Multi- factor Authentication Initiative

Transcription

1 Multi- factor Authentication Initiative "UCR s Multi- factor Authentication Initiative is an easy- to- use solution to our need to secure our campus community s credentials. The Duo Security system that we integrated with our campus single sign- on infrastructure is more flexible and easier to use than technologies we previously tested. Duo s broad range of options for entering an additional authentication factor ensure that the full spectrum of our user base will be able to take advantage of this enhanced security. I believe this is a best- in- breed implementation of multi- factor authentication. Campus Impact Bob Grant, Executive Director and CTO, UCR Computing and Communications UC Riverside s implementation of a multi- factor authentication (MFA) initiative has provided the campus with a huge leap forward in network security that is easy to adopt by members of the campus community, since it relies on devices (e.g. smartphones) they are already familiar with. Since it is integrated with the campus single- sign- on infrastructure (CAS), it is a smooth extension to the authentication processes they already use. Business Need UCR has made a strategic investment during the past decade in identity management and a single sign- on infrastructure that leverages Jasig s Central Authentication Services (CAS). All members of our campus community use their credentials (a UCR NetID and password) through CAS to access 1

2 web applications and databases. Many of these have increased security requirements because they incur financial obligations and access personally identifiable information (PII) in human resource or student records. This highly integrated authentication and authorization infrastructure is placed in the context of an almost daily onslaught of phishing messages, viruses and network probes that seek to steal the credentials of staff, faculty and students. Consequently there is a clear business need to mitigate the risk of a breach associated with the accidental or purposeful divulging of credentials in a manner that easily integrates into the well- established authentication and authorization channels currently being used by campus (CAS). UCR s implementation of a multi- factor authentication (MFA) initiative based on the Duo Security system and customized to integrate with CAS meets this need since it requires two authentication factors, a password followed by the use of a smartphone or token that can t be divulged in a phishing attack or via other means. Highlights Evaluation of Duo Security vs. in- house developed TOTP MFA solution. Development of reusable modules for integrating Duo Security based multi- factor authentication with a Central Authentication Services (CAS) single sign on system. Development of a user portal for self- management of devices used for authentication (e.g. phones. hardware tokens, and cell and land- line phone numbers). The Process: Technology and Implementation Evaluation The initial evaluation phase began with a process that involved identifying factors to rate potential multi- factor implementations. Ten different factors were identified: Evaluation Factor Integration with CAS Integration with Windows/AD Application specific passwords Highly available Monitorable Multi- channel capable Multiple classes of users Ability to opt- in/opt- out Campus VPN integration Integration with SSH Description Can the product integrate with the campus CAS implementation? Can the product integrate with Active Directory (Windows) based authentication? Can users set passwords for applications that cannot easily be made to use multi- factor authentication such as . Is the product highly available and redundant? Can the product be easily monitored for outages? Do users have the option to use several different types of devices for authentication? (smartphones, tokens, SMS) Can users be classified into groups such as administrators, financial system transactors, etc.? Is it possible to opt- in a subset of users to begin a pilot? Can the product integrate with the campus Cisco VPN? Can the product be used to require multi- factor when authenticating over SSH? 2

3 After some initial research five products were identified for initial evaluation using the evaluation factors: Duo Security, PhoneFactor, Toopher, Authy, and SecureAuth. Additionally an in- house developed solution based on time- based one- time passwords (TOTP) was added to the list. Evaluation Factor Duo PhoneFactor Toopher Authy SecureAuth TOTP Integration with CAS Integration with Windows/AD Application specific passwords Highly available Monitorable Multi- channel capable Multiple classes of users Ability to opt- in/opt- out Campus VPN integration Integration with SSH Based on the initial evaluation, two solutions, Duo Security and the TOTP solution were chosen for further evaluation. Selection Ultimately, the selection of Duo Security over the in- house developed TOTP solution hinged on the number of authentication channels available out of the box. While the TOTP solution could rely on a smartphone product like Google authenticator, or a token, Duo offered a rich set of smartphone applications that performed push authentication requests that made it easier to use. Implementation The implementation thus far of multi- factor authentication consisted of two parts, first writing the code to integrate Duo Security with CAS and second developing a portal utilizing Duo Security APIs for the users of MFA to enroll and manage smartphones and tokens. CAS Integration The Duo Security product comes with a number of integrations, but CAS is not one of them. Fortunately the CAS architecture allows extensions to add new authentication types. At a high level several things needed to be added or changed in CAS: The Spring web flow was altered to show a second authentication screen for Duo if the user was opted into MFA and the application being accessed allowed or required MFA. 3

