Two-factor Authentication EXECUTIVE HANDBOOK
Prove Identity With Fingerprint? PIN? Passcode?
www.secsign.com
INDEX

1 Data Security Breaches Overview 2014-15 - Page 3
2 How Your Company Could Be Next - Page 4
3 Understanding Two-factor Authentication - Page 5
4 Balancing Security and Ease of Use - Page 7
5 Eliminating Passwords for Security and Simplicity - Page 9
6 Comparing Two-factor Authentication Methods - Page 10
7 Assessing Your Risks - Page 18
8 Implementation and Integration Options - Page 19
9 Getting Expert Advice and Implementation Support - Page 21
1 DATA SECURITY BREACHES OVERVIEW 2014-15

Recent high-profile cybersecurity attacks have reinforced the need for better data security, particularly for businesses that need to protect their customers, reputation, and even their sales revenue and company valuation from the potentially catastrophic effects of a security breach.

Perhaps the most widely covered and analyzed security breach in recent months is the case involving Target Corporation, in which approximately 40 million customer payment card accounts were compromised during a span of just three weeks. The company's CEO and CIO were both dismissed in the aftermath, and the company has estimated the costs of the breach to be nearly $150 million in the second quarter of 2014 alone.

In the Target incident, an email malware attack was used to steal the network login credentials that Target had issued to an HVAC vendor. By stealing those credentials and using them to gain access to the Target network, attackers were able to deploy point-of-sale malware that scraped computer memory to steal consumer payment card data from thousands of check-out registers. A variation of this same malware strain was later used in a successful attack that compromised 56 million consumer payment cards at Home Depot.

Nearly 100 Million Payment Cards and 1.2 Billion Credentials Breached in Just Three Cases.

But the largest single attack in recent history is the infamous Russian hacking case. In this case, attackers targeted the websites of businesses and organizations of all types and sizes, making no distinctions between them. First they obtained data from botnets of virus-infected computers to identify SQL vulnerabilities on websites that victims visited. Then they used these vulnerabilities to hack into the sites' databases and steal massive amounts of confidential user data. The end result was over 420,000 websites being compromised and over 1.2 billion user credentials being stolen.
With threats like these and countless other schemes involving hacking, phishing, and malware, businesses face a daily threat of attacks, and if your company has a website, servers, user accounts, and confidential data to protect, then you may be the next target.
2 HOW YOUR COMPANY COULD BE NEXT

If your company is like most enterprises, then you are still relying on login security that uses traditional ID and password combinations as the sole basis for authentication. If this is the case, then your company is far behind the leaders in cybersecurity, and it is openly inviting attacks and offering up glaring vulnerabilities that cybercriminals are well-equipped to exploit. This status quo strategy, which continues to be the norm across companies of all sizes and industries, ignores the clear warnings of security experts, and it invites disaster by failing to implement best practices that can eliminate the risk of cyberattacks.

Perhaps your business has been more proactive and forward-thinking when it comes to login security, and perhaps you have implemented stronger protection, such as two-factor authentication. This is an important step toward greater enterprise security, and it is also important in many industries governed by legal requirements or industry regulations, such as HIPAA compliance for healthcare providers and Payment Card Industry (PCI) compliance for merchants that process consumer payment card transactions. But many companies do not realize that most two-factor authentication methods are ultimately unsafe: they are highly vulnerable and have already been exploited by attackers in other high-profile cybersecurity cases.

Also, while these methods may meet minimum legal and regulatory standards, they do not properly protect organizations from data breaches, and they are not engineered to meet the much stronger requirements that are already emerging and that will be codified in the future, such as those established by the FIDO (Fast IDentity Online) Alliance.
So the key to protecting your company, and even your own reputation and career, is understanding the available methods of two-factor authentication and how to choose the right approach that will make it physically impossible for attackers to compromise your user accounts and use them to steal company data. This means choosing technology that is engineered to render hacking, phishing, and malware obsolete. And it means deploying advanced security across the entire enterprise to protect access to resources by all users.
3 HOW TO AVOID DISASTERS
UNDERSTANDING TWO-FACTOR AUTHENTICATION

What is an Authentication Factor?

During a login process, an authentication factor is a requirement that is designed to verify the identity of an authorized user. In login security, there are three categories of authentication factors which are typically used to verify identity:

- Something that is known only by the user, such as a password or PIN
- Something that only the user possesses, such as a smartphone, smartcard, USB token, or other hardware key
- Something that the user is, such as a fingerprint or other biometric

Each category covers a range of potential requirements that can be used to verify identity and authenticate access to websites, applications, networks, systems, and other types of secured services. They can also be used electronically to approve transactions, sign or approve documents, grant access rights to others, or establish a chain of administrative authority.

What is Two-factor Authentication?

In the wake of recent cyberattacks, information security experts have universally called upon companies to implement, integrate, and enable two-factor authentication to protect user accounts and access to their websites, applications, networks, servers, and systems. Two-factor authentication requires two authentication factors to verify identity, and it usually combines one factor from each of the categories discussed above. Thus, a password might be combined with physical possession of a smartphone, which is used to receive a one-time code via SMS.

Two-factor authentication addresses the fundamental problem of cybersecurity, which is the continued use of traditional ID and password combinations for login security. Using IDs and passwords as the sole means of login security is no longer a safe method for protecting user accounts and preventing unauthorized access by attackers. Brute force attacks, phishing, and malware can easily defeat this outdated login method.
Also, hackers are continually developing newer tools and creating botnets of compromised computers to increase their computing power and quickly process huge numbers of brute force login attempts. Combined with lists of IDs and login credentials that have been compiled from previously successful data breaches, this allows them to launch large-scale attacks that are particularly dangerous despite the fundamental simplicity of their methods.
Phishing schemes that use fake emails and websites are also routinely successful, as attackers have become remarkably adept at carefully designing emails and web pages to look like le-

By tricking users into sharing their login credentials by notifying them that they need to reset

hacking or deploying malicious programs. Nonetheless, malware is another preferred choice for cyberattacks, as it enables a wide variety of potential ways to steal user credentials and sensitive information using keystroke loggers, redirections to phishing sites, man-in-the-middle attacks, SQL injections, and many more.

However, two-factor authentication helps avoid these attacks by adding an additional layer of security that can prevent unauthorized access by requiring the user to verify identity through a separate method that is often inaccessible to attackers. Companies can deploy two-factor authentication to protect administrative and/or user access to their websites, applications, networks, and systems, and most companies that have integrated two-factor authentication rely on third-party software, services, and hardware.

What Solutions are Available for Two-factor Authentication?

- One-time Code or One-time Password (OTP) via SMS (e.g. Facebook)
- One-time Code or One-time Password (OTP) via phone call (e.g. Google)
- Hardware tokens which generate One-time Codes or One-time Passwords (OTP) (e.g. RSA SecurID)
- Software which generates One-time Codes or One-time Passwords (OTP) (e.g. Google Authenticator)
- Software Push (e.g. Duo Push)
- Software Push Public Key Infrastructure (PKI) (e.g. SecSign ID)

See Chapter 6 (page 9) of this handbook for an in-depth explanation of two-factor authentication methods.
4 BALANCING SECURITY AND EASE OF USE

Ease of use has been the biggest obstacle to the adoption of two-factor authentication, even though the added security is critical to protecting user accounts. The additional steps required by two-factor authentication, such as entering one-time codes or passwords, along

why major tech companies like Google and Microsoft have made two-factor authentication optional for users of their services. Even if it is enabled, due to usability concerns, most services require two-factor authentication only when a user logs in from a new device. This means that, in all other instances, no addition

these services are tracking user behavior and hardware, which can be unsettling.

This is not a proper approach to authentication and login security, and most two-factor authentication solutions miss out on one of the most important potential improvements in ease of use and security combined: removing passwords or other sensitive credentials from the login process. This removes the credentials that motivate and enable the vast majority of cyberattacks, and it also eliminates the need to remember and type long, complicated passwords and to receive and re-enter one-time security codes or passwords.

Figure labels: EASE OF USE / SECURITY / 2FA
The need to eliminate passwords and other sensitive credentials from login processes is nothing new. In 2004, speaking at a security conference, Microsoft Chairman Bill Gates declared that passwords would soon be on the decline because they simply were not secure.

"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down, and they just don't meet the challenge for anything you really want to secure." - Bill Gates

In the years since, the password has been declared dead by numerous major companies and data security experts who have been pushing for the imminent departure from vulnerable password-based security and toward a safer future where better methods are deployed. In 2013, Google's manager of information security, Heather Adkins, stated quite simply: "Passwords are dead." Citing Google's implementation of two-factor authentication, Adkins said that passwords are done at Google and that the game is over for relying on passwords as the chief method to secure users and their data. Earlier that same year, WordPress founder Matthew Mullenweg, citing a wave of cyberattacks against WordPress websites, called for administrators to turn on two-factor authentication and stated that developers who do this will be ahead of 99% of sites out there and probably never have a problem.
5 ELIMINATING PASSWORDS FOR SECURITY AND SIMPLICITY

In exploring the options available for enterprise login security, it is critical to keep ease of use and security in mind. User adoption and compliance are critical to implementing any improved security measures, but the actual strength of security is overwhelmingly the most important factor. Choosing ease of use over security will leave your company vulnerable, and it may only be a matter of time before disaster strikes.

Thankfully, this is not a choice that any company is forced to make. The right authentication method will deliver the strongest possible security while also ensuring that the login process is simple and user-friendly, and, ideally, it should offer options to use two-factor authentication as a single sign-on solution and as an on-site service that can operate on company architecture and behind your firewalls. And the right method will not only simplify authentication but also remove passwords and all sensitive credentials from the login process.
6 COMPARING TWO-FACTOR AUTHENTICATION METHODS

Each method is compared on the same five points: login requirements, security, ease of use, integration, and examples.

SMS OTC/OTP
Login requirements: ID + password + one-time code or password. OTC/OTP received via SMS text message and re-entered via browser or application.
Security: Uses credentials targeted by attackers. Invites attacks. Vulnerable to malware intercepts, man-in-the-middle attacks, SIM card cloning, and phone number porting.
Ease of use: Requires users to remember and enter complicated passwords. Requires mobile network service and receipt and entry of SMS code.
Integration: Usually supports websites, applications, and mobile devices. Typically deployed in the cloud.
Examples: Google, Apple, Facebook, Twitter.

OTC/OTP VIA PHONE CALL
Login requirements: ID + password + one-time code or password. OTC/OTP received via telephone call.
Security: Uses credentials targeted by attackers. Invites attacks. Vulnerable to malware intercepts, man-in-the-middle attacks, SIM card cloning, and phone number porting.
Ease of use: Requires users to remember and enter complicated passwords. Requires mobile network service and receipt and entry of phone call.
Integration: Usually supports websites, applications, and mobile devices. Typically deployed in the cloud.
Examples: Google.

HARDWARE TOKEN
Login requirements: ID + password + USB hardware token.
Security: Uses credentials targeted by attackers. Invites attacks. Vulnerable to hacking of the master key from the token provider's server.
Ease of use: Requires users to remember and enter complicated passwords. Requires a hardware token that is not compatible with most mobile devices.
Integration: Usually supports websites, applications, and networks, but only through interfaces equipped with standard USB ports. Typically deployed as an on-premise solution in the cloud.
Examples: RSA SecurID.

SOFTWARE OTC/OTP
Login requirements: ID + password + one-time code or password.
Security: Uses credentials targeted by attackers. Invites attacks. Potentially vulnerable to software hacking.
Ease of use: Requires users to remember and enter complicated passwords. Requires receipt and entry of one-time code or password.
Integration: Usually supports websites, applications, and mobile devices. Typically deployed in the cloud or on-premise using third-party software.
Examples: Authy, Google Authenticator, Duo Security.

SOFTWARE PUSH
Login requirements: ID + password + QR code or mobile tap.
Security: Uses credentials targeted by attackers. Invites attacks. Potentially vulnerable to software hacking.
Ease of use: Requires users to remember and enter complicated passwords. Requires receipt and entry of one-time code or password. QR code method requires potentially unreliable or
No mobile network service required.
Integration: Usually supports websites, applications, and mobile devices. Typically deployed in the cloud or on-premise using third-party software.
Examples: SecurEnvoy, Duo Security Push.

SOFTWARE PUSH PKI
Login requirements: No password. No sensitive credentials entered, transmitted, or stored. ID + PIN, passcode, or
Security: Replaces credentials with 2048-bit encrypted key pairs. Removes credentials targeted by attackers. Discourages attacks because there are no credentials to steal. Optional biometrics for added security. Patented SafeKey mechanism prevents brute force hacking of the encrypted private key.
Ease of use: No need to remember or type long, complicated passwords. No need to wait for and enter one-time codes or passwords. No mobile network service required. Only one entry required on the login screen. Authentication with simple mobile tap and entry of PIN, passcode, and/or scan of
Integration: Support for virtually any website, application, network, or device. Free plug-ins for ASP.net, PHP, Java, Perl, Python, Ruby, WordPress and Joomla. Cloud or on-site deployment. On-site server option, behind enterprise
administration and reports.
Examples: SecSign ID.
SMS Two-factor Authentication

The most common method of two-factor authentication is one that is used by some of the biggest names in the tech industry, including Google, Apple, Facebook, and Twitter. It relies on the user's access to SMS texting on his or her mobile device and uses one-time codes (OTCs) or one-time passwords (OTPs) to verify access. Using the SMS method, whenever two-factor authentication is enabled and required, the user logs in with a user ID and password. The secured service sends a text message containing the required code or password to the user's mobile phone, and the user must re-enter this information through the login screen in order to complete verification. Presumably, only someone who knows the user's ID and password and also possesses the user's mobile device can perform this second verification step, so this helps prevent brute force attacks against the login server.

Vulnerabilities of SMS Two-factor Authentication

In recent cases, SMS two-factor authentication has been exploited in attacks against prominent online services, including online banking provided by Swiss banks, which are known for having some of the best cybersecurity in the world. In the attack against Swiss banks and other online banking providers, malware was combined with a man-in-the-middle attack to successfully thwart two-factor authentication.

Using Password-based Logins Invites Cyberattacks

The biggest problem with the SMS method, and with many others, is that it still requires the entry of a password along with a user ID during the login process. This fails to eliminate the primary motivator of cyberattacks, which is to steal credentials like passwords and use them to access confidential information and compromise servers and networks.
By continuing to use sensitive credentials like passwords during the login process, any service using passwords as the first factor in two-factor authentication will continue to give attackers every incentive to target their users and servers.

Malware Can Easily Defeat SMS Two-factor Authentication

Predictably, given the incentive of stealing credentials, there are already a variety of tactics that attackers have used to compromise SMS two-factor authentication. The simplest threat is malware. Using software that users have unwittingly installed on their computers by downloading infected files or clicking malicious links, attackers can simply log all the keystrokes entered on the user's keyboard or in a web browser to steal login credentials, including any SMS codes or one-time passwords that are entered for verification.
Man-in-the-middle Attacks Can Also Defeat SMS Two-factor Authentication

Then there are man-in-the-middle attacks, which are a variation on simpler malware approaches. These attacks use malware to trick users into visiting a counterfeit website that is designed to appear identical to the real website that the users intend to visit. The user unwittingly enters the user ID and password combination into the fake website, and the counterfeit site actually connects to the real website and sends the credentials. The real website then sends the user a text message with the required verification code or password, and the user unknowingly enters this information using the fake login screen. The counterfeit website then forwards this information to the real website, which authenticates the user and grants access. The attacker forwards the user to the real website, and everything appears to be normal to the user, but the attacker now has the user's credentials and can have full access to the user's account.

SIM Card Vulnerabilities Provide More Opportunities for Attackers to Steal OTCs and OTPs

Another tactic used by attackers is number porting, in which the attacker tricks the user's mobile provider into transferring the user's phone number to a new account under the attacker's control. Or, alternatively, attackers may compromise a user's mobile account and order a second SIM card, which the attacker receives and installs on another mobile device. Using either of these methods, an attacker can receive any SMS messages sent to the user and thus use them to authenticate access to any of the victim's accounts that use this form of two-factor authentication. Beyond these tactics, there is the prospect of SIM card cloning, in which attackers may be able to take advantage of encryption and software flaws in certain SIM card technologies.
This allows attackers to remotely gain control of a SIM card and even clone it, so they can access SMS text messages or simply receive copies of them. And, finally, another threat to SMS two-factor authentication is Trojan malware that is designed to target mobile devices like Android smartphones. Masquerading as a security certificate, these Trojans are capable of intercepting and forwarding inbound text messages. Thus, attackers have yet another means for potentially intercepting verification codes and using them to gain unauthorized access to user accounts.
Hardware Token Two-factor Authentication

To avoid SMS vulnerabilities in two-factor authentication, some developers have turned to hardware tokens as a way to verify user identity without relying on SMS text messages. The user must carry a token or fob, which is typically connected to a computer through a USB port. A user can only access a secured service by logging in using an ID and password and also connecting the USB-enabled token to the computer that is being used to access the service.

Hardware Tokens Address SMS Vulnerabilities but Burden Users and Discourage Adoption

This method has potential vulnerabilities of its own, as demonstrated several years ago when RSA Security, a division of EMC Corporation and developer of token-based authentication, was hacked. RSA Security was forced to replace more than 40 million hardware tokens because it had been victimized by a phishing attack and malware that allowed hackers to access sensitive company information that may have included the master key for its tokens or technical details about its security technology.

Moreover, most token authentication solutions still involve the entry of passwords during the login process, and, thus, these credentials will typically be transmitted through a web browser and must also be stored on a server. Once again, this means that sensitive credentials are still used during logins, and any service using them will still be a high-value target for attackers. So, even if the hardware token makes user access more secure, the use of passwords in transit and their storage on a server means that a company's architecture and network will be primary targets for attacks. And even if those credentials cannot be used to remotely log into the company network or website without a token, the user ID and password combinations are still highly valuable due to the possibility that they may be usable for other websites and services that do not have two-factor authentication.
But another problem for token-based two-factor authentication is that it cannot be used to protect user access to online services through smartphones or tablets. These devices are not equipped with USB ports, so the same security fobs cannot be used with them. This is a major usability issue that limits their application and effectiveness. And, as companies increasingly deploy smartphones and tablets for use by their workforce, this poses a significant challenge in maintaining high levels of security.
Software-based Two-factor Authentication with OTC/OTP

The usability challenges with token-based authentication have led some developers to use software-based authentication as a basis for verifying user identity. Using this approach, the user typically enters a user ID and a password during the login process but then uses a mobile app or some other software application to receive a one-time code or one-time password, which must be re-entered through the browser or application that initiated the authentication request. This means that authentication can be completed regardless of what type of device the user is using to log into the secured service. It accommodates desktop, smartphone, and tablet logins equally.

However, like SMS authentication methods, these services still use ID and password combinations, so, once again, the transmission and storage of passwords will inevitably invite attacks. Moreover, despite the seeming simplicity and convenience of software two-factor authentication, it burdens the user with the process of having to wait to receive a one-time code or password and then enter it through the browser or application that has initiated the authentication process. This can slow down the login process and is yet another obstacle that discourages user adoption.
Software Push Two-factor Authentication

To simplify the authentication process and create a more user-friendly method, some developers have introduced two-factor authentication using software and mobile push technology that allows users to verify their identity using a QR code or by tapping a button in a mobile app. These solutions make use of public key cryptography, which stores encrypted private keys on

code or by tapping a button. This avoids the vulnerabilities of SMS transmissions and the headaches of using hardware tokens for authentication, but it creates other potential problems.

Mobile Tap Method

With the mobile tap approach, anyone with access to the user's mobile device could potentially use it to authenticate a login. All that a person in possession of the phone needs to do is enter the ID and password through

and tap the button to verify authentication. Anyone who has stolen a user's device and has found the required ID and password combin-

QR Code Method

With the QR code method, after entering an ID and usually an accompanying password, the user must then use a mobile device to scan a QR code that is shown on the login screen. On the mobile device, the QR scanning app contains a randomly generated secret code that is

The QR code method uses public key cryptography, which is an ideal approach to two-factor authentication, but it also places a burden on the user in requiring a successful scan of the QR code.

frustrating process that delays logins. And, once again, such obstacles can hamper user adoption and compliance.
Software Push PKI Authentication

One approach to two-factor authentication actually eliminates all of the security vulnerabilities and usability issues that plague other methods. Importantly, it also avoids the use of passwords or any other sensitive credentials during the login process, meaning that it is physically impossible for attackers to steal user credentials because they are not entered, transmitted, or stored for the purposes of logins. This method uses mobile push authentication and public key infrastructure (PKI), using the same security principles and the same combination of knowledge and possession that is used in smart card security.

Mobile Push PKI Authentication Involves Three Core Elements:

1. A 2048-bit encrypted private key is encoded and secured on the user's mobile device. The private key is secured by a mechanism that prevents brute force attacks, even if a user's mobile device is lost or stolen.
2. A 2048-bit encrypted public key is stored and secured on a Trust Center Server, which can be deployed in the cloud or by configuring and operating your own authentication server, with the same powerful security, on your own architecture.
3. Physical possession and rightful ownership of the private key is confirmed through one of several verification options, which allow the private key to digitally sign an authentication challenge that is generated by the authentication server and sent to the mobile device.

With this approach, the login process provides the best possible security and simplifies authentication by eliminating the use of passwords and sensitive credentials. The login and authentication process is simple and can be completed within seconds using a login on a website or through a mobile application, with authentication completed using a mobile app. Users log into a secured service through a website or application, as usual, but the user only enters a non-confidential user ID and does not enter a password.
The user ID is non-confidential because there is no need to secure it. The ID cannot be used on its own to access the account or obtain any confidential information. Once the user ID is entered, the web or app server communicates with an authentication server, which issues a challenge that must be digitally signed by the private key on the user's mobile device. The mobile app is used to digitally sign the challenge with the private key.
Four Options Available to Verify User Identity

To confirm possession of the encrypted private key on the user's mobile device and allow it to digitally sign the authentication request, the user must verify identity through knowledge and/or biometrics. A properly deployed PKI authentication solution can offer four ways to do this:

1. Enter a user-defined PIN or a passcode (which is used only in the app and never transmitted).
2. Use fingerprint biometrics, such as Apple's Touch ID, to confirm private key ownership.
3. Combine a user-defined PIN or passcode with a fingerprint. This creates a combination of knowledge and biometrics for extra security.
4. Use only the physical presence of the private key on the mobile device to verify authentication. While this option removes PIN, passcode, or fingerprint protection for the private key, it still provides a stronger alternative to password-based logins because the private key exists only on the user's mobile device, so only someone who possesses the device can access the user's account.

An Access Symbol Provides Final Confirmation of Identity

Once ownership of the private key is confirmed, the mobile app can show a set of four symbols. The user taps the symbol that matches the one shown on the login screen of the secured website or application, and this provides final identity verification. The mobile app notifies the authentication server of the result, and access to the user account is granted.

Properly Designed PKI Authentication Makes It Impossible for Attackers to Steal User Credentials

Using mobile push PKI authentication, a user can complete authentication in just a few seconds, and all of this happens without using a password and without entering, transmitting, or storing any sensitive credentials as part of the login process. This means that there is physically nothing for criminals to steal or use to gain unauthorized access to accounts or data.
No amount of brute force, phishing, malware, man-in-the-middle attacks, or SIM card attacks will provide them with a credential that can be used to access a user account and cause further damage. Thus, it is possible to implement a level of security that is even stronger than the two-factor authentication used by most major banks to protect online banking logins, and to do so with a method that is actually simpler and easier for users.
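The challenge-response exchange described above, as an added Go example that is not part of this handbook or of any vendor's software: it assumes an Ed25519 key pair enrolled per user ID, a single-use random challenge per login attempt, and a constructed user "alice"; the four-symbol confirmation step is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuthServer: per (non-secret) user ID, the device's enrolled public key and the outstanding login challenge (constructed example).
type AuthServer struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewAuthServer() *AuthServer {
	return &AuthServer{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Enroll registers the device's public key; the private key never leaves the device.
func (s *AuthServer) Enroll(userID string, pub ed25519.PublicKey) { s.pubKeys[userID] = pub }
// IssueChallenge returns a fresh 32-byte random challenge, or nil for an unknown ID.
func (s *AuthServer) IssueChallenge(userID string) []byte {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil
	}
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error in current Go; it aborts on failure
	s.challenges[userID] = c
	return c
}
// VerifyResponse checks the signature with the enrolled key and consumes the challenge,
// so a signature captured in transit cannot be replayed at a later login.
func (s *AuthServer) VerifyResponse(userID string, sig []byte) bool {
	c, ok := s.challenges[userID]
	if !ok {
		return false
	}
	delete(s.challenges, userID)
	return ed25519.Verify(s.pubKeys[userID], c, sig)
}
// SignChallenge is the mobile app's step once the user has unlocked the key (PIN or fingerprint).
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer()
	srv.Enroll("alice", pub)
	c := srv.IssueChallenge("alice")
	fmt.Println(srv.VerifyResponse("alice", SignChallenge(priv, c))) // true; repeating the call prints false
}
```

Only the user ID, the challenge and the signature cross the network; the private key and any PIN or fingerprint stay on the device.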
7 ASSESSING YOUR RISKS

Do your users access corporate resources with a password authentication method?
Is your admin server access protected by a password authentication method?
Are your authentication methods compliant with regulatory or industry requirements for data security, such as PCI or HIPAA?
Are you using two-factor authentication as an added layer of security?
What type of two-factor authentication method are you using, and is it truly safe?
Have you integrated two-factor authentication for all of your company user accounts, web sites, networks, servers, and systems?

All of these are important questions that IT professionals must consider in evaluating current levels of company security and in mitigating the potential risks of a data security breach. If you are using password authentication methods, then your company and your user credentials are a prime target for attackers. Forward-thinking organizations that are keen to protect their reputations and avoid disastrous security breaches must rethink traditional authentication and deploy better approaches. Continuing to use passwords and other sensitive credentials for authentication invites a number of potentially dangerous security risks, and cybercriminals have already deployed a wide variety of attack methods that can exploit this weakness.

If you are not using two-factor authentication as an added protection for account logins, then you are not offering an appropriate level of security to protect your user accounts, customer data, and confidential business information. And, if your company routinely handles customer payment data or is involved in sectors like healthcare and banking or finance, then you could face fines, penalties, or other damages for failure to comply with legal requirements and industry regulations.
Also, your company may have already implemented two-factor authentication and may be actively using it, but if you are only using it to protect particular resources or systems, or only for administrative access or for certain users, then you may still be non-compliant and are still highly vulnerable to potential cyber-attacks and security breaches. In the case of Target, when the company was attacked by cybercriminals, two-factor authentication was implemented only for employees with direct access to confidential information. It had not been extended to protect vendor access to the company's network, even though the Payment Card Industry (PCI) data security standard requires this for all remote access originating from outside the company network. This created a vulnerability that attackers were able to exploit, and it offered a tough lesson on the need for comprehensive implementation of two-factor authentication.
8 IMPLEMENTATION AND INTEGRATION OPTIONS

Fortunately, with professionally engineered two-factor authentication using mobile push software and PKI, you can easily integrate the strongest possible login security with all of your websites, applications, networks, and services.

Integration Advantages of Software Push PKI

1. Integrates with virtually any service or device:
   a) Websites
   b) Desktop and mobile applications
   c) Servers
   d) Systems
   e) Smart TVs
2. Single sign-on capability
3. Self-enrollment of all authentication users
   a) Users generate their own ID and can easily link it to new or existing login accounts
4. Cloud deployment with Trust Center Server, multiple firewalls, and shared secret mechanism
5. On-premise installation option with turnkey virtual appliance
6. Plugins and APIs for a full range of coding languages and content management systems
   a) PHP, ASP.net, C#, Java, Perl, Python, Ruby, WordPress, and Joomla
7. Minimizes keyboard entries and eliminates the need to enter complex user IDs or passwords
8. Supports WLAN authentication and does not require mobile network access
   a) Ideal for overseas travel or when otherwise out of mobile network coverage

Cloud Deployment

Using a third party provider and simple plugins, the PKI authentication method can be integrated and deployed within minutes, and you can use a highly secured cloud service to provide authentication through a Trust Center Server operating behind multiple firewalls with a shared secret mechanism to protect the server key. Cloud-based PKI authentication can be implemented for free, with support for an unlimited number of users, and it can operate as a single sign-on service, with a single user ID used to access multiple secured services.

On-premise Deployment

As an option for those who prefer to operate their own authentication server, behind their own firewall and on their own infrastructure, companies can also work with a third party provider to install and integrate PKI authentication on-premise.
This allows the authentication service to operate exclusively on a company's own architecture with single sign-on capability and centralized administration and reporting, and the service can even operate outside the Internet on the company Intranet.
Trusting a Third Party Vendor for Two-factor Authentication

Naturally, a primary concern when dealing with any data security implementation is potential reliance on a third party service and the ensuing long-term costs or the security risks that this may entail. Thankfully, with a properly designed and delivered solution for software push PKI, an on-premise installation will provide complete and total control for the company deploying the technology, and there will be no long-term contracts or costs beyond the initial installation and integration effort.

In choosing a third party, it is also important to take into account the authentication method and the encryption and transfer protocol methodology, so you can ensure that no passwords or identity credentials are transmitted to a server or stored on a server. The ease of integration with new biometric smartphone features, like Touch ID fingerprint scanning, should also be a primary consideration, as these verification methods become increasingly important and widespread in strengthening login security. Flexibility to integrate the solution with existing identity and access management (IAM) and back-end technologies, using Java, Ruby, Python, Perl, PHP or any other coding environment, is ultimately crucial to ensuring that the chosen authentication method can be used for all services within the enterprise.
GETTING EXPERT ADVICE & IMPLEMENTATION SUPPORT

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. Our security experts and cryptography engineers have developed, deployed, and maintained systems protecting business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

Our security engineers can provide insight and assistance in deploying PKI authentication to protect your business. Contact us today to request a free consultation and to learn more about our SecSign ID solution for mobile two-factor authentication using public key infrastructure. To request your consultation, please visit our web page and send us some basic information that will help us identify your security needs and the opportunities to implement the right solutions to protect your company.

2831 St. Rose Parkway, Suite 200
Henderson, Nevada 89052
(702) 664 6467
info@secsign.com
www.secsign.com