White Paper. The Principles of Tokenless Two-Factor Authentication

Transcription

1 White Paper The Principles of Tokenless Two-Factor Authentication

2 Table of contents Instroduction... 2 What is two-factor authentification?... 2 Access by hardware token... 3 Advantages and disadvantages of tokens... 3 Authentication using smartcards... 4 Digital certificates are a thing of the past... 4 Tokenless two-factor authentication: BYOD becomes BYOT... 4 Flexibility is key... 5 An overview of the advantages of tokenless 2FA... 7 Summary

3 Introduction The subject of IT security plays an ever more important role in these times of virtual warfare, increasingly complex malware threats and online spyware attacks. This is of particular concern to firms because trends, such as Bring Your Own Device (BYOD), are making corporate networks more open to attack. Attacks are no longer limited to the company's premises and have spread to home offices, hotels and airports locations where, for example, sales representatives spend time and from where they would like to access corporate information. Various methods have been developed to ensure that it is, in fact, employee XYZ who is logging in and not a cyber-gangster misusing login information for his own purposes. The main method is the password, which, together with the user name, enables the user to log in. However, studies have shown that passwords are often chosen with little thought, making them easy to hack and resulting in the account being hijacked in no time at all. More security is provided by what are known as two-factor authentication solutions. This white paper explains the details of how they work, the versions available and the advantages they bring to companies. What is two-factor authentication? The development of IT security measures - especially for authentication processes - has seen security specialists move towards combining several mechanisms with each other. This category also includes two-factor authentication (abbreviated as 2FA). In this approach, at least two of three possible factors are required to clearly identify a user: something known only to the user (e.g. PIN); a tangible item that the user alone possesses (e.g. a token in the form of a USB stick) and/or something that is inseparable from and unique to the user, such as a finger print. A common example of authentication using the two-factor method is obtaining money from a cash machine: to complete the transaction successfully, the customer needs his own bank card as well as his PIN. Access to the account is refused if either of these two components is missing or if the PIN is not entered correctly. 2

4 This double protection reduces the risk of criminals immediately being able to misuse stolen access data to hijack someone else's account. In many 2FA solutions, something in the user's possession is combined with a sequence of numbers for one-time use, i.e. a one-time passcode (OTP). This OTP is either generated by an item in the user's possession, such as a security token, or a reliable server generates the OTP and sends it as a second factor to the device/token. An example of one such transfer method is a text message sent to the user's mobile phone. As a new number is generated each time, OTPs are far less likely to be hijacked than static or simple passwords, which can also be hijacked by means of phishing, keylogging or replay attacks. Access by hardware token The conventional method used in a 2FA solution is a hardware token. A token can, for example, be a USB stick or a key fob. A display often shows the combination of numbers to be entered by the user in order to log in. The OTP generated by the token is then used together with personal login details to clearly identify the user. Advantages and disadvantages of tokens This type of token can be used at any time and anywhere for user authentication. Furthermore, the user is not reliant on any additional hardware or the need to install programs. The disadvantages of this method, however, mainly concern token handling, security and costs. For example, it is necessary to allocate a token to a specific user. This causes the IT department a lot of allocation work to deploy: the more employees who receive a token, the more individual configurations are required. Additional costs are incurred due to the limited life of the devices (about three to four years) and through loss or theft. If employees are based all over the world, costs are also incurred in sending the devices to them. There is also the aspect that the user is reliant on the token because he has to take it with him at all times to authenticate himself. If the token is lost or forgotten, access is not possible. Over time, the employee could find it a nuisance to always have to take the token with him "just in case". A security issue exists and is highlighted as the user doesn t always carry a 3

5 token with them, so when its not with the user, where is it? This vulnerability is a major security issue and emphasized as users may have multiple tokens to carry. Authentication using smartcards Another method is smartcards, which also support personal access processes in the same way as hardware tokens. The advantages of smartcards is the multiple use of the card for building access and for storing multiple certificates in one place. The downside is the deployment of the smartcards and also the delivery and security of the certificates that live on them. Equally a certificate has a time to live and this is the biggest issue with certificate management where administrators need to replace or revoke a certificate. In addition to the deployment of the smartcard so ancillaries are needed in addition as the user's terminal needs to have a smartcard reader, which is often not integrated. This means appropriate hardware or software has to be installed. This usually results in an increased need for employee support as they have to learn how to use the smartcards and the associated hardware and software. Another disadvantage is that smartcards cannot be used with mobile terminals, as a special reading device is not integrated and cannot be installed or connected due to the slim design of mobile terminals in general. Digital certificates are a thing of the past The use of digital certificates is now largely obsolete, as they are not suitable for flexible, location-independent logins and are linked to a single computer. This results in a further disadvantage because anyone using that computer can log in, as the certificate is not assigned to a specific person. If the PC is reformatted or if the hard disk is destroyed, access by means of certificate is irrevocably blocked anyway. Tokenless two-factor authentication: BYOD becomes BYOT A more flexible approach is offered by tokenless two-factor authentication methods. These are not based on separate hardware solutions, but instead use devices already in the user's possession. This may, for example, be a mobile phone, a smartphone or a tablet PC irrespective of whether it is provided by the firm or is used as a personal device. These tokenless 2FA solutions provide all the security functions of hardware tokens but there is no need for additional hardware. This means that BYOD immediately becomes BYOT: Bring Your Own Token. 4

