8/2/2019 55752538 Two Factor Authentication
http://slidepdf.com/reader/full/55752538-two-factor-authentication 1/18
Visolve – Open Source Solutions
Visolve – Securing Digital Assets
Contents
- Security Overview
- Security Concerns
- Security Needs
- Technical Overview
- Two-Factor Authentication System
- OTP – One Time Password Solutions
- OATH – Open Standards for OTP
Security Layers - Challenges
Authentication: Ability to Validate, Proving Identity
Authorization: Access to Network, Allowing to Transact
Accounting: Management, Auditing
Users: Profiling
Security Policy: User Rights, Access Levels
Security Platform: Applications, Interface
Security Device
Security Threats & Business Needs
Vulnerabilities
- Cyber Crime – Identity theft and Fraud
- Phishing & Pharming attacks becoming more sophisticated and malicious
Business needs
- Enhanced Security: Stronger user authentication – Two Factor Authentication System
- Cost effective Password & Identity Management
- Delivery Mechanism – Convenience of carrying security devices and ease of use
Power of One-Time Password (OTP)
- OTP deployment makes full life-cycle management easy & cost effective
- Flexibility and availability of various OTP methods – time synchronized, event synchronized or challenge response
- Password generated valid for single use
- Enhanced security environment for users to authenticate and transact on web
- Centralized repository of User profiles and credentials
Visolve – Open Standards for OTP
- Today, with the exception of RADIUS, integration of OTPs can be achieved only through costly proprietary interfaces & protocols
- Can leverage on existing VPN/Wireless LAN infrastructure
- Low cost/no vendor lock alternative to proprietary solutions
- Easily added to existing web server password validation infrastructure
- Token based solution now inexpensive for wider B2C deployments
Technology Overview
HP-UX AAA Server and OATH: Standards-Based Two-Factor Authentication
Technology - Framework
Two-Factor Authentication
- Authentication using two independent methods – typically something you have (device) and something you know (password)
One-Time Password
- Password valid for single use
- Two-Party Model: Client and Server use OTP software or hardware to generate and validate password
- Two-Channel Model: High value transaction can be authenticated by requiring an OTP being delivered through a secondary channel via email or SMS
OATH
- Open standards for OTP generation: http://openauthentication.org
- Sequence based algorithm
- Supported by all of the token device vendors
Advantages of OATH vs. Proprietary OTP
Low Cost
- Sequence based algorithm allows low manufacturing cost for token device
- No Royalty Programs
- Leverage in both price-points and form-factors
Wide variety of user deployment models
- Standalone token device can be built into consumer electronics
- Secondary channel solutions – SMS
No Vendor Lock
- Client, Server, user management components can be purchased separately
- Multiple OTP clients can be concurrently supported from the same authentication server
Easy on Cost, Easy to Implement, Easy to End Users, Easy to Manage
OATH/OTP Authentication Opportunities
User Tokens
- Low priced tokens from multiple vendors
- Soft-tokens that can run on java enabled devices – mobile phones
- SMS delivery of OTP for non java enabled devices
Mobile makes ideal OTP device
- Ubiquitous
- Leverage applications provisioning to manage OTP soft-token
- Addressing Consumer issue of handling multiple hard tokens
Opportunity for OTP authentication as telecom service
- Consumer authenticates to bank/retailer
- Retailer authenticates password locally
- Forward OTP to Service Provider
User-Base: Enterprise, Government, Medical, Finance, Web-Merchants
OATH/OTP vs. Other Major Authentication Technologies

Method: Password
- Advantages: Widely used and supported by the largest number of applications; Technology easily understood by users
- Disadvantages: Relies on human protection and management of the secret.
- Key Vulnerabilities: Brute force; Man-in-the-middle/client insertion; Phishing; Over the shoulder; Keystroke loggers
- Applicability: Lower risk environments; Legacy environments; No network usage or protected network usage

Method: OTP + Password
- Advantages: Two-factor authentication compatible with password based infrastructure: zero client footprint option
- Disadvantages: Requires possession of OTP generation software/hardware or access to a secondary channel for OTP transmission
- Key Vulnerabilities: Man-in-the-middle/client insertion; Phishing (reduced to one-time action)
- Applicability: B2C Commerce; Enterprise Security (VPN); Environments not suited for PKI (e.g. password based application infrastructure)

Method: Digital Certificates/PKI
- Advantages: Bi-directional authentication; Can provide two-factor; Non-repudiation
- Disadvantages: Certificate management cost can be prohibitive for large user base; Heavy footprint to manage on client; Not compatible with small devices; Requires distribution of certificate/smart card to client.
- Key Vulnerabilities: User override of warnings; Client insertion (reduced)
- Applicability: Highly secure environments; Monetary or legal transactions where non-repudiation is a required feature; Environments where mutual authentication is required.

Cost/Complexity/Protection: LOWER (Password) -> HIGHER (Digital Certificates/PKI)
Customer slide presentation
OATH Soft Tokens: Three Tier Service Provider Model
1. Provisioning: User Key and sequence number are generated by service provider. Key and OATH Applet are delivered to user device by client provisioning service.
2. Local Authentication: User connects to web retail presence via browser. Password verified locally.
3. OTP Authentication: User provides OTP from cell phone. Passed to Service provider for verification.
4. Multiple Retailers: Multiple retailers share the same OTP service, while locally maintaining password authentication.
Diagram components: Web based Mgt, HP-UX AAA, Database, SMS; links over HTTPS and RADIUS
OATH: Provisioning Life Cycle: Token Cards
1. New Installation: Supplier delivers tokens and key file. Admin tool imports serial number/key pairs into secure storage.
   Serial#  Key
   A123     34334343
   A124     34555555
2. New User: Serial number key and sequence number 0 are assigned to user entry. Token device is delivered to user.
3. Help Desk: User entry can be resynchronized with user's token device if needed.
4. Deactivate User: User entry locked. Token device may be assigned to another user.
Diagram components: Web based Mgt, Database, Keys, User
Basic Password Authentication Sequence – Adding Two Factor Authentication
Supplicant (client device; token displays an OTP such as 123456) -> Authenticators -> AAA Server
1. Username/password entered on client device
2. Protocol: VPN: L2TP/IPSec; LAN: 802.1x; Web: HTTPS; etc.
3. Authenticators: Web Server, VPN Gateway, Firewall, WLAN Access Point, Unix (login/SSH, …) etc. Authenticate password locally or forward to AAA
4. Protocol: RADIUS – OTP appended to password field (separate prompt or combined with existing password input)
5. AAA Server (HP-UX AAA with Database): Authenticates password; Tracks and logs user session; OTP validated, token sequence number updated in Database
Two factor authentication can be added with minimal disruption. Zero client software changes possible.
sting password based single factor authentication infrastructure.
HP-UX AAA Server Overview
Purpose:
- Centralized service to provide authentication and recording of user access to network resources
- Control access to wireless LANs, VPN gateways, http servers, and other RADIUS enabled devices or applications
- Provides access and accounting control for greater security and compliance
Advantages:
- Based on widely supported RADIUS and Extensible Authentication Protocol standards
- High performance/high availability features for enterprise and service provider deployments
- Supports a wide variety of authentication methods including password, token cards and digital certificates
- Highly customizable, supports ODBC compliant databases and LDAP compliant directories
- Included with HP-UX 11i
Diagram: User … -> 1. Access Points, 2. VPN Switches, 3. Firewalls (hp procurve 10/100T switch 408 J4097B) -> HP-UX AAA -> Database; Webserver
OATH: Higher level HMAC-based One-Time Password Algorithm (HOTP)
Generate OTP (token side):
- Inputs: Shared Secret (20 bytes), Sequence Counter (8 bytes)
- Run HMAC Algorithm and Truncate: HMAC-SHA1, then Truncate
- Output: OTP (6 or 8 Digits)
Validate OTP (server side):
- Password + OTP is sent to the Authenticator, which forwards Password + OTP to the AAA Server
- AAA Server holds the Shared Secret and Sequence Counter, validates the OTP and advances the Sequence Counter by +1
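The HOTP generation and validation shown on this slide, together with the help-desk resynchronization from the provisioning life cycle slide and the "OTP appended to password field" handling from the authentication sequence slide, as an added Python example (not Visolve or HP-UX AAA code). It follows RFC 4226 and uses that RFC's reference secret; the OtpServer class, its look-ahead window of 5, the resync window of 100, the split of the RADIUS password field on the trailing six digits, and the user names are assumptions for this example.

```python
"""HOTP (RFC 4226) generation and server-side validation.

Added example, not Visolve/HP code. A 20-byte shared secret and an 8-byte
counter go through HMAC-SHA1, the result is truncated to 6 or 8 digits, and
the server advances its stored counter after a successful check (single use).
"""
import hashlib
import hmac
import struct

# RFC 4226 reference secret: ASCII "12345678901234567890" (20 bytes).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA1(secret, counter) followed by dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Minimal model of the AAA server's token store (assumed structure)."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead   # assumed window: tolerates skipped presses
        self.users = {}                # user -> [secret, next_counter, locked]

    def provision(self, user: str, secret: bytes, counter: int = 0) -> None:
        """New User step: key assigned to the user entry with sequence number 0."""
        self.users[user] = [secret, counter, False]

    def deactivate(self, user: str) -> None:
        """Deactivate User step: entry locked, token may be reassigned later."""
        self.users[user][2] = True

    def validate(self, user: str, otp: str) -> bool:
        """Accept the OTP if it matches one of the next look_ahead counters."""
        rec = self.users.get(user)
        if rec is None or rec[2]:
            return False
        secret, counter, _ = rec
        for i in range(self.look_ahead):
            cand = counter + i
            if hmac.compare_digest(hotp(secret, cand), otp):
                rec[1] = cand + 1      # move past the accepted value: replay fails
                return True
        return False

    def resync(self, user: str, otp1: str, otp2: str, window: int = 100) -> bool:
        """Help Desk step: two consecutive OTPs locate the token's counter."""
        rec = self.users.get(user)
        if rec is None or rec[2]:
            return False
        secret, counter, _ = rec
        for c in range(counter, counter + window):
            if hotp(secret, c) == otp1 and hotp(secret, c + 1) == otp2:
                rec[1] = c + 2
                return True
        return False


def split_password_field(field: str, digits: int = 6):
    """Split 'static password + OTP' submitted in one RADIUS password field."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def two_factor_check(server: OtpServer, static_pw_db: dict, user: str, field: str) -> bool:
    """Password verified locally, OTP validated by the OTP server.

    Both checks always run so the OTP counter is consumed even when the static
    password is wrong; a submitted OTP is never left valid for a second try.
    """
    parts = split_password_field(field)
    if parts is None:
        return False
    static_pw, otp = parts
    pw_ok = hmac.compare_digest(static_pw_db.get(user, ""), static_pw)
    otp_ok = server.validate(user, otp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    srv = OtpServer()
    srv.provision("alice", RFC4226_SECRET)          # constructed sample user
    pw_db = {"alice": "s3cret"}                     # constructed static passwords
    print(hotp(RFC4226_SECRET, 0))                  # RFC 4226 vector: 755224
    print(two_factor_check(srv, pw_db, "alice", "s3cret755224"))   # True
    print(two_factor_check(srv, pw_db, "alice", "s3cret755224"))   # False (replay)
```

Running the module prints the RFC 4226 test vector for counter 0 and then shows the same combined password field accepted once and rejected on replay, because the server's stored counter has moved past it.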
Visolve – Fortune 100 Clients
SMB's:
- DTS - Largest ISP in Madagascar
- Several K-12 School Districts
- ISPs in US and Canada
- City of St. Paul, MN
- Blueprint Data, FL
- Fanshawe College, London
- Genesis Technology, Taiwan
- Axseed – Japan
THANK YOU