4 Spring web flow action beans were added to connect to the Duo Security web services and perform the second authentication for a user (send a push notification to Duo Mobile, verify a passcode generated by a token, etc). The CAS security context was extended for an authenticated user so CAS could keep track of whether a CAS ticket granting ticket was generated using only a username/password (one factor) or username/password plus a Duo Security authentication (two factors). Added code to query the attributes in the CAS services registry to determine if a particular application requires MFA or not. UCR has placed the code to integrate with CAS in an open- source repository and has already had inquiries from two other universities regarding our implementation. Multi- factor Authentication Enrollment Portal Duo Security does not offer a customizable branded enrollment portal for users but does offer a rich set up APIs for building such a solution. UCR opted to build a customized portal utilizing these APIs to facilitate enrollment and subsequent profile management. This application, written using the Grails framework has several features: A step- by- step wizard to walk a user through enrolling in MFA for the first time. Once enrolled, the ability to add/remove smartphones and tablets that are running the Duo Security mobile app. Once enrolled, the ability to add/remove hardware tokens such as a Yubico YubiKey. Ability to request several single use passcodes in the event the enrolled smartphone/token is unavailable. Implementation Flexibility UCR s implementation allows applications to flexibly configure their MFA requirement based on a number of attributes. The most secure level to be utilized once MFA is rolled out extensively on campus is to require MFA of every user of the application. This would require a user to be setup for MFA before using the application the first time. Current applications enabled for MFA only require it for users who have enrolled in MFA production pilot. Other applications may choose to not require MFA at all. Our campus portals and about 20 other applications currently utilize MFA for all enrolled users. Testimonials I ll admit, when it was proposed that I pilot the new multi- factor authentication tool, I was worried that it was going to take longer to access campus applications and because I am a non- techy, using MFA would not be easy. I was pleasantly surprised to find out my experience was the exact opposite. The Duo Security application was easy to install on my iphone and it is extremely user friendly. As soon as I try to log on to any campus application or the R Space portal, a push notification is sent to my iphone. When I acknowledge the push notification, in no time at all, a screen appears on my phone asking me to verify my 4

5 authentication by simply touching Approve on my phone screen. It is an extremely fast and painless process. I have had absolutely no problems with MFA and am still able to access applications in a timely manner. I wish all pilots went this smoothly. " Shelley Gupta, CFAO, Computing and Communications "UC Riverside s implementation of MFA has already become a integral part of the defense in depth strategy for campus users and resources. Our security teams spend considerable time dealing with compromised credentials and MFA is a new defense layer to combat these issues. The MFA implementation provides the critical enhancement of security for users without sacrificing usability and functionality of campus services. It has truly been a commendable implementation Nick Turley, Manager of IT Security, Computing and Communications Timeline May 2013 June 2013 August 2013 September 2013 October 2013 March 2014 Project Initiation Evaluation and selection of solution Integration with CAS completed Enrollment portal completed Production Pilot begun with Computing and Communications staff MFA deployment planning and phased deployment to campus Team Members Computing & Communications Michael Kennedy, Enterprise Architect Stephen Hock, Manager of Identity Management, Infrastructure and Security Jonathan Ocab, Systems Analyst, Infrastructure and Security Andrew Tristan, Associate Director, Infrastructure and Security Russ Harvey, Director, Infrastructure and Security Submitted By Michael Kennedy Enterprise Architect Computing & Communications [email protected] (951)