Flexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0

Transcription

1 Flexible Identity Multi-Factor Authentication Tokenless authenticators guide version 1.0

2 Publication History Date Description Revision initial release 1.0 Copyright Orange Business Services 2 of 26

3 welcome Your company has chosen Orange Business Services Flexible Identity Multi-Factor Authentication service (aka FI-MFA) to help you protect your on-line identity and the networks, applications and data you use from unauthorized access. The information in this guide applies to the following tokenless authenticators: GrIDsure SMS Password The information in this guide is intended for: end-users: people in your company that will use the FI-MFA service. operators: people in your company that will manage your FI-MFA end-users. administrators: people in your company that will manage the FI-MFA service. You can click one of the following icons for direct access to your tokenless authenticator: GrIDsure SMS Password Copyright Orange Business Services 3 of 26

4 contents GrIDsure overview... 7 what is a GrIDsure token?... 7 why use a GrIDsure token?... 7 how does a GrIDsure token protect me?... 7 what additional security features does my GrIDsure token offer?... 7 what is the difference between PIP characters and an OTP?... 8 how does a GrIDsure token work?... 8 what are the characteristics of my GrIDsure token?... 9 what is self-enrollment?... 9 how do I self-enroll my GrIDsure token?... 9 how long will my GrIDsure token continue to operate?... 9 what if I have not received the self-enrollment notification?... 9 what is the Self-Service Portal?... 9 why I can t logon using my GrIDsure token?... 9 I entered an incorrect OTP... 9 my user account is locked my GrIDsure token has been suspended or revoked what are my responsibilities? how should I protect my PIN/PIP? how can I change my PIN/PIP? what if I forget my PIN/PIP? GrIDsure introduction enrolling GrIDsure token authenticating with a GrIDsure token Self-Service Portal for GrIDsure accessing the Self-Service Portal Web site resetting a GrIDsure token PIN resetting a GrIDsure token PIP Copyright Orange Business Services 4 of 26

5 sending temporary sign-in password by /sms SMS overview what is a SMS token? why use a SMS token? how does a SMS token protect me? what additional security features does my SMS token offer? what is the difference between a token code and an OTP? what are the characteristics of my SMS token? operation modes how long will my OTP token continue to operate? what is the Self-Service Portal? why I can t logon using my SMS token? I entered an incorrect OTP my user account is locked my SMS token has been suspended or revoked what are my responsibilities? where should I store my SMS token? what if I forget my SMS token? what if I lose my SMS token? how should I protect my PIN? how can I change my PIN? what if I forget my PIN? SMS Introduction authenticating with a SMS token Self-Service Portal for SMS accessing the Self-Service Portal resetting a SMS token PIN resending SMS sending temporary sign-in password by /sms Password overview Copyright Orange Business Services 5 of 26

6 what is a Password token? what are the characteristics of my Password token? what is self-enrollment? how do I self-enroll my Password token? how long will my Password token continue to operate? what if I have not received the self-enrollment notification? what is the Self-Service Portal? why I can t logon using my Password? I entered an incorrect Password my user account is locked my Password token has been suspended or revoked what are my responsibilities? how should I protect my Password? how can I change my Password? what if I forget my Password? Password introduction enrolling Password token authenticating with a Password Copyright Orange Business Services 6 of 26

7 GrIDsure overview If you are already comfortable with FI-MFA terminologies and GrIDsure authenticator, you can click here for direct access to instructions. what is a GrIDsure token? A GrIDsure token allows you to generate OTPs one-time passwords each time you log into your organization s resources, without any additional hardware or software applications. The advantage of GrIDsure token is mass deployment without hardware distribution. With our Secure Authentication service, GrIDsure Tokens can be issued, revoked and reissued without restriction or the need to recover something from the end-user. why use a GrIDsure token? Until now, you have probably logged into your organization s resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk. A GrIDsure token allows you to generated and use One-Time Passwords (aka OTPs) each time you log into your organization s resources. As the name implies, an OTP can be used only one time. Each time you log in, you use your GrIDsure token to generate a unique OTP. how does a GrIDsure token protect me? Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done. Using a GrIDsure token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity. what additional security features does my GrIDsure token offer? Depending on your organization s policies, your GrIDsure token may be protected against unauthorized use by a Security PIN (aka PIN) that is known only to you. Like a bank card, a thief not only needs access to your GrIDsure token, but must know your PIN as well. Do not share your PIN with others. FI-MFA GrIDsure tokens support server-side PIN (stored on the FI- MFA server). Copyright Orange Business Services 7 of 26

