Chris Russell, Product Manager


22 Feb 2014 (3 years and 4 months ago)


Tokenless Multi-Factor Authentication



Swivel Secure Ltd…

…company background

Company Background

Established in 2000

A member of the MARR T&T Group

Offices: UK, USA, China, Australia

Channel: UK, Europe, USA, China, Australia, Singapore, Malaysia, India

Patented IP world wide

UK-based software development team

Specialists in two-factor authentication technology

Target sectors

B2B remote network access (VPN)

B2C scalable secure online service access


The threats…

…and why it will get worse

We are all at Risk

UK Internet-related fraud is estimated to cost businesses many £M’s per annum

Identity theft is one of the fastest growing crimes in Europe and worldwide

Increase in use of IT and the demand for instant anywhere, anytime access is fueling the development of a class of professional cyber-terrorists

Every end-point device is a potential security leak

In the US during April there were over 1100 reported phishing attacks, with banks and financial services companies the prime target

Gartner estimates that 20% of all Internet users have been victims of some form of online fraud.

Threats to Online Banking

“100,000 computers a week are being compromised by viruses designed to capture bank account details and credit card information”

Steve Linford, Spamhaus (Computing, 18th Nov 2004)

“Online banks, retailers and governments can reduce online identity theft by better communication, introducing two-factor authentication and educating consumers about new threats”

Howard Schmidt, CSO eBay

Cyber-Terrorism

It’s a BIG problem and it is growing

Remote Access…

…its proliferation

Remote Access

Advances in network technology and communications mean that remote workers can be just as “present” as their co-workers in the office

In Western Europe IDC predicts that the number of mobile workers will triple to around 20 million in 2005

A key driver behind the development is the emergence of SSL VPN technologies.

Access to corporate resources from any browser, anywhere, is simple, fast and cheap…

Anytime, anywhere access to corporate network/extranet via any Web browser

Most VPN appliances require a username & password to authenticate the person wishing to access the system

UNP (username and password) systems are highly vulnerable to the whole range of cyber threats and cannot be trusted in any serious security system

Two-factor is becoming regarded as the de facto authentication standard

Multi-factor Authentication…

…explained

1st Factor: Something you know (PIN or Password)

2nd Factor: Something you have (a token; mobile phone)

Two-factor Authentication…

3rd Factor: Something you are (biometric: retina scan / fingerprint)

4th Factor: Something you use (the device through which you are authenticating)

And Three- and Four-factor

The PINsafe protocol…

… how it works

PINsafe Protocol

Variable length PIN issued to each user: 4 to 10 digits

Can be used with a password or to replace password

Randomly generated 10-digit security string

Delivered to a mobile device or browser

A new one-time code (OTC) for each authentication attempt

Cannot be re-used if intercepted

PIN is NEVER entered as part of authentication

PINsafe Protocol: worked example

PIN: 2 4 6 8

Security String: 5 1 7 3 9 2 0 6 4 8

Each PIN digit selects the digit at that position of the security string, so the PIN acts as a mask:

PIN digit 2 selects the 2nd digit of the string: 1

PIN digit 4 selects the 4th digit of the string: 3

PIN digit 6 selects the 6th digit of the string: 2

PIN digit 8 selects the 8th digit of the string: 6

One-Time Code (OTC): 1 3 2 6

Only the OTC is typed in; the PIN itself never leaves the user’s head, and the next authentication attempt uses a fresh security string.
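The extraction step described above, as an added Python example (not Swivel’s code). It assumes that PIN digit n selects the n-th digit of the security string counting from 1 and that the digit 0 selects the 10th, which the slides do not state; the verifier side is also modelled to show why a captured OTC cannot be replayed.

```python
"""PINsafe-style OTC extraction: added example, not Swivel's code.

Models the slide example (PIN 2 4 6 8, string 5 1 7 3 9 2 0 6 4 8, OTC 1 3 2 6).
Assumption not stated on the slides: a PIN digit n selects the n-th digit of
the string (1-based) and the digit 0 selects the 10th.
"""
import hmac
import secrets


def extract_otc(pin: str, security_string: str) -> str:
    """Client side: use the PIN as a mask over the security string."""
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 10 digits")
    # PIN digit n -> position n (1-based); 0 -> position 10 (assumed).
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


def new_security_string() -> str:
    """Server side: a fresh random string of the digits 0-9 for every attempt.

    The slide example is a permutation of 0-9, so this shuffles (assumed)."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


class PinsafeVerifier:
    """Minimal server model: knows the user's PIN and the last string issued."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._issued = None  # security string currently valid, or None

    def issue_string(self) -> str:
        """Deliver a new security string (by SMS, MIDlet or TURing image)."""
        self._issued = new_security_string()
        return self._issued

    def verify(self, otc: str) -> bool:
        """Check an OTC; every attempt consumes the string, so a replay fails."""
        if self._issued is None:
            return False
        expected = extract_otc(self._pin, self._issued)
        self._issued = None
        return hmac.compare_digest(expected, otc)
```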

The Interfaces…

… SMS Text Option

First Security String delivered as an SMS message upon user registration

One-Time Code (OTC) manually extracted using PIN as a mask

SMS refresh after each authentication attempt

SMS Inbox override

PINsafe SMS Option

The mobile phone as a token:


Select inbox from phone message menu


Select Swivel Message


Retrieve one-time code and type into browser

PINsafe SMS Option


Dual channel increases protection of credential from spyware

Security string sent via GSM, CDMA/TDMA, SMTP or GPRS network

Manually extracted OTC returned via second channel

Device neutral: works on GSM-enabled PDA/Blackberry

No mobile service necessary at end point during authentication

SMS notification if someone is trying to log on as the user

PINsafe SMS Option: Dual Channel, with added protection against “loss of token”

The Interfaces…

… J2ME Option

User enters PIN onto device

Automatic OTC extraction from keyboard input

Registration and Security String top-up through GPRS connection

J2ME MIDlet: Automatic OTC extraction

Select ‘Login’ from menu

Select ‘Get One-Time Code’ and enter PIN

Retrieve one-time code & type into Browser

Minimal Running Costs: no SMS costs; minimal GPRS costs

Cache of security strings means it can be used when out of coverage

Token-like user experience without dedicated token

The Interfaces…

… TURing

TURing: Single Channel

Unique user interface (TURing)

Used as internal or failsafe backup

Randomly generated GIF

Irregular font and patterned backgrounds

Immune from OCR software

PIN is never typed during authentication process

Can be integrated into login pages or delivered separately

Choice of cases and character sets

Random backgrounds & fonts

Customizable

Generated by XML file

Customizable Interfaces: adding protection against loggers

Windows GINA

A PINsafe GINA has been developed so that PINsafe can be used for logging into PCs running Windows

The PINsafe Server takes control of the user’s normal Windows password, providing improved security and an improved user experience

Users are able to log into Windows using just their PINsafe credentials via any of the PINsafe Interfaces

Integration Options…

Users

PINsafe has been extended to use Active Directory as the User Repository

All user attributes are stored and managed through the normal repository tools

Alternatively PINsafe’s inbuilt repository can be used.

PINsafe’s flexible architecture allows easy integration of other user databases


Web Applications

PINsafe can be integrated to web-based applications via its Agent-XML API

Easy to use XML-based API

Compatible with .NET, J2EE, etc.

Ready-built IIS and ISA filters already exist

Remote Access

PINsafe can act as a RADIUS server for VPN authentications

Easy “standard integration”

VPN + PINsafe provides a highly secure remote access solution

Can provide seamless PINsafe and VPN integration

Version 3.1…

… Technology Highlights

Open Architecture (diagram labels): PINsafe; Agent XML, Radius; Web, VPN; User, Transport; User Database, Transport Infrastructure; Third-Party / Other Authentication

Third Party Authentication

Allows PINsafe to be easily combined with other authentication platforms

Biometric, e.g. finger printing

Hardware Authentication, e.g. Positive ID

Build

Built on a standard Servlet Container

Compatible with Solaris, Linux, Windows

Can be supplied as software only, to conform to end-user IT policies

Or as an appliance (Dell / hardened Red Hat Linux)

Available in a highly available configuration

Other Features

Full logging

Easy to use admin console

All interfaces available: SMS, TURing and MIDlet options available for every installation

Different options can be made available to different users

User self-care to reduce admin costs, e.g. self-unlock, PIN change

Summary

Easy to deploy


Cost-effective alternative to traditional authentication solutions


Flexible authentication options


Architecture allows for easy integration


Scalable, Resilient solution

Questions?…