WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

Transcription

1 WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

2 Executive Overview The explosion of devices laptops, desktops and now the plethora of mobile devices has left enterprises scrambling to conduct access control to their resources. The current tools are not sufficient for BYOD environments because they do not address the new devices or the new resources for mobile or desktop users. Technology has advanced too far to rely on simple username and password combinations for individual access. They are too easily compromised or forgotten, and create frequent points of vulnerability. Though users may be comfortable with shielding their Facebook profiles behind single factor authentication, enterprise information must be more strongly secured with additional factors, despite the inconvenience that it may introduce. Resolving the conundrum of adding layers of authentication without compromising ease-of-use has proven to be an elusive task for enterprises, until now. SecureAuth s Device Fingerprinting features the flexibility, the security, and the convenience required to increase layers of authentication without creating high friction for users. In many instances, SecureAuth s Device Fingerprinting actually improves user experience. This paper will examine SecureAuth s Device Fingerprinting. It will explain what it is, how it works, and the numerous benefits that it spawns. In conclusion, SecureAuth IdP will be elucidated, acknowledging its complete security package designed specifically for mobile and BYOD work environments. Table of Contents Introduction: What is Device Fingerprinting?.3 How Does it Work?.3 Features of Device Fingerprinting 6 Weighing the Fingerprinting Metrics (Device Heuristics)..8 Device Acceptance Range 9 Management of Range..10 Secure Mobile App for Android and ios...12 Integrated into SecureAuth IdP for All Resources.12 Conclusion.13 WHITEPAPER 2

3 Introduction: What is Device Fingerprinting? Device Fingerprinting is a revolutionary system developed by SecureAuth that enables secure and convenient access to all resources, from any device mobile or desktop. It was created to address continuous security concerns from enterprises whose mobile business bourgeons. With the release of SecureAuth IdP version 7.0 in April, 2013, SecureAuth enabled this new, heuristics approach to identify, authenticate, and assert access. By supporting variations of HTTP headers, IP addresses, browser fonts, browser plugins, user data storage, and the device s time zone, users unique identities can be determined from the distinct desktop and mobile devices used. Each mobile device smartphone, laptop, tablet on various platforms has unique characteristics from which an intelligent system (like the webserver embedded in SecureAuth) can extract information. SecureAuth has exploited that feature and manipulated it to be used for device registration and subsequent device validation. How Does It Work? An Identity Provider (IdP) by design extricates information from data stores to be used for authentication and assertion. SecureAuth is an IdP that also features a built-in, enhanced webserver capable of extracting and validating mobile and desktop device information. Device Fingerprinting enables SecureAuth IdP to pull specific characteristics from a device, store the unique characteristics in the enterprise s directory, and then use those characteristics for validation of the users and devices for subsequent access requests. WHITEPAPER 3

4 Image #1: SecureAuth IdP has integrated 2-Factor user-to-device registration workflow built into the product. The first-time process (Registration): User attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication (1) SecureAuth conducts a configurable (2) SecureAuth authentication (1- factor, 2-Factor, 3-Factor, etc.) Upon successful authentication, SecureAuth sends server-based commands to the client to (3) PULL the unique characteristics from the (4) device (header, fonts, plug-ins, screen size, HTML5 storage facilities, IP address, cookie storage, etc.) SecureAuth creates a numeric representation (5) of the values and then stores it to a local enterprise directory (6) that can be accessed by admins and referenced by the authenticated user ID User is redirected with appropriate SSO from SecureAuth IdP to the original target resource WHITEPAPER 4

5 Image #2: Once the device is registered to the device, subsequent authentications are lowfriction for the user. For subsequent authentications (Validation): User attempts to access an application from a desktop or mobile device and is redirected to SecureAuth IdP for authentication (1) User supplies enterprise credentials, and SecureAuth IdP conducts a device fingerprint of the user s device and checks it with the user ID against the enterprise data store (2) If a match is found, SecureAuth IdP counts it as a successful second factor (no SMS, Telephony, OOB authentication is required) and returns an SSO token to the user for access to the network, cloud, web, or mobile resource (3) Device Fingerprinting enables companies to keep a record of the devices employed by each user, which eliminates the need to impose a HIGH- FRICTION authentication on subsequent authentications. WHITEPAPER 5