8 what is the difference between PIP characters and an OTP? The OTP value depends on the PIN protection of your GrIDsure token: no PIN-protection: PIP characters form the OTP. server-side PIN-protection: depending on your organization s policies, you need to enter your PIN either before or after the PIP characters code to form the OTP. how does a GrIDsure token work? During self-enrollment step (refer to the related chapter is this section for details), a grid of cells containing random characters is displayed to you. As shapes and patterns are remembered more simply than words and numbers, GrIDsure involves you to remember a sequence of cells in a pattern on the grid that is easily recognizable to you. You choose your Personal Identification Pattern (aka PIP) from the arrangement and sequence of the cells from the grid: When you are required to authenticate securely to a protected network resource, you select the characters that match your PIP from the unique characters shown to you by the grid: In this example, your PIP would be a value of: This is seen in the highlighted cells above. Therefore to authenticate, you would enter 5582 as your one-time password value. The next time you need to authenticate, the characters displayed by the grid will be different, but the PIP remains the same. You just need to enter the new characters in your PIP displayed by the grid. Copyright Orange Business Services 8 of 26

9 what are the characteristics of my GrIDsure token? The characteristics of your GrIDsure token are defined by your organization and applied when your GrIDsure token is initialized. Grid size: may be 5x5, 6x6 or 7x7. Trivial PIP: diagonal line, straight line, or the four corners of the grid (may be allowed or denied). what is self-enrollment? Self-enrollment is a simple process during which you activate your GrIDsure token. During the process, you may be required to enter or create a PIN. When you complete the self-enrollment process, you will be able to use your GrIDsure token to generate token codes for login. how do I self-enroll my GrIDsure token? The self-enrollment process begins when you receive your self-enrollment notification. The contains instructions and your enrollment URL. how long will my GrIDsure token continue to operate? Your GrIDsure token will be able to generate OTPs until it is revoked by your IT administrator. what if I have not received the self-enrollment notification? If you have not received a self-enrollment notification, please contact your IT administrator to arrange for a new to be sent to you. what is the Self-Service Portal? The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization s policies) and in the process, reduce the workload and your reliance on the help desk. The self-enrollment notification contains the URL to access your Self-Service Portal. why I can t logon using my GrIDsure token? They may be several causes of failed login. I entered an incorrect OTP This is the most common cause. To avoid this, ensure that: Caps lock mode is disabled on your keyboard. you enter right characters and keystrokes. Copyright Orange Business Services 9 of 26

10 your OTP is correctly formed (in accordance with the PIN protection type of your GrIDsure token). my user account is locked You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock. my GrIDsure token has been suspended or revoked Please contact your IT administrator. what are my responsibilities? Using your GrIDsure token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security. how should I protect my PIN/PIP? Protect them just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you at they need to know your PIN/PIP, and you should report any such incident to your IT administrator immediately. Never write down your PIN/PIP. how can I change my PIN/PIP? If you wish to change your PIN/PIP, or if you are concerned that it has been compromised, use the Reset PIN / Reset PIP function of your FI-MFA Self-Service Portal, or contact your IT administrator if these functions were not enabled by your organization s policies. what if I forget my PIN/PIP? If you forget your PIN/PIP, use the Send sign-in password by /sms function of your Self-Service Portal or contact your IT administrator if this function was not enabled by your organization s policies. Copyright Orange Business Services 10 of 26

