Philip Underwood - The New Wave of Tokenless Two-factor Authentication - Interop Mumbai 2009
© 2009 Copyright SecurEnvoy Ltd. All rights reserved
Interop Mumbai 2009
The New Wave of Tokenless Two-Factor Authentication
The process of identifying an individual, usually based on a username and password.
Source www.webopedia.com
Authentication (from Greek: αυθεντικός ; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic,
Source www.wikipedia.com
Authenticate
verb prove or show to be authentic.
DERIVATIVES authentication noun authenticator noun
Source Oxford English Dictionary www.askoxford.com
- What is authentication
Provides your digital identity
Good: easy to use/remember, cheap, prolific
e.g. Password = child's name, zip code etc.
Bad: hard to remember when strong, easily compromised when weak
e.g. Password = Q1asw&u$42
• Social engineering
• Guessing password / pin
• Shoulder surfing
• Keystroke logging
• Screen scraping (with Keystroke logging)
• Brute force password crackers
- Strength of the Password
- Compromising the Password
Password Utility - Cain and Abel www.oxid.it
- Compromising the Password
Password Utility – L0pht Crack
www.l0phtcrack.com
- Compromising the Password
Hardware keystroke logger - Key Ghost www.keyghost.com
• End user must remember to carry the token!
• Deployment - Remote users must be sent a hardware device
• Token may require resynchronisation
• Support - Failed token must be managed
• Smartcards need a reader and software drivers
• Short Term Contractors - Don’t always return the token
• B2B – One to many companies requires many identical tokens
- Two Factor Authentication
Quote: "I got my today, it took just 2 weeks to deliver here to Finland. It's so small! Gotta keep an eye for it, losing it would suck."
Source http://forumserver.twoplustwo.com/28/internet-poker/i-got-my-pokerstars-rsa-secureid-token-today-pic-367093/index33.html
- Two Factor Authentication
A phone in every pocket?
3.8 billion GSM connections
(source www.gsmworld.com)
End users protect their phones
A recent poll asked "what's the worst thing you could lose?"
• Your phone 92%
• 20 Euros 7%
• Your token 1%
Lost phones are reported missing much faster
2nd factor must be reported missing to be disabled
- Two Factor Authentication
How can a phone become an authenticator?
Option 1: Adding software on a phone?
• Many different phone interfaces
• Massive QA issues
• Major support issues
• Limited supported phone types
• Software deployment problems
Option 2: On-Demand SMS
• What about SMS delays
• What if I'm in a building with no signal
• I'm using my phone to connect to the internet
Option 3: Pre-load SMS
• Each authentication sends the next passcode
• Passcode 651273
- On demand v Pre Load SMS
- End User Experience
Traditional Approach
UserID: fred
PIN: 3687
Passcode: 435891
Microsoft Password: P0stcode
Easiest Approach
UserID: fred
Microsoft Password: P0stcode
Passcode: 435891
• Reuse the Microsoft or other LDAP password as the PIN
• Easier end user authentication experience
• No PIN administration required
- Two Factor Authentication
UserID: PhilU
Something You Know (password): P0stcode
Something You Own (6 digit number from mobile phone): 234836
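The pre-load SMS scheme (Option 3 above) and the "easiest approach" login, where the directory password is the "something you know" and the pre-loaded six-digit passcode is the "something you own", can be sketched as a small server. This is an added illustration, not SecurEnvoy's code: the directory is replaced by a constructed in-memory password table, the SMS gateway by a list, and the three-strike lockout is an assumption added because a six-digit code has only a million values. The passcode is single use; a successful login is the only event that issues (and pre-loads) the next one, which is why the newest SMS is the only one that matters and why a lost handset has to be reported to be disabled.

```python
import hmac
import secrets
from dataclasses import dataclass, field

PASSCODE_DIGITS = 6
MAX_FAILURES = 3   # assumption: lock after three bad attempts (6-digit code = 1e6 guesses)

# Constructed stand-in for the AD/LDAP password check; a real server would bind
# to the directory instead of holding any password itself.
DIRECTORY_PASSWORDS = {"fred": "P0stcode"}


def new_passcode(avoid: str = "") -> str:
    """Random zero-padded 6-digit passcode, never equal to the one it replaces."""
    while True:
        code = f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"
        if code != avoid:
            return code


@dataclass
class PreloadAuthServer:
    """Toy pre-load SMS server: the passcode for the NEXT login is sent at the
    end of the current one, so the phone already holds it when offline."""
    preloaded: dict = field(default_factory=dict)   # user -> passcode valid for the next login
    failures: dict = field(default_factory=dict)    # user -> consecutive bad attempts
    sms_log: list = field(default_factory=list)     # (user, text) handed to the simulated SMS gateway

    def _send_sms(self, user: str, code: str) -> None:
        self.sms_log.append((user, f"Passcode {code}"))

    def enrol(self, user: str) -> None:
        """Pre-load the first passcode at enrolment time."""
        code = new_passcode()
        self.preloaded[user] = code
        self.failures[user] = 0
        self._send_sms(user, code)

    def latest_sms(self, user: str):
        """What is on the handset now: only the most recent message is valid."""
        for u, text in reversed(self.sms_log):
            if u == user:
                return text
        return None

    def authenticate(self, user: str, password: str, passcode: str) -> bool:
        expected_pw = DIRECTORY_PASSWORDS.get(user)
        expected_code = self.preloaded.get(user)
        if expected_pw is None or expected_code is None:
            return False
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False                      # locked: helpdesk must reset
        # Evaluate both factors in constant time and do not short-circuit,
        # so a wrong password and a wrong passcode are indistinguishable.
        pw_ok = hmac.compare_digest(password.encode(), expected_pw.encode())
        code_ok = hmac.compare_digest(passcode.encode(), expected_code.encode())
        if not (pw_ok and code_ok):
            self.failures[user] = self.failures.get(user, 0) + 1
            return False                      # nothing new is sent on failure
        self.failures[user] = 0
        nxt = new_passcode(avoid=expected_code)
        self.preloaded[user] = nxt            # the code just used is now worthless
        self._send_sms(user, nxt)             # next SMS overwrites the previous one
        return True


if __name__ == "__main__":
    srv = PreloadAuthServer()
    srv.enrol("fred")
    code = srv.latest_sms("fred").split()[-1]
    print("login with pre-loaded code:", srv.authenticate("fred", "P0stcode", code))
    print("replay of the same code:   ", srv.authenticate("fred", "P0stcode", code))
    print("phone now shows:           ", srv.latest_sms("fred"))
```

Two properties worth checking against any real implementation of this scheme: a failed attempt must not trigger a fresh SMS (otherwise an attacker with the password can force a code onto a phone they may have stolen later), and the used code must be invalidated on success rather than at the next delivery.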
- Two Factor Authentication
Use AD or other LDAP as the database
Standard Authentication Solutions
• Active Directory, LDAP sync to a separate SQL database
• SQL database replication
• Re-enter user information
SecurEnvoy Solution
• Active Directory
• No changes to the schema
• Must be encrypted (128 bit AES)
- Resilience
Diagram: My Domain spanning Site 1 and Site 2, each site with AD Domain Controllers, SecurEnvoy SecurAccess servers and an SSL VPN; authentication data replicated by Active Directory.
Leverage existing replication of AD or other LDAP
- Supporting Multiple Domains
Diagram: a central Radius & 2FA Server serving VPN Server A (Microsoft AD Domain A, End User A), VPN Server B (eDirectory Domain B, End User B) and an IIS Web Server for Internet customers held in a Customer ADAM instance on the central server; passcodes (e.g. 971563, 347219) delivered to each end user over the Mobile Network.
- Deployment
1. Locate existing users in AD (LDAP)
• Search base (OU=Amsterdam)
• Search filter (memberof=vpngroup)
2. Check for known mobile numbers
3. Self enrol via email unknown mobile numbers
Deploy around 300 users per minute
• 5000 users in around 16 minutes
- Summary
• Easy to use
• No additional PIN
• No token
• Next SMS overwrites previous one
• Easy to administer and deploy
• No database, reuse existing central LDAP
• Automate deployment
• Self enrol unknown mobile numbers
• Resilient
• Pre-load passcodes
• Leverage LDAP server replication
• Support multiple heterogeneous domains
www.SecurEnvoy.com