Swivel Multi-factor Authentication



Similar documents
PINsafe Multifactor Authentication Solution. Technical White Paper

Authentication Solutions

How Secure is your Authentication Technology?

Integration Guide. Swivel Secure Authentication

Two-Factor Authentication and Swivel

Swivel Secure and the Cloud

Two-Factor Authentication

STRONGER AUTHENTICATION for CA SiteMinder

A brief on Two-Factor Authentication

ADDING STRONGER AUTHENTICATION for VPN Access Control

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Guide to Evaluating Multi-Factor Authentication Solutions

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

VMware Horizon View for SMS PASSCODE SMS PASSCODE 2014

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

Fortigate SSL VPN 4 With PINsafe Installation Notes

How CA Arcot Solutions Protect Against Internet Threats

Fortigate SSL VPN 3.x With PINsafe Installation Notes

DIGIPASS Authentication for SonicWALL SSL-VPN

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

BlackShield ID Best Practice

Multi-factor authentication

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

This release bulletin relates to Version build 2701 of the Swivel Authentication Platform and other new capabilities.

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Two-Factor Authentication

Entrust. Entrust IdentityGuard 8.1. Deployment Guide. Document issue: 2.0. Date of Issue: April 2007

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Case Study SMS Two Factor Authentication. Contact us Infracast Ltd, Merlin House Brunel Road, Theale, Berkshire, RG7 4AB

SharePlus Enterprise: Security White Paper

Hosting topology SMS PASSCODE 2015

RELEASE NOTES. Release Notes. Introduction. Platform. Product/version/build: Remote Control ( ) ActiveX Guest 11.

ESET Secure Authentication Java SDK

ADVANCED TWO-FACTOR AUTHENTICATION VIA YOUR MOBILE PHONE

Out-of-Band Multi-Factor Authentication Cloud Services Whitepaper

Multi Factor Authentication API

Safewhere*Identify 3.4. Release Notes

nexus Hybrid Access Gateway

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

PortWise Access Management Suite

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

Establishing two-factor authentication with Cyberoam UTM appliances and HOTPin authentication server from Celestix Networks

Protect Your Customers and Brands with Multichannel Two-Factor Authentication

External Authentication with Citrix Access Gateway Advanced Edition

Active Directory Integration Notes. Introduction. Overview

Establishing two-factor authentication with Check Point and HOTPin authentication server from Celestix Networks

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

Connecting an Android to a FortiGate with SSL VPN

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Establishing two-factor authentication with Barracuda NG Firewall and HOTPin authentication server from Celestix Networks

BlackShield ID Agent for Remote Web Workplace

Virtual Code Authentication User s Guide. June 25, 2015

FileCloud Security FAQ

PortWise Access Management Suite

Adding Stronger Authentication to your Portal and Cloud Apps

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

Agent Configuration Guide

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

Entrust IdentityGuard

RSA SecurID Ready Implementation Guide

Strong Authentication for Microsoft TS Web / RD Web

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Implementation Guide for protecting

Authentication Solutions Buyer's Guide

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

Symantec VIP Integration with ISE

SafeNet Authentication Service

Implementation Guide for. Juniper SSL VPN SSO with OWA. with. BlackShield ID

Strong Authentication for Secure VPN Access

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Juniper SSL VPN Authentication QUICKStart Guide

EVALUATION GUIDE. Evaluating a Self-Service Password Reset Tool. Usability. The password reality

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

External Authentication with Windows 2012 R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

Hang Seng HSBCnet Security. May 2016

Cash Management 5.0 User Guide

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Internet Information Services (IIS)

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

Introduction to SAML

DIGIPASS Authentication for Cisco ASA 5500 Series

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

How To Comply With Ffiec

Two-factor Authentication: A Tokenless Approach

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Transcription:

Swivel Multi-factor Authentication White Paper Abstract Swivel is a flexible authentication solution that offers a wide range of authentication models. The use of the Swivel patented one-time code extraction protocol means that Swivel can offer a range of strong single and two-factor authentication solutions 2012 Swivel Secure Limited Equinox 1, Audby Lane, Wetherby, LS22 7RD, UK T +44 1937 582 020 E hq@swivelsecure.com www.swivelsecure.com

Table of Contents Introduction 2 Swivel Overview 2 PINsafe 2 Swivel High Level View 4 Corporate VPN Access, Strong Authentication 5 Webportal Access, Two-factor authentication 5 Security String Delivery 6 On-Demand or In Advance 6 Multiple or Single 7 Two Channel vs. Single Channel 7 Single-Factor vs. Two-Factor 7 Security String Rendering 8 Policies 8 User Groups 8 Conclusion 9 1 of 9