11 GrIDsure introduction GrIDsure users can generate OTPs without any additional hardware or software applications, and use them to authenticate to FI-MFA-protected applications and resources. enrolling GrIDsure token Step 1: you have or will receive a Self-enrollment notification. Open it, click the selfenrollment Web site link (beginning with and then switch to your Web browser to start the self-enrollment process. Step 2: choose your PIP using the grid, enter the characters that match your PIP in the Enter Value case-sensitive field (depending on your organization s policies, you may need to memorize the displayed PIN), and then click the Next button. If successful, the following page is displayed: Copyright Orange Business Services 11 of 26

12 Step 3: memorize your User ID before closing your Web browser. Your GrIDsure token is now active and able to generate OTPs. authenticating with a GrIDsure token You have the ability to authenticate with your GrIDsure Token only against systems that support GrIDsure (such as your Self-Service Portal described below). Step 1: open the Self-enrollment notification you previously received, click the FI-MFA Self-Service Portal link (beginning with and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button. Step 2: enter your User ID and then click the OK button without entering any value in the OTP field to display the grid. Enter the characters that match your PIP in the OTP field (depending on your organization s policies, you may need to enter your PIN before the characters that match your PIP), and then click the OK button. Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one. Copyright Orange Business Services 12 of 26

13 Self-Service Portal for GrIDsure accessing the Self-Service Portal Web site Open the Self-enrollment notification you previously received, click the Self-Service Portal link (beginning with and then switch to your Web browser to display the homepage. resetting a GrIDsure token PIN Step 1: from the Self-Service Portal homepage, click the Reset PIN icon, the Sign in using your token button, and then authenticate against your Self-Service Portal. If successful, the Create New PIN page is displayed. Step 2: enter your new PIN, you are required to re-enter it for verification purposes, and then click the OK button. Step 3: if successful, the Your Security PIN has been successfully reset. message is displayed. Click the Sign Out before closing your browser. Copyright Orange Business Services 13 of 26

14 resetting a GrIDsure token PIP Step 1: from the Self-Service Portal homepage, click the Reset PIP icon, the Sign in using your token button, and then authenticate against your Self-Service Portal. If successful, the Select Pattern page is displayed. Step 2: choose your new PIP using the grid, enter the characters that match your PIP in the Enter cell values case-sensitive field, and click the OK button. Step 3: if successful, the Your PIP was successful. message is displayed. Click the Sign Out before closing your browser. sending temporary sign-in password by /sms This temporary sign-in password is only for authentication against the Self-Service Portal (useful to reset a forgotten PIN/PIP) and is valid during 10 minutes. Step 1: from the Self-Service Portal homepage, click the Sign In button, the Send Sign in password by (or Send Sign in password by SMS ), enter your User ID, and then click the Send button. Step 2: you have or will receive a Self-service Temporary Sign In Password notification (or SMS) including your temporary sign-in password. Step 3: from the Self-Service Portal homepage, click the Sign In button, the Sign in using your token button, and then authenticate using your temporary sign-in password as OTP. Copyright Orange Business Services 14 of 26

15 SMS overview If you are already comfortable with FI-MFA terminologies and SMS authenticator, you can click here for direct access to instructions. what is a SMS token? FI-MFA supports sending token codes to mobile phones via SMS messages. This allows the user to use their phone as a SMS token without requiring any additional software on the phone. why use a SMS token? Until now, you have probably logged into your organization s resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk. A SMS token allows you to generate and use One-Time Passwords (aka OTPs) each time you log into your organization s resources. As the name implies, an OTP can be used only one time. how does a SMS token protect me? Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done. Using a SMS token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity. what additional security features does my SMS token offer? Depending on your organization s policies, your SMS token may be protected against unauthorized use by a Security PIN (aka PIN) that is known only to you. Like a bank card, a thief not only needs access to your SMS token, but must know your PIN as well. Do not share your PIN with others. FI-MFA SMS tokens support server-side PIN (stored on the FI-MFA server). what is the difference between a token code and an OTP? The OTP value depends on the PIN protection of your SMS token: no PIN-protection: the token code forms the OTP. Copyright Orange Business Services 15 of 26