6 Features of Device Fingerprinting Though some of the values of Device Fingerprinting have already been indicated, there are several benefits that come with it. Low-friction authentication is one of the most significant features of SecureAuth s Device Fingerprinting. As illustrated in the processes above, users whose devices have already been registered with the Server are not burdened with multiple authentications for each subsequent session. This dramatically simplifies the login and access process for users who employ the same resources, especially portals, with frequency. SecureAuth IdP already specializes in providing a flexible and convenient workflow for users; this addition only strengthens it. By allowing the directory to store the collection of devices, users can be allowed subsequent authentication without further friction. If a user attempts access from a different device, SecureAuth can be configured to either deny access or to usher the user through another enrollment so that the user can register the new device. Should an enterprise choose the latter, a user would work through another enrollment and a fingerprint of the additional device will then be stored for subsequent access requests. The user s data store profile will house two (or more) fingerprints that can be used for future validation. Device Fingerprinting permits a simplified, one-time registration workflow from all devices, whether mobile or traditional computers. Shared Machines are no longer problematic with SecureAuth IdP. Device Fingerprinting enables multiple users to work on the same device while maintaining effective security. When the device authentication is registered with the enterprise, it is linked to one specific user s profile. That user is then able to work on the device without re-authenticating because the Server recognizes that that user has already validated it. When new users attempt to access enterprise resources from the same device, SecureAuth IdP, through its ability to pull user-based identifiers from the device and matching them against information housed in the user s back end data store, recognizes that the device has not been registered to this new user. WHITEPAPER 6

7 As a result, the new user will be redirected to the IdP for authentication before access is granted. From there, the Fingerprint Server will store this device under the new user s profile without eliminating or altering the previous user s registration. Users can work on multiple devices and multiple users can work on a single device all without high-impact authentication processes. Identity Access Management (IAM) with SecureAuth IdP is completely configurable and flexible because it is designed to utilize the enterprise native store and use existing username spaces. As detailed, SecureAuth registers the device to the user via a storable value. Multiple devices can be registered to a single user Each access from each device is logged per device Users can be issued a time for valid registration, which forces them to re-register after a realm-based duration period Devices can be uniquely identified/revoked per users All devices can be revoked per user, at one time The ability to revoke all devices per user at one time is especially relevant. Administrators can access all of the information that is collected and stored by the Fingerprint Server at anytime. In a very simple, admin-friendly tool, any modifications can be effortlessly made including 1-Touch Revocation, which maintains security even if the device is compromised or the user has left the company. Because each device is linked to the users that employ them, admins can quickly and easily search the directory to find the device that requires forced revocation. Once the user has been pinpointed, admins are able to revoke all or individual devices by simply unchecking them from the acceptable devices list. SecureAuth IdP also enables user self-management, including profile registration and modification, password reset, and self or device revocation. Users are able to revoke access on their own devices at any time, without requiring the admin s assistance. This is all accomplished without necessitating any thick clients on the device. WHITEPAPER 7

8 Weighing the Fingerprinting Metrics (Device Heuristics) To facilitate strong authentication without compromising ease-of-use, SecureAuth Device Fingerprinting offers a heuristic-based approach for identifying devices. As described above, the solution offers a built-in, 2-Factor workflow to enable the first time device registration. With SecureAuth s Device Fingerprinting deployed, enterprises can set scoring values to heuristic components that will weigh device characteristics in accordance to enterprise priorities. In this way, an enterprise can match their user base and how/which devices are used in accordance to the resources. With this heuristic component, an enterprise can customize the fingerprinting to their deployment environment. Image #3: SecureAuth allows the admin, per protected resource, to select which device identity characteristics the admin wishes to weigh. WHITEPAPER 8

9 SecureAuth scores specific mechanisms that are used to determine whether a user has surpassed the threshold set by the enterprise. These mechanisms include: HTTP header information: o User-Agent o Accept o Accept CharSet o Accept Encoding o Accept Language Browser Plug-in List Browser Flash Fonts Device Host Address/IP Screen Resolution HTML5 Local Storage HTML5 Session Storage IE User Data Support Browser Cookie Enable/Disable Setting Time Zone Each of these features come with a default setting and can be adjusted accordingly to meet unique conditions that the enterprise might have for a particular resource. It is important to note that SecureAuth IdP is a multitenanted solution, so admins can adjust these settings per each resource with distinct values. Device Acceptance Range SecureAuth enables a Device Acceptance Range to give enterprises full control of device validation. This Device Acceptance Range can be configured for different levels of acceptance. The admin console can control this range, which affects key concepts concerning the device: When the device fingerprint is accepted, as is o The device looks mostly similar to the stored fingerprint When the device fingerprint should be updated o The device has undergone some minor updates/upgrades and the device fingerprint should be updated When the device is new altogether o It is a new device, therefore a new registration is required WHITEPAPER 9