Introduction This paper describes the principles and technology behind the Swivel Multifactor Authentication Solution. It looks at the principles and advantages of multi-factor and multi-channel authentication and how Swivel implements these approaches to authentication. Swivel Overview Swivel is a multi-factor authentication system. At the core of the system is a challenge-response based authentication engine. This engine presents the user with a challenge and checks that their response is correct before the user is allowed access. PINsafe A unique aspect of the solution is the PINsafe one-time code (OTC) extraction protocol whereby a user is sent a security string, the user then combines this security string with their PIN to derive a one-time code. They then use this one-time code to authenticate themselves. The strength of this system is that the user needs both the security string and their PIN in order to authenticate yet the PIN is never entered as part of the authentication process. The one-time code extraction protocol is simple to use, the PIN determines which characters are to be used and in which order, for the one-time code. Figure 1. PINsafe Extraction Protocol 2 of 9

The security string can be presented to the user in a number of ways, in an SMS message, via a Java Applet or as an obfuscated image (known as a TURing image), as show in figure 2. 1 Figure 2. Security String as an Obfuscated Image There are a number of advantages to this approach and these include: The one-time code that the user enters is different for every authentication which provides defence against key-logging attacks, and many simple man-in-the-middle and phishing attacks. The user never enters their PIN to authenticate, again providing defence against the attacks listed above. As authentication requires two elements, the security string can be sent via a different channel to the authentication request, providing defence against man-in-the-middle attacks. The delivery of the security string can be tied to a specific device, e.g. a mobile phone, providing a two-factor authentication solution. It should be noted that PINsafe is a unique element of the system, but not one that a customer has to implement. For example, if required users can be sent one-time passcodes they merely have to enter as part of the authentication process without needing to extract a one-time code. 1 The obfuscation of the image provides defence against Optical Character Recognition (OCR) attacks. 3 of 9

Swivel High Level View The Swivel Core server sits at the centre of the authentication system. It manages the user data, creating and managing credentials as required, enforcing authentication policies and issuing authentication challenges (security strings or one-time passcode). User Applications (or Agents) submit authentication requests to the Swivel server, these agents are, or are deployed on the resource that is being protected by Swivel. Agents may be a SSLVPN servers, piece of agent software installed on a web site, web application nor desktop or a web page authenticating a cloud service. Swivel can deliver security strings to users in a number of different ways including but not limited to: Returning the security to the string into the web form that requested it. Sending the security string as a text message to the user s mobile device. Downloading security strings to a user s registered mobile application. It is this splitting of the delivery of security strings and the submission of authentication requests into two separate logical channels that delivers the advantages described above. Swivel has a user database in which it stores the data relating to the user s Swivel Account. It can create all the Swivel accounts that an enterprise needs by synchronizing with an enterprise s existing user database, typically an Active Directory installation. Alternatively user accounts can be 4 of 9

generated manually or created via an external application using the Swivel Admin API. With different agents, Swivel server configurations and different end-user devices, the basic Swivel model can provide a range of different authentication models; some examples are described below. Corporate VPN Access, Strong Authentication This is typical for a VPN solution. Swivel synchronises with the Active Directory and creates user-accounts in the Swivel database, as required. The application in this case is the VPN server. The VPN server s log on page is modified to include a TURing image. 1. The user enters their username and initiates an authentication session. 2. The user requests and receives a security string from the Swivel server and displays the security string as a TURing image within their web browser. 3. The user derives and enters their one-time code to the VPN. The VPN server submits an authentication request, using the RADIUS protocol, to the Swivel server. Swivel responds, via RADIUS, with either pass or fail. Webportal Access, Two-factor authentication This model maybe more typical of using Swivel to protect a web site or web application. When a user registers with the portal, the portal creates a Swivel account for that user. When the user goes to access a page on the portal, a Swivel filter determines whether they need to authenticate or not. If an authentication is required, the user is redirected to a log-on page. 1. As a result of account creation or a previous authentication attempt, the Swivel server will have sent the user, via SMS (transport) a security string. 2. The login page on the user application asks the user for their username and one-time code. 3. The user enters their one-time code, the application uses the Agent- XML API to make the authentication request and the Swivel server responds with pass or with an error message. 4. In Automatic mode the user is automatically sent a new security string. 5 of 9