16 server-side PIN-protection: depending on your organization s policies, you need to enter your PIN either before or after the token code to form the OTP. Copyright Orange Business Services 16 of 26

17 what are the characteristics of my SMS token? The characteristics of your SMS token are defined by your organization and applied when your SMS token is initialized. operation modes SMS No Waiting: a user attempts to authenticate using their user name and SMS OTP. After successfully authenticating, the user then received their next token code. The advantage is that a user always has a valid token code (which cannot be used without their PIN) on their phone. This method most closely mimics a traditional logon. No Waiting Plus: this mode is very similar to SMS No Waiting, except that it will send up to 5 token codes in each SMS message. This is ideal for users that are frequently in areas with sporadic or unreliable SMS delivery because they are not dependent on the SMS service until all token codes have been consumed. The following diagram describes SMS No Waiting/No Waiting Plus modes: SMS challenge-response: a user attempts to authenticate using only their user name (blank password). FI-MFA server immediately sends the user a token code to be used. User then uses their OTP to authenticate. The following diagram describes SMS challenge-response modes Copyright Orange Business Services 17 of 26

18 how long will my OTP token continue to operate? FI-MFA SMS tokens will be able to generate OTPs until it is revoked by your IT administrator. what is the Self-Service Portal? The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization s policies) and in the process, reduce the workload and your reliance on the help desk. The self-enrollment notification contains the URL to access your Self-Service Portal. why I can t logon using my SMS token? They may be several causes of failed login. I entered an incorrect OTP This is the most common cause. To avoid this, ensure that: Caps lock mode is disabled on your keyboard. you enter right characters and keystrokes. your OTP is correctly formed (in accordance with the PIN protection type of your OTP token). my user account is locked You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock. my SMS token has been suspended or revoked Please contact your IT administrator. what are my responsibilities? Using your SMS token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security. where should I store my SMS token? You should keep your token separate from your computer. Do not leave it on your desk, or with your computer bag. Treat it as you would your wallet, purse, or credit cards, and keep it with you at all times. Copyright Orange Business Services 18 of 26

19 what if I forget my SMS token? Your OTP token is a primary security device designed to protect you and the resources you access. Keep it with your car keys or purse or other valuable items that you use on a regular basis to minimize the potential to forget it. If you do forget your OTP token, contact your IT administrator. what if I lose my SMS token? If you lose your token, report it immediately to your IT administrator: he will take the necessary actions to ensure the lost token does not present a security risk. Depending on your organization s policies, he will provide you with a temporary alternative for logging into the network until you receive a replacement token. how should I protect my PIN? If you have a PIN, protect it just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you at they need to know your PIN, and you should report any such incident to your IT administrator immediately. Never write down your PIN. how can I change my PIN? If you wish to change your PIN, or if you are concerned that it has been compromised, use the Reset PIN function of your Self-Service Portal, or contact your IT administrator if this function was not enabled by your organization s policies. what if I forget my PIN? If you forget your PIN, use the Send sign-in password by /sms function of your Self- Service Portal or contact your IT administrator if this function was not enabled by your organization s policies. Copyright Orange Business Services 19 of 26

20 SMS Introduction FI-MFA supports sending token codes to mobile phones via SMS messages. This allows the user to use their phone as a hardware token without requiring any additional software on the phone. authenticating with a SMS token You have the ability to authenticate with your SMS token against any systems that require a logon password. Enter your User ID and the SMS token code as password (depending on your organization s policies, you may need to enter your PIN either before or after the token code). Self-Service Portal for SMS accessing the Self-Service Portal Contact your IT administrator to know which URL to use (beginning with to connect to the Self-Service Portal. resetting a SMS token PIN Step 1: from the Self-Service Portal homepage, click the Reset PIN icon, the Sign in using your token button, and then authenticate against your Self-Service Portal. If successful, the Create New PIN page is displayed. Copyright Orange Business Services 20 of 26

