Slashdot Mirror
Two Factor Authentication Systems?
HerculesMO asks: "I've been given a project to undertake that involves setting our internal network systems up to have two factor authentication. I need suggestions to take in front of our CIO that shows how the security model works, cost vs benefit/features, and the different options. At this point, the name brand is RSA and I'm pressed to find any others even though I've done looking around. We are open to biometric tokens as well, because they may be used for digital certificate signing for e-mails. Sadly, it has to integrate with our Windows 2003 Active Directory set up... it's not Linux, but I figure Slashdot readers can come up with lots of Linux security tokens that will work under Windows too, so please have at it! :)"
RFQ to vendors. Let the CIO compare the proposal. Don't do his job. He's not cutting you a slice of his salary.
/. is what to put in the RFQ together.
What you might ask
But you know your system and requirements best.
"Piter, too, is dead."
My corp just switched to a two-factor auth. Previously, things were based on the cisco VPN where the client had to have a certificate (but not an individual-per-client certificate). We then had to log in with our domain login and password.
Now we have switched to cisco VPN plus RSA software token. This is not any better. Now we have a certificate, rsa token, and then we enter a pin number, as short as 4 digits.
This has not improved security one bit, it has actually weakened it. If a laptop is stolen, the "piece you have" went with it. The software token doesn't provide any security over the vpn certificate. Then, the "piece you know", the PIN, is significantly weaker than the old piece you had to know, the domain password (which was a real password with moderately strict rules on complexity).
The whole thing is a counterproductive wankfest. Perhaps you can do it better, but this should be an example of what not to do.
-molo
Using your sig line to advertise for friends is lame.
You've got a couple choices if you want a token-based dual factor authentication scheme. Of course, there's RSA's SecurID that you already know about. There's also CryptoCard, which IIRC can emulate some of the RSA tokens, and has its own scheme.
Now, what's nice about SecurID is AFAIR it's the only token that does *time*-based auth (ie, the displayed number sequences change constantly as a function of elapsed time). However, there's a really ugly problem with their auth servers that we accidentally discovered trying to set up a replicated server for failover purposes. To wit: the servers only sync based on a timed (as opposed to event-based) schedule. So, in the normal course of events, you can sometimes reuse the same token (# stream on the hardware device) even though they supposed to be single use. This happens when you attempt to have both servers service requests, and login 1 uses server A to authenticate against, and login 2 ends up using server B to authenticate in a very short period of elapsed time. Server A hasn't had a chance to tell server B yet that it's already seen that particular number sequence, so B happily accepts it.
Now, the devious-minded can see a problem here... You can be sniffing a network connection, get the token, pin, and password from the network ("hey, we have these hardware tokens, why should we ssh/ssl/vpn?" or what annoyed me, "we can't use ssh key authentication, we *must* use password auth with this"), then DoS one of the auth servers, and attempt a login with the same credentials, hoping to get an alternate, not-yet-synced auth server. Bang, you're in (eventually). So much for the whole non-replayable 2-factor authentication thing.
I don't think this problem was ever solved satisfactorially (I've since moved off that contract), but you can "solve" it by only having a single auth server...
Unfortunately, I know a lot less about CryptoCard, since we went with SecurID ourselves and didn't find the warts until later.
Oh, yeah, good thing this is just windowss, as linux was ok, but Digital Unix and Irix were a bitch to get working with SecurID.
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
just encrypt the usernames. now you can leverage your existing authentication to move forward with a two-factor security plan!
http://www.smallbusinesscomputing.com/webmaster/ar ticle.php/3498116
It gives pointers to various offerings, including one-time passwords, hardware tokens, smart cards, and biometrics.
This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.
Secure Computing has what appears to be a very strong competitor to RSA's SecurID. Their SafeWord product is similar to SecurID, but appears to have some advantages. For one, it only generates tokens when you request it to. I believe it's cheaper too. It supports Active Directory. I've not used it, but their demo was impressive. And Secure Computing is a fairly good security company.
Software sucks. Open Source sucks less.