Security String Delivery The examples above show how Swivel offers strong authentication by requiring the user to have a security string and a PIN in order to authenticate. There are a number of ways that security strings can be: Generated Transported Displayed This section describes the different methods to help to show Swivel s flexibility and the different ways that it can strengthen authentication. On-Demand or In Advance Security strings can be sent only as and when an Agent/Application requires a user to authenticate or they can be sent to the user in advance so the user has them ready at the time of authentication. The default behavior for SMS operation is for the user to be sent a security string in advance, after each authentication attempt, this has the advantage that the user always has a valid security string in their SMS inbox when they come to authenticate. In this model the Swivel server initiates the sending of a security string to the user after each authentication attempt, whether the attempt was successful or not. Security strings that are delivered in advance are valid until they are used or until more security strings are requested. An alternative model is for the security string only to be sent to the user when they are attempting to authenticate. In this model the Agent user requests a security string on the user s behalf by making a request to the Swivel server Security Strings module. If a security string is requested as in the on-demand mode, it has a limited validity period; once this period has expired the user cannot authenticate using that security string. The advantage that on-demand brings with it is tighter control of the security by the agent. This can be used as a defense against phishing attacks as security strings will only be sent out when the real site deems it necessary. The model can also be extended so that the user has to provide a valid password before the security string is sent to them. This defense is strengthened as it enables the application to add context information to the security string. As the authentication session is under the control of the Agent, the Agent knows what the user is authenticating for. If, for example, the user is authenticating to authorize a purchase this information can be included in the security string sent to the user, e.g. the SMS could state Security string for $340 purchase. 6 of 9

Multiple or Single Where Security Strings are sent in advance they can be sent individually or in batches. For example the Swivel Mobile Clients can download 99 security strings for authentication. For SMS up to 10 security strings can be sent within a single message. This reduces the reliance of having network connectivity at the time of authentication. Two Channel vs. Single Channel Security strings can be delivered to the user as part of their log-on dialogue, e.g. incorporated in a VPN log-on page, or delivered to a mobile phone or other device. In the first case the security string is sent via the same channel over which the authentication takes place; hence single channel. In the second case the security string is sent via a different route; hence two channel. Two channel is generally more secure because in order to determine someone s PIN, you need to know the security string that they have been sent and the one-time code that they have entered. Sending these two via separate channels makes intercepting them more difficult. In single channel mode the security strings are sent to the agent that requested them, i.e. the TURing image is sent to the agent that requested the security string and that will then go on to make an authentication request. In two channel mode the security string is delivered directly to the user via a separate logical channel. This is done by the core platform sending the security strings via a transport module to a specific device (e.g. via SMS or telephone call) or by the user downloading strings to a specific device over the mobile network. Single-Factor vs. Two-Factor Single-factor authentication relies on the user knowing something that only the user would know, the most common example being a password. Twofactor adds another element, generally something that a user owns; referred to as a token. Swivel can be used as a single-factor or two-factor authentication system. In single-factor operation the security string can be retrieved by the user or agent on any device, therefore access to a token is not required to access the security string. In two-factor operation the security string will only be sent to a specific device, i.e. the user s registered mobile phone. For example in SMS mode the security string will be sent by SMS to the mobile phone associated with that user s account. In order to successfully authenticate a user needs to 7 of 9

be in possession of that specific mobile phone (the second factor) and then to know the PIN to extract the one-time-code (first factor) Two-factor is a stronger form of authentication as it means any attacker has to successfully compromise both factors of authentication. The Swivel- PINsafe implementation of two-factor authentication is particularly affective as the attacks need to be simultaneous, as the PIN is never entered as part of the authentication, it cannot be attained in isolation via a key-logging attack. Security String Rendering The security string sent to the user can be rendered in a number of different ways to optimize security and usability. Here are some examples. The Swivel server can supply the security string as an obfuscated TURing image as a defense against OCR attacks The Swivel server can supply the security string as plain text to the Swivel mobile client. The Swivel server can send the security string as audio within a telephone call. The security string can also be delivered to an application for the application to render the security string in any way it requires. Policies User Groups The flexibility of Swivel is further facilitated by the ability to segregate users into different groups and to associate different authentication models with those different groups. Different user groups can be allocated different user-rights within the Swivel server. This includes what authentication modes they can use (single, SMS and mobile clients) as well as which applications the user is allowed to authenticate to. Users can then be made a member of one of more of these groups to determine which applications authentication models are available to them. When using Swivel with Active Directory these user groups can me matched to existing groups with Active Directory meaning that Swivel users rights can be managed directly from Active Directory. 8 of 9

Conclusion The Swivel server is architected to and successfully delivers a flexible, strong authentication system. The lack of reliance on a dedicated authentication token and eliminates the hassle and cost of managing such tokens and drastically decreases deployment time. The flexibility of the product means that it can provide different authentication solutions to different users, even within the same Swivel installation and it can accommodate an enterprise s authentication requirements both now and as they change over time. Its open design makes integration easy and a single Swivel server can be integrated with many different IT resources. All of these factors make Swivel a low-risk choice of authentication solution 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information