10 For the device registration, SecureAuth IdP generates a numeric fingerprint of the device. This numeric fingerprint is stored in the enterprise data container and is associated with a user. For subsequent authentications, SecureAuth IdP reexamines the device with the same algorithm and creates a new numeric fingerprint. The matching percentage of the subsequent authentication is a number between 0 and 100, and we call it the DCS, Device Certainty Score. Management of Range SecureAuth has given the admin two adjustable scores to modify the Device Validation Range. These scores are the match score and the update score. The match score is a configurable setting that communicates to the system the lowest level of the DCS that can be accepted before a new fingerprint is computed. The update score is the lowest level of the DCS that can be accepted before SecureAuth IdP triggers a user to re-register. This too is configurable. By having this adjustable range between a match score and an update score, devices can be updated and evolve without requiring the user to reauthenticate. WHITEPAPER 10

11 Image #4: SecureAuth allows the enterprise to set a Device Acceptance Range to adjust the rigidity of the fingerprinting and validation process, namely a (1) match score and an (2) update score. This enables devices to evolve without the user having to re-register. If the computed DCS is greater or equal to the match score, then the device is considered pre-registered and no second factor will be conducted by the SecureAuth authentication workflow. If the DCS is BELOW the match score but ABOVE the update score, then the device is considered to likely be pre-registered but might have a few characteristics changed. SecureAuth IdP will conduct a secure second factor and then UPDATE the fingerprint for the user in the enterprise directory. Lastly, if the DCS is BELOW the update score, SecureAuth conducts a secure second factor, and then creates a digital fingerprint for this new device and stores it in the enterprise namespace for this user. This device is considered new and is now ALSO registered to the user. For example, a user may elect to register his Windows 7 desktop the first time. Before he returns, the system goes through a major upgrade, including browser plug-ins and system modifications. For his next usage, SecureAuth would recognize that the device is the same, but the fingerprinting would WHITEPAPER 11

12 reflect the variation. To be secure, the user would re-authenticate, but the record would show only one device enrolled to the user. Just as administrators can set preferences for all individual users with SecureAuth IdP, adjustments can also be made per authentication realm that establishes the distinct heuristic requirements for individual applications. Secure Mobile App for Android and ios For enterprises that require higher than normal security for mobile device access, SecureAuth has created device-specific mobile applications for Android and ios devices, in addition to browser-based fingerprinting. These apps can be deployed by the enterprise to augment the process of device verification. The application is designed to execute native commands on ios and Android clients for the purpose of extracting device specific information. Both platforms query the device and extract the friendly name. Android s would be Android Nexus 7.4.2, for example. The mobile applications also work further and pull device-specific information. For Android, the app is able to extract the serial number from the mobile unit; and for ios, it pulls the UDID for versions 5.0 and earlier, and the Advertiser ID for later models. Integrated into SecureAuth IdP for All Resources Device Fingerprinting is one part of an entire solution that SecureAuth has been developed to specifically target the needs of an enterprise. The SecureAuth IdP fingerprinting solution can be used for ALL enterprise resources, including: Enterprise Web Applications (SharePoint,.NET, J2EE, WebLogic) Network Resources (Juniper, F5, Citrix) Cloud Resources (Google, Microsoft, Salesforce, Taleo) Mobile Applications (Android, ios, Windows) SecureAuth IdP offers 2-Factor Authentication (2FA) and Single Sign On (SSO) to all enterprise resources, including native mobile applications without any hardware, installation, or coding required. 2FA and SSO are transparent as well as user-friendly. Admins can configure the authentication settings to require 2FA every session, every week, every WHITEPAPER 12

13 month, or whatever time period they choose. Different 2FA workflows can be configured for specific sets of users, specific applications, and specific devices. SSO can also be extended to enterprise network, web, cloud, and mobile resources specifically for users, applications, and devices. SecureAuth s frictionless success is rooted in its ability to conduct authentication, device registration, and identity assertion in a transparent way, thereby allowing administrators to deploy a solution that requires marginal management and no user support. With SecureAuth IdP, users will not be calling the helpdesk due to confusing or complicated authentication. Conclusion SecureAuth is continually perfecting its solution to ensure security and to improve the end-user experience. With the innovative supplement of Device Fingerprinting to the already powerful access platform, SecureAuth IdP is steadily eliminating the need for any other products addressing enterprise application access. Enterprises can now embrace BYOD and mobile business because with SecureAuth, they have the necessary security to manage the devices and the access in the safe way that their policies dictate, all the while not complicating authentication for its user base. SecureAuth s ability to configure different workflows for different users and different applications ensures that the various use cases that surface in BYOD deployments and mobile application access will be met with sound security and ease-of-use. WHITEPAPER 13

14 InNet innetworktech.com