6 Users have so far been able to authenticate themselves without tokens in two different ways: software installed on the device either generates new passcodes on request or the user receives access data in real time by text message. The pitfall with the software solution is the existence of many different types of mobile phone and the associated wide variety of operating systems. In this case, it is not just procurement that is cost-intensive, the IT department would also have to be trained in all three types of software. An alternative is to send the passcode by text, as text messages do not constitute an invasion of personal property. The downside to this solution is, however, the need for real-time mobile network connections. Flexibility is key For greater independence, 2FA solutions, such as SecurAccess, provide flexible passcode transmission options: Pre-loaded text message: whenever an OTP is used, this causes a new OTP to be sent so that the latest passcode is always available. Real-time text message Text message with three codes: a single text contains three OTPs; codes that have been used are dynamically replaced in the same text message. Periodically sent text message: The OTPs are sent at a set time after a certain number of days. The current code can be used several times. Soft-token app for smartphones: available for devices with ios, Android, Windows (7) or Blackberry operating systems. The user scans a seed record using a QR code and then receives an OTP that changes every 30 seconds. Soft token for laptops (Microsoft/Mac): Clicking on the software generates an OTP that changes every 30 seconds. Voice call: First the user enters a PIN or passcode and a six-digit passcode is then displayed. A call is automatically initiated at the same time. The user takes the call and enters the passcode using the telephone keypad. Pre-loaded This operates in the same way as the pre-loaded text messages. The same applies to the following three methods: real-time ; with three codes and periodically sent . 5

7 This enables the user to be particularly flexible in order to be able to adapt to the given circumstances. For example, in the case of a road warrior who continually has to log on remotely to see company information, the periodically sent text message or would make sense because the representative would then have reusable codes at his disposal. Staff who rarely log in remotely or who do not have a mobile phone can use the voice call method. Users who know in advance that they will have only a poor or no network connection in a certain region can fall back on the three-code method in order to have a ready supply of OTPs. A unique point for SecurEnvoy is the ability to go between devices with only one having a live capability. Life Cycle Management is a term SecurEnvoy now use to describe the creation, movement and management of seed records of devices. Traditionally seeds are created and installed onto a device, however if you use multiple devices and/or change the type of authentication you wish to use these seeds are not easily disposed of and very difficult re-enable! They are also quite expensive and cannot be reused on another device. Understanding how users manage and use their devices has allowed SecurEnvoy to build a solution that allows the user to move between devices and methods of authentication without leaving a footprint behind. Traditional seed records are created by the vendor where a copy is normally kept, the recipient then installs this onto a device and uses the device as a virtual token. However if the users chooses to use another method of authentication so the seed must either be deleted or left running. The issue with this, now we live with multiple devices, is leaving multiple devices with live capabilities when they are in our possession and when they are not. With this older method of seed management it leaves a lot to go wrong and isn t as secure as it should be. SecurEnvoy allow the user to have as many devices as they choose to have the technology available to them, at no extra cost, but allow only one of these devices to be the authenticator at one time and thus alleviating any potential compromise of a user s identity. This seed and identity management is key in securing the user and ensuring the company has business grade technology that is 100 % reliable. Equally it s important that these sedds are not kept by the vendor, so uniquely, SecurEnvoy don t provide the seeds themselves and nor do they have access to them, instead 6

8 the customer installs the on-premise software and create their own seeds and manage these themselves. This method is the same for our cloud providers who alos benefit from this methodology as they also don t keep or manage the seeds, only the client does. From a security perspective this is key critical to the longer term trust of a solution. Finally security is most powerful when the seed cannot be compromised, it is for this reason SecurEnvoy uniquely create split keys. One part is a finger print of the device and resides on the device and the other part sitting securely back in the enterprise. If either side were compromised the seed is not available for compromise and is unique to the device. This same method works for our customers because each seed is created on the fly to allow the user to move between devices. Should one device be compromised only one part is taken, the other part can be deleted from the server and alleviates any possible compromise. An overview of the advantages of tokenless 2FA Cost savings: there is no need for additional hardware tokens, which have to be purchased, configured, maintained and regularly replaced if lost or stolen. It works with all the latest mobile phones, smartphones, laptops, tablets, Microsoft PCs and Apple Macs. Flexible code transmission options, for example by text, , soft token or voice call The user has the choice and is in control, taking a lot of the strain off the IT department, as it only needs to define the general conditions, such as the specific time for periodic passcode updates and such like. There is no need for personalised configuration, unlike the case with tokens, so this also reduces the workload. Summary With the help of 2FA, companies can ensure that their staff can clearly identify and authenticate themselves, as only the correct combination of user data and OTP allows them to log in. The tokenless method also has further advantages, for example cost savings, as there is no need to invest in separate tokens. The staff do not have to carry an additional device around with them either, instead they simply use their existing mobile terminal. The authentication method is particularly secure 7

9 because one component is known only to the user and the other is sent to a device that is only in the user's possession. Even if the employee loses his smartphone or login details or if they are stolen these factors, on their own, are of no use to a thief. A range of transmission options also provides flexibility and can be adapted to different working conditions. 8