Tokenless Multi-Factor Authentication Chris Russell, Product Manager
Swivel Secure Ltd… …company background
Company Background
• Established in 2000
• A member of the MARR T&T Group
• Offices: UK, USA, China, Australia
• Channel: UK, Europe, USA, China, Australia, Singapore, Malaysia, India
• Patented IP worldwide
• UK-based software development team
• Specialists in two-factor authentication technology
• Target sectors:
  • B2B remote network access (VPN)
  • B2C scalable secure online service access
The threats… …and why it will get worse
We are all at Risk
• UK Internet-related fraud is estimated to cost businesses many millions of pounds per annum
• Identity theft is one of the fastest growing crimes in Europe and worldwide
• The increasing use of IT and the demand for instant anywhere, anytime access are fuelling the development of a class of professional cyber-terrorists
• Every end-point device is a potential security leak
• In the US during April there were over 1100 reported phishing attacks, with banks and financial services companies the prime target
• Gartner estimates that 20% of all Internet users have been victims of some form of online fraud
Threats to Online Banking
“100,000 computers a week are being compromised by viruses designed to capture bank account details and credit card information”
Steve Linford, Spamhaus (Computing, 18th Nov 2004)
“Online banks, retailers and governments can reduce online identity theft by better communication, introducing two-factor authentication and educating consumers about new threats”
Howard Schmidt, CSO, eBay
Cyber-Terrorism: it’s a BIG problem and it is growing
Remote Access… …its proliferation
Remote Access
• Advances in network technology and communications mean that remote workers can be just as “present” as their co-workers in the office
• In Western Europe IDC predicts that the number of mobile workers will triple to around 20 million in 2005
• A key driver behind this development is the emergence of SSL VPN technologies
• Access to corporate resources from any browser, anywhere, is simple, fast and cheap…
Remote Access
• Anytime, anywhere access to the corporate network/extranet via any Web browser
• Most VPN appliances require only a username and password to authenticate the person wishing to access the system
• Username-and-password (UNP) systems are highly vulnerable to the whole range of cyber threats and cannot be trusted in any serious security system
• Two-factor authentication is becoming regarded as the de facto standard
Multi-factor Authentication… …explained
Two-factor Authentication… and Three- and Four-factor
• 1st factor: something you know (PIN or password)
• 2nd factor: something you have (a token; a mobile phone)
• 3rd factor: something you are (biometric: retina scan, fingerprint)
• 4th factor: something you use (the device through which you are authenticating)
The PINsafe protocol… … how it works
PINsafe Protocol
• Variable-length PIN issued to each user (4 – 10 digits)
• Can be used with a password or to replace the password
• Randomly generated 10-digit security string, delivered to a mobile device or browser
• A new one-time code (OTC) for each authentication attempt; cannot be re-used if intercepted
• The PIN is NEVER entered as part of authentication
PINsafe Protocol: worked example
PIN: 2 4 6 8
Security string: 5 1 7 3 9 2 0 6 4 8 (positions 1 – 10)
Each PIN digit selects the digit at that position in the security string:
• position 2 → 1
• position 4 → 3
• position 6 → 2
• position 8 → 6
One-Time Code (OTC): 1 3 2 6
The Interfaces… … SMS Text Option
PINsafe SMS Option
• First security string delivered as an SMS message upon user registration
• One-time code (OTC) manually extracted using the PIN as a mask
• SMS refresh after each authentication attempt
• SMS inbox override
PINsafe SMS Option: the mobile phone as a token
• Select inbox from the phone message menu
• Select the Swivel message
• Retrieve the one-time code and type it into the browser
PINsafe SMS Option
• Dual channel increases protection of the credential from spyware: the security string arrives on the phone, and only the extracted OTC passes through the browser session
• Security string sent via GSM, CDMA/TDMA, SMTP or GPRS network
• Manually extracted OTC returned via the second channel
• Device neutral: works on GSM-enabled PDA/BlackBerry
• No mobile service necessary at the end point during authentication
• SMS notification if someone is trying to log on as the user
PINsafe SMS Option: dual channel, with added protection against “loss of token”
The Interfaces… … J2ME Option
J2ME MIDlet
• User enters the PIN on the device
• Automatic OTC extraction from keyboard input
• Registration and security string top-up through a GPRS connection
J2ME MIDlet: automatic OTC extraction
• Select ‘Login’ from the menu
• Select ‘Get One-Time Code’ and enter the PIN
• Retrieve the one-time code and type it into the browser
• Minimal running costs: no SMS costs, minimal GPRS costs
• Cache of security strings means it can be used when out of coverage
• Token-like user experience, without a dedicated token
The Interfaces… TURing
Single Channel
• Unique user interface (TURing)
• Used as an internal or failsafe backup
• Randomly generated GIF with irregular fonts and patterned backgrounds, designed to resist OCR software
• PIN is never typed during the authentication process
• Can be integrated into login pages or delivered separately
• Choice of cases and character sets
TURing Interface
• Random backgrounds and fonts
• Customizable; generated from an XML file
Single Channel: customizable interfaces, adding protection against keystroke loggers
Windows GINA
• A PINsafe GINA has been developed so that PINsafe can be used for logging into PCs running Windows
• The PINsafe server takes control of the user’s normal Windows password, providing improved security and an improved user experience
• Users are able to log into Windows using just their PINsafe credentials via any of the PINsafe interfaces
Integration Options.. Users
Users
• PINsafe has been extended to use Active Directory as the user repository
• All user attributes are stored and managed through the normal repository tools
• Alternatively, PINsafe’s built-in repository can be used
• PINsafe’s flexible architecture allows easy integration of other user databases
Web Applications
• PINsafe can be integrated with web-based applications via its Agent-XML API
• Easy-to-use XML-based API, compatible with .NET, J2EE etc.
• Ready-built IIS and ISA filters already exist
Remote Access
• PINsafe can act as a RADIUS server for VPN authentication
• Easy “standard integration”
• VPN + PINsafe provides a highly secure remote access solution
• Can provide seamless PINsafe and VPN integration
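What the “standard integration” looks like on the wire, as an added example written for this page (not Swivel’s code, and not the internals of any particular VPN appliance): the VPN appliance acts as a RADIUS client and sends an Access-Request carrying the username and the one-time code in the User-Password attribute; the PINsafe server answers Access-Accept or Access-Reject. The User-Password hiding and the response authenticator follow RFC 2865; the shared secret, the user name and the `verify` callback are constructed for the example. Only the OTC crosses the link, never the PIN.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the request authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict[int, bytes]:
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, secret: bytes, username: str, otc: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """RADIUS client (the VPN appliance): username + OTC in an Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_user_password(otc.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def handle_access_request(packet: bytes, secret: bytes,
                          verify: Callable[[str, str], bool]) -> bytes:
    """RADIUS server (PINsafe side): recover username/OTC, consult `verify`, and
    answer with a response whose authenticator binds it to this request."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:HEADER_LEN]
    try:
        attrs = parse_attributes(packet[HEADER_LEN:length])
        username = attrs[ATTR_USER_NAME].decode()
        otc = reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth).decode()
        ok = verify(username, otc)
    except (KeyError, ValueError, UnicodeDecodeError):
        ok = False  # a wrong shared secret yields garbage, which fails here
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, HEADER_LEN)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: identifier matches and the server proved it knows the secret."""
    if len(response) < HEADER_LEN:
        return False
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed for the example
    req = build_access_request(7, SECRET, "alice", "1326")
    resp = handle_access_request(req, SECRET, lambda user, otc: user == "alice" and otc == "1326")
    print(resp[0] == ACCESS_ACCEPT, response_is_authentic(resp, req, SECRET))
```

In a real deployment the appliance’s built-in RADIUS client (UDP port 1812) does the client half; the point of the example is that the OTC is what the VPN forwards, and that the server’s reply is only meaningful if its authenticator checks out under the shared secret. RFC 2865’s password hiding is an MD5-based construction rather than modern authenticated encryption, so the RADIUS leg still belongs on a trusted network segment or inside a tunnel.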
Version 3.1… … Technology Highlights
Open Architecture (diagram): Web, VPN and other clients connect through the Agent-XML and RADIUS interfaces to PINsafe, which in turn draws on a user database, third-party authentication and the transport infrastructure used to deliver security strings.
Third Party Authentication
• Allows PINsafe to be easily combined with other authentication platforms
• Biometric, e.g. fingerprinting
• Hardware authentication, e.g. Positive ID
Build
• Built on a standard servlet container
• Compatible with Solaris, Linux, Windows
• Can be supplied as software only, to conform to end-user IT policies, or as an appliance (Dell / hardened Red Hat Linux)
• Available in a highly available configuration
Other Features
• Full logging
• Easy-to-use admin console
• All interfaces (SMS, TURing and MIDlet options) available for every installation; different options can be made available to different users
• User self-care to reduce admin costs, e.g. self-unlock, PIN change
Summary
• Easy to deploy
• Cost-effective alternative to traditional authentication solutions
• Flexible authentication options
• Architecture allows for easy integration
• Scalable, resilient solution