21 Step 2: enter your new PIN (you are required to re-enter it for verification purposes), and then click the OK button. Step 3: if successful, the Your Security PIN has been successfully reset. message is displayed. Click the Sign Out button before closing your browser. resending SMS If published by your organization, this function allows you to request an SMS/OTP resend to your registered mobile device. sending temporary sign-in password by /sms This temporary sign-in password is only for authentication against the Self-Service Portal (useful to reset a forgotten PIN) and is valid during 10 minutes. Step 1: from the Self-Service Portal homepage, click the Sign In button, the Send Sign in password by (or Send Sign in password by SMS ), enter your User ID, and then click the Send button. Step 2: you have or will receive a Self-service Temporary Sign In Password notification (or SMS) including your temporary sign-in password. Step 3: from the Self-Service Portal homepage, click the Sign In button, the Sign in using your token button, and then authenticate using your temporary sign-in password as OTP. Copyright Orange Business Services 21 of 26

22 Password overview If you are already comfortable with FI-MFA terminologies and Password authenticator, you can click here for direct access to instructions. what is a Password token? A Password token allows you use Single-factor authentication (SFA) each time you log into your organization s resources. Single-factor authentication (SFA) is the traditional security process that requires a user name and password before granting access to the user. what are the characteristics of my Password token? The characteristics of your Password token are defined by your organization and applied when your Password token is initialized. Change frequency: from 0 (never) to 365 days. Maximum lifetime: up to 99 minutes, hours, days or weeks (this characteristic may be disabled for unlimited lifetime). what is self-enrollment? Self-enrollment is a simple process during which you activate your Password token. When you complete the self-enrollment process, you will be able to use your Password each time you log into your organization s resources. how do I self-enroll my Password token? The self-enrollment process begins when you receive your self-enrollment notification. The contains instructions and your enrollment URL. how long will my Password token continue to operate? Your Password token will continue to operate until it is revoked by your IT administrator. what if I have not received the self-enrollment notification? If you have not received a self-enrollment notification, please contact your IT administrator to arrange for a new to be sent to you. what is the Self-Service Portal? The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization s policies) and in the process, reduce the workload and your reliance on the help desk. Copyright Orange Business Services 22 of 26

23 The self-enrollment notification contains the URL to access your Self-Service Portal. Copyright Orange Business Services 23 of 26

24 why I can t logon using my Password? They may be several causes of failed login. I entered an incorrect Password This is the most common cause. To avoid this, ensure that: Caps lock mode is disabled on your keyboard. you enter right characters and keystrokes. my user account is locked You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock. my Password token has been suspended or revoked Please contact your IT administrator. what are my responsibilities? Using your GrIDsure token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security. how should I protect my Password? Protect them just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you at they need to know your Password, and you should report any such incident to your IT administrator immediately. Never write down your Password. how can I change my Password? If you wish to change your Password, or if you are concerned that it has been compromised, contact your IT administrator. Upon verifying your identity, he will give you a temporary Password. The next time you log in, you will be required to change it to one known only by you. what if I forget my Password? Use the same method as the change of Password. Copyright Orange Business Services 24 of 26

25 Password introduction Password users can use Single-factor authentication (SFA) to authenticate to FI-MFA-protected applications and resources. enrolling Password token Step 1: you have or will receive a FI-MFA self-enrollment notification. Open it, click the self-enrollment Web site link (beginning with and then switch to your Web browser to start the self-enrollment process. Step 2: enter your Password in both Enter Password and Confirm Password, and then click the Next button. If successful, the following page is displayed: Step 3: memorize your User ID before closing your Web browser. Your Password token is now active and allows you to use Single-factor authentication. Copyright Orange Business Services 25 of 26

26 authenticating with a Password You have the ability to authenticate with your Password against any systems that support SFA (such as your Self-Service Portal described below). Step 1: open the FI-MFA Self-enrollment notification you previously received, click the FI-MFA self-service portal Web site link (beginning with and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button. Step 2: enter your User ID, your Password in the OTP field and then click the OK button. Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one. Copyright Orange Business Services 26 of 26