There are several providers of smart cards for use as a second authentication factor. The one I'm most familiar with is ActivCard. Their stuff is reasonably good, and if it helps in your corporate environment IBM Global Services has a team that does a lot of ActivCard integration, so you can get plenty of support from a reliable provider (for a price :-) ).
IMO, smart cards are a better solution than SecurID tokens. They're cheaper, allow your logical authentication token to be the same card you use as an ID badge (and perhaps for door access) and can do a lot more things. They can act as one-time password generators, just like a SecurID (but guarantee non-reusability of the passwords, unlike SecurID, as mentioned by another poster) but they can also:
The major disadvantage of smart cards as compared to SecurID tokens is that smart cards have no display, so you need a smart card reader to use them. This means that, for example, you could use a SecurID to authenticate to a corporate web site from an Internet cafe, whereas you might not be able to attach a smart card reader to some random PC. As a partial solution, handheld, calculator-like smart card readers exist that can retrieve a one-time password from the card and display it on a screen. I say it's a partial solution because carrying two devices is less convenient than one SecurID. The cost of such a device, plus a card, plus a regular PC-attachable card reader all totals to something less than a SecurID token.
Disclaimer: I work for IBM Global Services, in the group that does smart card stuff, including ActivCard integration work, so I have some biases, but I also have a deep knowledge of the industry and, at present, I think the ActivCard product set is the best choice available, overall. Cryptocard has some good stuff as well, but it's not as complete or as mature, especially in the area of enterprise card management (issuance, re-issuance, revocation, etc. all needs to be integrated and automated, complete with automatic key escrow and recovery, etc.). Both ActivCard and Cryptocard support Linux and OS X, though ActivCard's support for Tiger isn't there yet, and Cryptocard's is, mostly. ActivCard also supports Solaris, including SunRay environments. IBM has some nice assets that we use to build customized solutions, but our stuff is focused more on multi-factor biometric authentication for physical security than logical security.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
"Two" means two.
...
"Factor" means factor.
This concludes your intensive six-week training course.
First, two-factor authentication is pretty much two-factor authentication. There are moderate differences in the various forms, but that is usually not the driving factor.
The biggest and most overlooked issue is the requirement for client-side software and drivers. The various OTP solutions (SecurID, etc.) are zero footprint. They can be used from any computer. If portability is as imporant as strong authentication, you should consider an OTP solution.
Smartcards and biometric devices require drivers at a minimum. Most require some type of middleware. This means you will have to manage a software deployment and the devices can only be used from systems that have the software installed.
Smartcards provide crypto, which can be leveraged for SSO, secure mail, etc. but by far, most of these projects succeed or fail based on the ability to actually deploy and use the solution.
As with all other so-called "security" schemes, it comes down to trusting the luser. Unfortunately in today's climate, this seems to be a losing proposition. "Something you have, and something you know" becomes "Something you can lose, and something you can forget."
Combining SSL, username and password together with a simple One Time Password delivered by pager, mobile text (SMS) or even voice mail, gives good two factor authentication. Several companies provide good solutions that are of differing level of complexity to integrate.
Check out this link for more information on one time password authentication. I work for this company so of course I'm biased =) but its the best OTP service I've used. It will integrate fine with your AD or any other LDAP/SQL user source.
http://www.nordicedge.se/produkt_otp.shtml
The major reason why hardware tokens are not so popular in my experience is that people think they are clumsy to lug about everywhere. Even the keychain versions are annoying. Smart cards are great but you need a computer with a smartcard reader.
I think we'll be seeing more and more applications aimed at users mobile phones, for the simple reason that everyone likely to use an online service is also likely to have a mobile phone.
Most people are much more likely to notice a lost or stolen phone, than a lost or stolen token device...
Good Luck in your solution.
The server asks you to hash a string.
You run a program locally (here's some) or incorporate it into your client in which you enter your password and it spits out the 5 digit hash. Tell the server what the hash was, it compares it to what it thinks you should have entered.
All very simple and works just fine over unencrypted links !
plan9 uses it for ftp access
Apache / Firefox also support something similar for HTTP Authentication - your password is md5'd with some salt instead of just being base64'd
that is all
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
one of the largest players, at least in europe, for 2 factor is vasco security (belgium?)
