55752538 Two Factor Authentication

Visolve – Open Source Solutions

Upload: martinwaits4u

Post on 06-Apr-2018


Page 1: 55752538 Two Factor Authentication

8/2/2019 55752538 Two Factor Authentication

http://slidepdf.com/reader/full/55752538-two-factor-authentication 1/18

Visolve – Open Source Solutions

Page 2: 55752538 Two Factor Authentication


Visolve – Securing Digital Assets

Contents

Security Overview
Security Concerns
Security Needs
Technical Overview
Two-Factor Authentication System
OTP – One Time Password Solutions
OATH – Open Standards for OTP

Page 3: 55752538 Two Factor Authentication


Security Layers - Challenges

Authentication: Ability to Validate, Proving Identity
Authorization: Access to Network, Allowing to Transact
Accounting: Management, Auditing
Users: Profiling
Security Policy: User Rights, Access Levels
Security Platform: Applications, Interface
Security Device

Page 4: 55752538 Two Factor Authentication


Security Threats & Business Needs

Vulnerabilities
Cyber Crime – Identity theft and Fraud
Phishing & Pharming attacks becoming more sophisticated and malicious

Business needs
Enhanced Security: Stronger user authentication – Two Factor Authentication System
Cost effective Password & Identity Management
Delivery Mechanism – Convenience of carrying security devices and ease of use

Page 5: 55752538 Two Factor Authentication


Power of One-Time Password (OTP)

OTP deployment makes full life-cycle management easy & cost effective
Flexibility and availability of various OTP methods – time synchronized, event synchronized or challenge response
Password generated is valid for a single use
Enhanced security environment for users to authenticate and transact on the web
Centralized repository of User profiles and credentials

Page 6: 55752538 Two Factor Authentication


Visolve – Open Standards for OTP

Today, with the exception of RADIUS, integration of OTPs can be achieved only through costly proprietary interfaces & protocols
Can leverage existing VPN/Wireless LAN infrastructure
Low cost/no vendor lock alternative to proprietary solutions
Easily added to existing web server password validation infrastructure
Token based solution now inexpensive for wider B2C deployments

Page 7: 55752538 Two Factor Authentication


Technology Overview

HP-UX AAA Server and OATH: Standards-Based Two-Factor Authentication

Page 8: 55752538 Two Factor Authentication


Technology - Framework

Two-Factor Authentication
Authentication using two independent methods – typically something you have (device) and something you know (password)

One-Time Password
Password valid for a single use
Two-Party Model: Client and Server use OTP software or hardware to generate and validate the password
Two-Channel Model: High value transactions can be authenticated by requiring an OTP delivered through a secondary channel via email or SMS

OATH
Open standards for OTP generation: http://openauthentication.org
Sequence based algorithm
Supported by all of the token device vendors

Page 9: 55752538 Two Factor Authentication


Advantages of OATH vs. Proprietary OTP

Low Cost
Sequence based algorithm allows low manufacturing cost for token device
No Royalty Programs
Leverage in both price-points and form-factors

Wide variety of user deployment models
Standalone token device can be built into consumer electronics
Secondary channel solutions – SMS

No Vendor Lock
Client, Server, user management components can be purchased separately
Multiple OTP clients can be concurrently supported from the same authentication server

Easy on Cost, Easy to Implement, Easy for End Users, Easy to Manage

Page 10: 55752538 Two Factor Authentication


OATH/OTP Authentication Opportunities

User Tokens
Low priced tokens from multiple vendors
Soft-tokens that can run on Java enabled devices – mobile phones
SMS delivery of OTP for non Java enabled devices

Mobile makes an ideal OTP device
Ubiquitous
Leverage application provisioning to manage the OTP soft-token
Addresses the consumer issue of handling multiple hard tokens

Opportunity for OTP authentication as a telecom service
Consumer authenticates to bank/retailer
Retailer authenticates password locally
Forwards OTP to Service Provider

User Base: Enterprise, Government, Medical, Finance, Web-Merchants

Page 11: 55752538 Two Factor Authentication


OATH/OTP Vs. Other Major Authentication Technologies

Method: Password
Advantages: Widely used and supported by the largest number of applications; technology easily understood by users
Disadvantages: Relies on human protection and management of the secret
Key Vulnerabilities: Brute force; Man-in-the-middle/client insertion; Phishing; Over the shoulder; Keystroke loggers
Applicability: Lower risk environments; Legacy environments; No network usage or protected network usage

Method: OTP + Password
Advantages: Two-factor authentication compatible with password based infrastructure; zero client footprint option
Disadvantages: Requires possession of OTP generation software/hardware or access to a secondary channel for OTP transmission
Key Vulnerabilities: Man-in-the-middle/client insertion; Phishing (reduced to a one time action)
Applicability: B2C Commerce; Enterprise Security (VPN); Environments not suited for PKI (e.g. password based application infrastructure)

Method: Digital Certificates/PKI
Advantages: Bi-directional authentication; Can provide two-factor; Non-repudiation
Disadvantages: Certificate management cost can be prohibitive for a large user base; Heavy footprint to manage on the client; Not compatible with small devices; Requires distribution of certificate/smart card to the client
Key Vulnerabilities: User override of warnings; Client insertion (reduced)
Applicability: Highly secure environments; Monetary or legal transactions where non-repudiation is a required feature; Environments where mutual authentication is required

Cost/Complexity/Protection: LOWER (Password) → HIGHER (Digital Certificates/PKI)

Customer slide presentation

Page 12: 55752538 Two Factor Authentication


OATH Soft Tokens: Three Tier Service Provider Model

1. Provisioning: User key and sequence number are generated by the service provider. Key and OATH applet are delivered to the user device by a client provisioning service.
2. Local Authentication: User connects to the web retail presence via browser. Password verified locally.
3. OTP Authentication: User provides the OTP from the cell phone. Passed to the service provider for verification.
4. Multiple Retailers: Multiple retailers share the same OTP service, while locally maintaining password authentication.

(Diagram: the tiers are linked over HTTPS and RADIUS, provisioning also uses SMS, the service provider runs HP-UX AAA with web based management, and each tier has its own database.)

Page 13: 55752538 Two Factor Authentication


OATH: Provisioning Life Cycle: Token Cards

1. New Installation: Supplier delivers tokens and key file. Admin tool imports serial number/key pairs into secure storage.
Key file as shown on the slide:
Serial#   Key
A123      34334343
A124      34555555
2. New User: Serial number, key and sequence number 0 are assigned to the user entry. Token device is delivered to the user.
3. Help Desk: User entry can be resynchronized with the user's token device if needed.
4. Deactivate User: User entry locked. Token device may be assigned to another user.

(Diagram: each step is performed through the web based management tool against the database.)

Page 14: 55752538 Two Factor Authentication


Basic Password Authentication Sequence - Adding Two Factor Authentication

(Diagram: Supplicant, Authenticators, HP-UX AAA server and Database, with the steps numbered 1 to 6.)

1. Username/password entered on client device
2. Protocol: VPN: L2TP/IPSec; LAN: 802.1x; Web: HTTPS; etc.
3. Authenticator (Web Server, VPN Gateway, Firewall, WLAN Access Point, Unix login/SSH, etc.) authenticates the password locally or forwards it to AAA
4. Protocol: RADIUS, with the OTP appended to the password field (separate prompt or combined with the existing password input)
5. AAA Server authenticates the password; tracks and logs the user session
6. OTP validated, token sequence number updated in the Database

Two factor authentication can be added with minimal disruption. Zero client software changes possible, reusing the existing password based single factor authentication infrastructure.

Page 15: 55752538 Two Factor Authentication


HP-UX AAA Server Overview

Purpose: Centralized service to provide authentication and recording of user access to network resources
Controls access to wireless LANs, VPN gateways, HTTP servers, and other RADIUS enabled devices or applications
Provides access and accounting control for greater security and compliance

Advantages:
Based on the widely supported RADIUS and Extensible Authentication Protocol standards
High performance/high availability features for enterprise and service provider deployments
Supports a wide variety of authentication methods including password, token cards and digital certificates
Highly customizable, supports ODBC compliant databases and LDAP compliant directories
Included with HP-UX 11i

(Diagram: users reach the HP-UX AAA server and its Database through 1. Access Points, 2. VPN Switches, 3. Firewalls and a Web server; the switch pictured is an HP ProCurve 10/100T switch 408 J4097B.)

Page 16: 55752538 Two Factor Authentication


OATH: Higher level HMAC-based One Time Password Algorithm (HOTP)

Generate OTP (token side): Shared Secret (20 bytes) + Sequence Counter (8 bytes) → Run HMAC-SHA1 and Truncate → OTP (6 or 8 digits)

Validate OTP (AAA Server side): the Authenticator forwards Password + OTP; the AAA Server recomputes the OTP from its own copy of the Shared Secret and Sequence Counter, then advances the Sequence Counter by +1
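The HOTP computation diagrammed on this slide, together with the server-side handling the provisioning slide (page 13: key file import, sequence number 0 at assignment, help-desk resynchronization, deactivation and token reassignment) and the authentication sequence slide (page 14: OTP appended to the RADIUS password field, counter advanced after validation) describe, as an added Python example that is not part of the Visolve/HP presentation. It implements RFC 4226, the OATH HOTP algorithm the slide shows, and checks itself against the RFC's published test secret; the key file contents, the look-ahead window of 10, the resync search window of 1000, the user names and passwords, and the class and function names (TokenEntry, AaaServer, import_key_file, split_password_field, demo) are assumptions made for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenEntry:
    """Server copy of one token: shared secret + sequence counter (the slide's 'Validate OTP' side)."""

    def __init__(self, serial, secret, digits=6, look_ahead=10):
        self.serial, self.secret, self.digits = serial, secret, digits
        self.look_ahead = look_ahead  # assumed window: token presses made without logging in
        self.counter = 0              # sequence number 0 at assignment (page 13, step 2)

    def verify(self, otp):
        """Accept if otp matches counter..counter+look_ahead, then move the counter past it."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1  # the used value (and any skipped ones) can never be replayed
                return True
        return False

    def resync(self, otp1, otp2, window=1000):
        """Help-desk resync (page 13, step 3): two consecutive OTPs locate the token's counter."""
        for c in range(self.counter, self.counter + window):
            if (hmac.compare_digest(hotp(self.secret, c, self.digits), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1, self.digits), otp2)):
                self.counter = c + 2
                return True
        return False


def import_key_file(text):
    """Parse the supplier's 'Serial# Key' file (page 13, step 1); keys assumed hex-encoded."""
    tokens = {}
    for line in text.splitlines():
        if line.strip() and not line.lower().startswith("serial"):
            serial, key_hex = line.split()
            tokens[serial] = TokenEntry(serial, bytes.fromhex(key_hex))
    return tokens


def split_password_field(field, digits=6):
    """Page 14, step 4: the RADIUS password field carries the static password with the OTP appended."""
    if len(field) <= digits or not field[-digits:].isdigit():
        raise ValueError("no OTP appended")
    return field[:-digits], field[-digits:]


class AaaServer:
    """Minimal stand-in for the AAA server's user entries; passwords kept in clear only for the demo."""

    def __init__(self, tokens):
        self.tokens, self.users = tokens, {}

    def assign(self, username, password, serial):
        self.users[username] = {"password": password, "serial": serial, "locked": False}

    def deactivate(self, username):
        # Page 13, step 4: lock the user entry; the token keeps its counter and can be reassigned
        self.users[username]["locked"] = True

    def authenticate(self, username, field):
        user = self.users.get(username)
        if user is None or user["locked"]:
            return False
        try:
            password, otp = split_password_field(field)
        except ValueError:
            return False
        if not hmac.compare_digest(password, user["password"]):
            return False  # reject before the counter is touched, so a bad password burns no OTPs
        return self.tokens[user["serial"]].verify(otp)


# Constructed key file; A123 carries the RFC 4226 test secret "12345678901234567890".
KEY_FILE = """Serial#  Key
A123     3132333435363738393031323334353637383930
A124     00112233445566778899aabbccddeeff00112233
"""


def demo():
    """Walk one token through assignment, login, replay, a skipped value, deactivation, reassignment."""
    server = AaaServer(import_key_file(KEY_FILE))
    server.assign("alice", "s3cret", "A123")
    out = {
        "first": server.authenticate("alice", "s3cret755224"),   # counter 0
        "replay": server.authenticate("alice", "s3cret755224"),  # consumed: rejected
        "skip": server.authenticate("alice", "s3cret969429"),    # counter 3, inside look-ahead
        "stale": server.authenticate("alice", "s3cret287082"),   # counter 1, now behind
        "badpw": server.authenticate("alice", "wrong338314"),    # wrong password, counter untouched
        "after_badpw": server.authenticate("alice", "s3cret338314"),  # counter 4 still valid
    }
    server.deactivate("alice")
    out["deactivated"] = server.authenticate("alice", "s3cret254676")
    server.assign("bob", "pa55", "A123")                         # same token, counter carries on at 5
    out["reassigned"] = server.authenticate("bob", "pa55254676")
    return out
```

The look-ahead window is what makes an event-based token usable in practice: every button press advances the device's counter whether or not a login follows, so the server must search a few values forward, and a token that drifts beyond the window needs the help-desk resync shown above rather than a reset to 0. Advancing the stored counter past the matched value is the replay defence; a consumed OTP, or any value the window skipped over, is never accepted again. When a token is reassigned after deactivation, the server keeps the token's current counter rather than reassigning sequence number 0, because the physical device has already moved on.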

Page 18: 55752538 Two Factor Authentication


THANK YOU