAUTHENTICATION

SSL certificate

Page 13: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

FREEIPA SERVER FREEIPA CLIENT

Users and groups

Username:

PIN:

SMART CARDAUTHENTICATION

Look formatching user

Page 14: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

FREEIPA SERVER FREEIPA CLIENT

Users and groups

Username:

PIN:

SMART CARDAUTHENTICATION

authenticated

Page 15: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

RESOURCESFREEIPA

Project wiki: Project trac: Code: Blog aggregation: FreeIPA demo instance in the cloud: Mailing lists:

[email protected]@[email protected]

http://www.freeipa.orghttps://fedorahosted.org/freeipa/

https://git.fedorahosted.org/cgit/freeipa.git/http://planet.freeipa.org/

http://www.freeipa.org/page/Demo

http://www.freeipa.org/
https://fedorahosted.org/freeipa/
https://git.fedorahosted.org/cgit/freeipa.git/
http://planet.freeipa.org/
http://www.freeipa.org/page/Demo
Page 16: AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART … · AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD AN EASY WAY TO PREVENT IDENTITY THEFT THIERRY BORDAZ - FLORENCE

twitter.com/RedHatNews

youtube.com/redhat

facebook.com/redhatinc

THANK YOU!

plus.google.com/+RedHat

linkedin.com/company/red-hat

http://twitter.com/RedHatNews
http://youtube.com/redhat
http://facebook.com/redhatinc
http://plus.google.com/+RedHat
http://linkedin.com/company/red-hat

Auth shield mobile token authentication solutions

Auth shield mobile token authentication solutions

Authentication Devices - hidglobal.com · ActivID OTP Token ActivID USB Token Pocket Token Desktop Token BlueTrust Token ActivKey SIM Product Description Small, durable token with

Authentication Devices - hidglobal.com · ActivID OTP Token ActivID USB Token Pocket Token Desktop Token BlueTrust Token ActivKey SIM Product Description Small, durable token with

Using a Personal Device to Strengthen Password ...FC’06), and two-factor authentication such as a password and a passcode generator token (e.g. SecurID). MP-Auth protects against

Using a Personal Device to Strengthen Password ...FC’06), and two-factor authentication such as a password and a passcode generator token (e.g. SecurID). MP-Auth protects against

Usable Security – Password Fallback Authentication

Usable Security – Password Fallback Authentication

Token Authentication in ASP.NET Core

Token Authentication in ASP.NET Core

Password Authentication

Password Authentication

206622186 29423055 Graphical Password Authentication

206622186 29423055 Graphical Password Authentication

Securing Single Page Applications with Token Based Authentication

Securing Single Page Applications with Token Based Authentication

Password Based Authentication Scheme: Safety … of Authentication Passwordbased Authentication Existing Techniques Conclusions References Password Based Authentication Scheme: Safety

Password Based Authentication Scheme: Safety … of Authentication Passwordbased Authentication Existing Techniques Conclusions References Password Based Authentication Scheme: Safety

SafeNet Authentication Service Configuration Guide...5. If a software token is detected, the SafeNet login page will display Token, PIN, Microsoft Password, and Microsoft Domain fields.

SafeNet Authentication Service Configuration Guide...5. If a software token is detected, the SafeNet login page will display Token, PIN, Microsoft Password, and Microsoft Domain fields.

Graphical password authentication system ppts

Graphical password authentication system ppts

Password Less Authentication - Srikar Sagi

Password Less Authentication - Srikar Sagi

User Authentication and Identity Management · 2 FortiAuthenticator Overview ... • Web based login widget ... Two-factor Authentication Username Password Token LDAP/ Active

User Authentication and Identity Management · 2 FortiAuthenticator Overview ... • Web based login widget ... Two-factor Authentication Username Password Token LDAP/ Active

SafeNet Authentication Client Administrator’s · PDF fileToken settings configuration Token Password quality configuration

SafeNet Authentication Client Administrator’s · PDF fileToken settings configuration Token Password quality configuration

Graphical Password authentication using Hmac

Graphical Password authentication using Hmac

Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication.

Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication.

Password Authentication Today

Password Authentication Today

Token Authentication for Java Applications

Token Authentication for Java Applications

Graphical Password Authentication

Graphical Password Authentication

SafeNet Authentication Service Token Validator … Authentication Service Token Validator Proxy Agent: ... SafeNet Authentication Service Token Validator Proxy Agent: ... the SAS Connectivity

SafeNet Authentication Service Token Validator … Authentication Service Token Validator Proxy Agent: ... SafeNet Authentication Service Token Validator Proxy Agent: ... the SAS Connectivity