/nc
my bank (SEB in sweden) has been using them for years.
the system is pretty easy to use. you don't need a CS major to work it.
check out PortWise, it will give you one solution for OTP with lots of different authentication channels like Blackberry, Mobile Text, Mobile Token and so on. www.portwise.com
Sadly, it has to integrate with our Windows 2003 Active Directory
Why troll?
I want to delete my account but Slashdot doesn't allow it.
I work for a company called PassGo Technologies. We have a two-factor authentication system called Defender that is fully integrated with Microsoft's Active Directory. All of the administration for the product is performed using the standard "Users and Computers" interface and all of Defender's information is stored in AD. As fas as I am aware, ours is the only two-factor authentication solution to provide this level of integration. Defender can provide strong authentication to VPNs, SSL VPNs, UNIX devices, NASs, firewalls, Microsoft desktops and Citrix products as well as any device that supports RADIUS. We support token types from a large number of manufacturers including Vasco and ActivCard. Contact me if you need any further information: Phone: +44 1460 258317 Email: pcooke@passgo.com Web: http://www.defender5.com/
The second piece is simple - this is your password, just as it always has been. The second piece is not as simple, but not as hard as you think.
First, determine (or guesstimate) the average number of logins a user will do in a day to your system (whatever it is). Let's suppose it is three times a day (that may be a ridiculously low number, I know). Take that number, and multiply it by the number of days that you want to allow the use of "something you have" - let's say 30 days (or approximately 1 month). So, there you have 90 unique instances. Multiple that number by something I will call the "secure factor" - that is, the number of "somethings I have, to type in" - let's say in this case "4", for a total of 360. Take the square root of that and round up to the nearest whole number (in this case, 19), square it again to get your "number of values" - or in this case, 361.
Now, have your system generate 361 keyboard typeable characters and store them as a string in the user's login profile. Present this list to the user as a grid of numbers (in this case, a grid 19x19), marked off along the X-axis by letters, and the Y-axis by numbers. For a website this system would be VERY easy to implement.
When the user updates their password (which expires each month), they get a new grid of numbers to print out and keep with them. When the user logs in, the system presents a challenge to them for them to type in as part of thier login procedure - in our case, 4 "secure factors", like "A7 D9 A18 E10" - and they would have to type those characters from their grid into the provided area. The system would then take this, check it against what it has stored in the user's login profile, and if those numbers match, the login matches, and the password matches, the user is allowed access. Those numbers used are "marked off" as used in the user's profile, and a different set is picked on the next login. When all sets are used up, the user is prompted to change their password, thus generating a new set for the user as well (with instructions to throw away the old set). This system should allow for 3 logins a day for 30 days, or a shorter combo which expire quicker because you run out of values (longer combos will expire on the password expiration).
Thus, essentially, the "what you have" becomes a grid one-time-pad, generated when the password for the user is updated. For this system to be truely secure, the grid should be delivered over a secure channel (in the case of a web server, SSL) when it is generated. Other issues to think about is what to do if someone is trying to guess the one-time pad (maybe they have a scrap of it?) - maybe flag the account on a wrong attempt and have the user update the password? You would also need to think about what to do if the user has lost the pad.
All in all, this solution or something similar could be pretty robust, fairly compact (if you make the printed OTP compact), and portable across all systems. Plus, it is fairly easy and cheap to implement (and train for). However, as I cautioned in the start, it is probably a patented method, but I think such a system is so obvious I wouldn't be surprised if there existed a PEAR (PHP) or CPAN (Perl) module for it...
Reason is the Path to God - Anon
AC, can you (or anyone else?) please elaborate on why this is insecure? I am not a cryptologist, so I don't take offence at your observation, but I would like a more in-depth explanation...
Reason is the Path to God - Anon
Dogbert Consulting Services
We secure your cash so you don't have to
Did you consider WiKID Systems?
/ ) and closed source (http://www.wikid.com/ versions. Closed source supports wireless devices such as Blackberries, Palm, PocketPC J2ME. Unlike certs, there is no need to manage white & black lists (CRL) etc. Unlike RSA soft tokens, the PIN is stored on the server and communication between the token and the server is encrypted asymmetrically. If the token is stolen, the PIN must be checked at the server allowing lock-out after an admin set number of attempts. Open sourced plugins are available for PHP, Java, COM/IIS, Citrix, C++, SugarCRM, etc. with more on the way. Token roll out can be completely automated via ASP scripts using trusted LAN credentials.
e .
Available in both open (https://sourceforge.net/projects/wikid-twofactor
In terms of evaluating based on financial, relative security and operations issues you might want to read this, which I wrote for WiKID: http://www.securitydocs.com/library/3048. A cleaner costs analysis between a hardware tokens such as RSA and WiKID is here: http://www.wikidsystems.com/features/lessexpensiv
tokenrevolt.com
You should try TeleAuth. It has an easy to use API, PAM modules for unix-like OSs, and best of all, is free.
http://teleauth.com/
This thread caught my attention, because I recently started using teleauth for my servers. It is an open spec, has open source client tools, PAM modules and integrates with OpenVPN.
You can also use it within your custom applications with its HTTP/S based API.
I have never used it on Windows, but the site says that this is possible through pGina.
Did I mention that it was free. (We pay for commercial support though).
I have to wonder if you don't mean three-factor authentication. After all, most systems already have two-factor authentication:
- Username
- Password
A system that simply lets walk-up users enter with no regard to who it is uses no authentication (think of a Windows system that boots to the desktop with no password prompt). A system where you have to identify yourself (username) but not verify the identity (password) uses one-factor authentication (think of a Windows system where there's a password prompt, so you have to type in a username, but that user has not been assigned a password). After all, you can say "If someone comes along and says his name is Sam, let him in the building. But don't let anybody named Joe in." Or, you can say "Let Joe in only if he says the secret code, and let Sam in only if his eyes are orange (but he doesn't need to know the secret code)."
To add biometrics, one-time-pad, SecureID, etc. to username and password would be to add a third-factor for authentication. You could say "Let Joe in only if he says the secret code AND his eyes are orange."
Give me my freedom, and I'll take care of my own security, thank you.
Not even all OTP tokens from, say, RSA Security -- the vendor I know best -- are created equal.
Specific mechanisms for "strong authentication" -- since the 1970s, by classical definition, an app which relies on at least two of the three factors (something known, something held, something one is) by which a computer can validate the identity of a pre-registered human user -- are designed for a particular threat environment.
Typically, in a variety of form-factors, OTP generators offer greater or lesser security on a spectrum -- greater or lesser resistance to various potential threats -- in a variety of pricing schemes. Among the competitive vendors, some support systems -- the authentication servers and agents -- are better adapted to a large volume of authentication calls, or a multi-server geographically-dispersed user base. In small tech-savvy environments, public domain OTP options will always have their place, although commercial enterprises typically want some solvent external entity to accept the risk and track the evolving threats.
RSA, as several posters have noted, has a unique "time-synch" OTP technology. A RSA SecurID continuously generates and displays a new 6-8 digit (or alphanumeric) pseudo-random "token code" every 60 seconds -- an OTP that is valid for no more than a minute or two. In RSA's security paradigm, a SecurID "token holder" is always required to supply a user-memorized password or PIN for two-factor authentication (2FA).
In the enterprise OTP token market it has dominated for nearly 20 years, RSA still closes about 7 of every ten sales. In the nascent consumer market for strong authentication -- where the scale and complexity of the implementations could be unprecedented -- all bets are off and a billion-dollar free-for-all looms.
Most of RSA's leading challengers -- Vasco, ActivCard, Secure Computing, CryptoCard, VeriSign -- have been mentioned, but no one has pointed out how many new vendors are rushing into this market, offering both new and old technologies. Some are big companies; others are tiny. Even low-tech options like TAM cards -- pre-printed lists of OTPs, now indexed, available on wallet-sized "scratch-cards" -- have become quite popular, particularly in Europe.
You'll find the classic OTP tokens for two-factor authentication (2FA) tokens with a variety of form-factors and cryptographic models: time-synch from RSA; mostly Challenge/Response and "event synch" -- click for an OTP -- from the others. One thing you won't find, despite some claims in this thread, are OTP tokens from anyone but RSA which offer RSA's "time-synch" short-term OTPs. None of the challengers, new or traditional, can yet mimic SecurID's patented functionality.
As you survey your options, it's important to keep your eye on the prize here. 2FA protocols are used to validate -- to a relatively high degree of certainty -- a claim that a "token-holder" is entitled to resources and account privileges on a (usually remote) computer or network, on which he has been pre-registered by an authorized party.
With more trustworthy authentication, your managers and security architects can enforce more rigorous accountability. (The gentleman who lamented his company's adoption of user-based strong authentication, on top of the client-based VPN authentication he thought was "more secure," doesn't get it.) Accountability is the goal.
Accountability is the ability to associate a consequence with a past action of an individual. To hold individuals accountable, it must be possible retrospectively to tie them with actions or events for which accountability is desired, or to be able to independently detect and respond to inappropriate behavior. Authentication can never be viewed in isolation. It is obviously dependent upon other critical elements in the security paradigm -- authorization and audit mechanisms, to be sure; but also network integrity and local PC and end-point host security as
Dudes, as usual, I see a lot of strong opinions with little to no information, or wrong info. Try finding out a little more about each of the options. Two factor authentication is a really good idea and several companies do it well.
...
To answer of few of the issues some posters have with my employer (I don't speak for them but you can easily get in touch with someone who can)
- for the dude with the Cisco VPN setup: The certificate is from Cisco, not RSA. It is a good idea in that it validates the client machine, but it is configurable. Don't require them if you really think that will improve security. The issue with keeping a software token on the portable machine that needs access is one to think about. It is one option and has obvious risks, but someone thought they weren't as bad as you do. Is your laptop hard drive encrypted? Did you configure the soft token to use a password? Did you configure the soft token to only work on that one machine? There are certainly many other choices of tokens. Choose another if you don't like that one.
- For the dude thinking they can re-use a tokencode: good luck with that. If the tokencode changing every 30-90 seconds isn't enough for you, get a shorter one. If the servers synching every 100 seconds by default isn't enough, decrease the interval. If you don't like that, configure locking so it can never happen. If you don't like that, have your administrator pay attention.
- For all those who talked about one type of token: hey, all those providers have a huge variety. Off the top of my head, I believe my employer has: key fob, card, USB (with smartcard), software (Windows, CE, Palm, Blackberry), GSM phone, smart card.
- Trying not to turn this into a sales pitch, but sometimes you get what you pay for and sometimes the cheapest initial investment is not the best value. Look into some of the possibilities that RSA has.
We probably have what you are looking for. It's just released so there's an excellent reason why you couldn't find anything like it.
Features:
smart-card authentication for Active Directory clients.
It's really easy to convert as few or as many clients/users as needed.
Users can be enrolled and administered from any PC. (With proper authority and token)
If you have HID prox cards for physical security, we can manufacture a combination prox/smart card. If you have an ID card system, you may be able to re-issue an ID card with the smart card. Just depends on your software.
It's ready today. This is not a drill. Please contact me at your earliest convenience.
Michael 213-743-9181 ext. 231
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Have a look at TriCipher: They let you use cookies, generic USB drives, or smart cards as 2 factor mechanisms. . . .
The Defender Hand-Held Token looks exactly like the old (physically unreliable) Axent Defender tokens, which used the (withdrawn in 1999) x9.9 Asynchronous authentication algorithm which was later proven to be extremely weak crytographically.
Many existing token products, including Vasco, Safeword, and ActivCard include support for x9.9 for backwards compatibility, as do a number of software applications.
I do not deploy Linux. Ever.
I work with a company called Entrust and we have a competitive product to RSA's SecurID that suits the criteria you've outlined above that you may be interested in looking into. Entrust IdentityGuard is a comprehensive strong authentication platform for Internet and enterprise applications. This suite of strong authentication capabilities enables your organization to take a risk-based approach to tailoring your security deployment. The flexible deployment options enable you to match strong authentication methods to the level of risk associated with the different types of users, transactions, and applications of your unique environment. Feel free to contact me if you are interested in more information. You can also visit our website at http://www.entrust.com/identityguard/index.htm for more details.