the wikid strong authentication systems overview
DESCRIPTION
A high-level overview of the WiKID Strong Authentication System, a dual-source, software-based, two-factor authentication solution. WiKID uses public-key cryptography unlike most token systems and is therefore a secure, extensible replacement for hardware tokens.TRANSCRIPT
WiKID Systems, Inc.
Nick Owen
1375 Peachtree StSuite 600
Atlanta, GA. 30309404-962-8983
WiKID Authentication System• Unique two-factor authentication system with
no hardware and no reader
• Significantly reduces authentication costs while increasing security
• Centralized control of enterprise authentication – even across the supply chain to vendors/consultants!
• Automated initial validation – end-user self-service – easy to implement and maintain
• Capable of session, host and transaction authentication
Lower cost
Ease of Use
Secure
Extensible
WiKID Key Differentiators• Powerful Network Client API extends functionality
– Set up users via trusted AD credentials
– Extensible to across enterprises
– Unique Service-oriented API capabilities
• Multi-platform Token client support
– Blackberry, J2ME, Mac, Linux. Windows, PocketPC
– Embeddable into 3rd party software
– No client hardware required
– Multi-domain capable – Secure cross-enterprise
authentication
WiKID Architecture
Public key
Public Key
1. User Enters 12 digit code, sends Public Key
1.2. WiKID server sends
configuration file and its Public Key2.
3.
Simple Initial Validation of Users
3. User creates PIN
4. Server sends registration code awaits validation
Completed in less than 15 seconds
4.
5. User logs in using trusted credentials
User enters registration code
6. Registration code sent to server and associated with
key pair exchange5.
6.
If the Registration code is received from a trusted Network Client and matches the expected value, the device is automatically validated.
Secret key
Public Key Certificates
1. User selects domain & enters PIN.
2. WiKID server decrypts PIN with Public Key and verifies. Returns
Passcode.
Internet
Internet
3. User enters Username and Passcode.
Typical Usage
4. Application requests verification.
5. WiKID Server Verifies Code.
6. User granted access.Average connection time of 4 seconds
Secret key
Public Key Certificates
1. User selects domain & enters PIN.
2. WiKID server decrypts PIN with Public Key and verifies. Returns
Passcode.
5. User enters Username and Passcode.
Mutual Authentication
6. Banking Application requests verification.
7. WiKID Server Verifies Code.
8. User granted access.Average connection time of 4 seconds
3. Token client fetches and hashes SSL cert and
compares
4. OTP and validated URL presented to user. Default browser launched to site.
Your Enterprise
Vendor
Your Employees
Application
You control user enrollment & provisioning
Vendors use WiKID SSL objects for web-enabled apps
If an employee leaves, disable their account
If you switch vendors, invalidate their certificate
Each vendor has their own Domain and Certificate from your server
No hardware to distribute to non-employees
Vendors/Contractor employees
Application
Simple Cross Enterprise Strong Authentication
Network Clients• Languages
– C# dll, Java Component, PHP, Ruby, Python
• Implementations
– Radius, LDAP, Plone, TACACS+
Benefits
• Reduces costs while increasing security• Security professionals work on security, not logistics• Simple to implement and maintain• Extensible platform for the future – for e-commerce,
supply chain, partners, independent contractors• The only strong authentication system capable of
handling session, host/mutual and transaction authentication in a cryptographically secure manner
Security Features• Request-response architecture: passcodes generated
only upon receipt of valid request• Server-side Java – inherent security features• Strong 1024-bit RSA equivalent asymmetric
encryption of all transactions• Certificate chaining for server-to-server authentication• Server-side PIN storage; Simple user disablement• PIN length, time outs, PIN and passcode attempts all
Admin configurable• Mutual Authentication for HTTPS • Use a separate domain for transaction signing
Administration Features
• Web-based server management
• RADIUS, LDAP and SSL-based API via Java Bean & COM object
• Support now for all major platforms: J2ME, Blackberry, Palm, PocketPC, PC, J2SE (for Mac and Linux)
• Replication for fault-tolerance• Initial validation via NT/AD credentials (scripts provided)
Secret key
Public Key Certificates
1. User selects reset domain & enters PIN.
2. WiKID server decrypts PIN with public key and verifies. Returns
Passcode.
Internet
Internet
3. WiKID Server pushes passcode to PDC as new password, flags for reset.
LAN Password Reset
4. User logs in with username and passcode.
5. User granted access, prompted to change password.
Layered Authentication
User/Session Authentication
Host/Mutual Authentication
Transaction Authentication/Signing
A Cryptographically Secure Approach
Layered Authentication
Thanks!
Nick Owen
http://www.wikidsystems.com
404-879-5227
For additional information, please contact: