1 / 46

Tokenless Multi-Factor Authentication

Tokenless Multi-Factor Authentication. Chris Russell, Product Manager. Swivel Secure Ltd…. …company background. Company Background. Established in 2000 A member of the MARR T&T Group Offices: UK, USA, China, Australia Channel: -

moswen
Download Presentation

Tokenless Multi-Factor Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Tokenless Multi-Factor Authentication Chris Russell, Product Manager

  2. Swivel Secure Ltd… …company background

  3. Company Background • Established in 2000 • A member of the MARR T&T Group • Offices: • UK, USA, China, Australia • Channel: - • UK, Europe, USA, China, Australia, Singapore, Malaysia, India • Patented IP world wide • UK-based software development team • Specialists in two-factor authentication technology • Target sectors • B2B remote network access (VPN) • B2C Scalable secure online service access

  4. The threats… …and why it will get worse

  5. We are all at Risk • UK Internet related fraud is estimated to cost businesses many £M’s per annum • Identity theft is one of the fastest growing crimes in Europe • and worldwide • Increase in use of IT and the demand for instant anywhere, anytime access is fueling the development of a class of professional cyber-terrorists • Every end-point device is a potential security leak • In the US during April there were over 1100 reported phishing attacks, with banks and financial services companies the prime target • Gartner estimates that 20% of all Internet users have been victims of some form of online fraud.

  6. Threats to Online Banking “100,000 computers a week are being compromised by viruses designed to capture bank account details and credit card information” Steve Linford Spamhaus Computers Computing 18th Nov 2004

  7. “Online banks, retailers and governments can reduce online identity theft by better communication, introducing two-factor authentication and educating consumers about new threats” Howard Schmidt CSO eBay

  8. Cyber-Terrorism It’s a BIGproblem and it is growing

  9. Remote Access… …its proliferation

  10. Remote Access • Advances in network technology and communications means that remote workers can be just as “present” as their co-workers in the office • In Western Europe IDC predicts that the number of mobile workers will triple to around 20 million in 2005 • A key driver behind the development is the emergence in SSL VPN technologies. • Access to corporate resources from any browser, anywhere, is simple, fast and cheap…..

  11. Remote Access • Anytime, anywhere access to corporate network/extranet via any Web browser • Most VPN appliances require a username & password to authenticate the person wishing to access the system • UNP systems are highly vulnerable to the whole range of cyber threats and cannot be trusted in any serious security system • Two-factor is becoming regarded as the de facto authentication standard

  12. Multi-factor Authentication… …explained

  13. Two-factor Authentication… And Three- and Four-factor • 1st Factor • Something you know – PIN or Password • 2nd Factor • Something you have – a token; mobile phone • 3rd Factor • Something you are – biometric (retina scan / fingerprint) • 4th Factor • Something you use – the device through which you are authenticating

  14. The PINsafe protocol… … how it works

  15. PINsafe Protocol • Variable length PIN issued to each user • 4 – 10 digits • Can be used with a password or to replace password • Randomly generated 10-digit security string • Delivered to a mobile device or browser • A new one-time code (OTC) for each authentication attempt • Cannot be re-used if intercepted • PIN is NEVER entered as part of authentication

  16. PINsafe Protocol PIN 2 4 6 8

  17. PINsafe Protocol PIN 2 4 6 8 Security String 5 1 7 3 9 2 0 6 4 8

  18. PINsafe Protocol PIN 24 6 8 Security String 5 1 7 3 9 2 0 6 4 8 One-Time Code (OTC) 1

  19. PINsafe Protocol PIN 2 46 8 Security String 5 1 739 2 0 6 4 8 One-Time Code (OTC) 1 3

  20. PINsafe Protocol PIN 2 46 8 Security String 5 1 7 3 920 6 4 8 One-Time Code (OTC) 1 32

  21. PINsafe Protocol PIN 2 4 68 Security String 5 1 7 3 9 2 064 8 One-Time Code (OTC) 1 3 26

  22. PINsafe Protocol PIN 2 4 6 8 Security String 5 1 7 3 9 2 0 6 4 8 One-Time Code (OTC) 1 3 2 6

  23. The Interfaces… … SMS Text Option

  24. PINsafe SMS Option • First Security String delivered as an SMS message upon user registration • One-Time Code (OTC) manually extracted using PIN as a mask • SMS refresh after each authentication attempt • SMS Inbox override

  25. PINsafe SMS Option • The mobile phone as a token: • Select inbox from phone message menu • Select Swivel Message • Retrieve one-time code and type into browser

  26. PINsafe SMS Option • Dual channel increases protection of credential from spyware • Security string sent via GSM, CDMA/TDMA, SMTP or GPRS network • Manually extracted OTC returned via second channel • Device neutral – works on GSM-enabled PDA/Blackberry • No mobile service necessary at end point during authentication • SMS notification if someone trying to logon as user

  27. PINsafe SMS Option • Dual Channel • With added protection against “loss of token”

  28. The Interfaces… … J2ME Option

  29. J2ME MIDlet • User enters PIN onto device • Automatic OTC extraction from keyboard input • Registration and Security String top up through GPRS connection

  30. J2ME MIDlet • Automatic OTC extraction • Select ‘Login’ from menu • Select ‘Get One-Time Code’ and enter PIN • Retrieve one-time code & type into Browser • Minimal Running Costs • No SMS costs • Minimal GPRS costs • Cache of security strings means can be used when out of coverage • Token-like user experience • Without dedicated token

  31. The Interfaces… TURing

  32. Single Channel • Unique user interface (TURing) • Used as internal or failsafe backup • Randomly generated GIF • Irregular font and patterned backgrounds • Immune from OCR software • PIN is never typed during authentication process • Can be integrated into login pages or delivered separately • Choice of cases and character sets

  33. TURing Interface • Random backgrounds & fonts • Customizable • Generated by XML file

  34. Single Channel • Customizable Interfaces • Adding protection against loggers

  35. Windows GINA • A PINsafe GINA has been developed so that PINsafe can be used for logging into PCs running Windows • The PINsafe Server takes control of the user’s normal Windows password providing improved security and an improved user experience • Users are able to log into Windows using just their PINsafe credentials via any of the PINsafe Interfaces

  36. Integration Options.. Users

  37. Users • PINsafe has been extended to use Active Directory as the User Repository • All user attributes are stored and managed through the normal repository tools • Alternatively PINsafe’s inbuilt repository can be used. • PINSafe’s flexible architecture allows easy integration of other user databases

  38. Web Applications • PINsafe can be integrated to web-based applications via its Agent-XML API • Easy to use XML-based API • Compatible with .net, J2ee etc etc • Ready built IIS, ISA filters already exist

  39. Remote Access • PINsafe can act as a Radius Server for VPN authentications • Easy “standard integration” • VPN+Pinsafe provides highly secure remote access solution • Can provide seamless PINsafe and VPN integation +

  40. Version 3.1… … Technology Highlights

  41. Open Architecture Web VPN Other Authentication Third-Party Agent XML Radius PINsafe User User Database Transport Transport Infrastructure

  42. Third Party Authentication • Allows PINsafe to be easily combined with other authentication platforms • Biometric eg Finger Printing • Hardware Authentication eg Positive ID

  43. Build • Build on standard Servlet Container • Compatible with Solaris, Linux, Windows • Can be supplied as software only, to conform to end-user IT policies • Or as an appliance (DELL/ Hardened Red Hat LINUX) • Available as Highly Available configuration

  44. Other Features • Full logging • Easy to use admin console • All interfaces available, SMS, Turing and Midlet options available for every installation • Different options can be made available to different users • User self-care to reduce admin costs • Eg self unlock, PINchange etc

  45. Summary • Easy to deploy • Cost-effective alternative to traditional authentication solutions • Flexible authentication options • Architecture allows for easy integration • Scalable, Resilient solution

  46. Questions?…

More Related