Strong Authentication

 

 

 

As a network consultant, I have been working with different networking security technologies for several customers in various industries. During the past few years, I was in charge of quite a few network security projects.

During those projects, I noticed that many customers often don’t pay enough attention to the ‘strong authentication’-part. They do invest in securing their network trough high-end network equipment such as proxies, firewalls and SSL VPN appliances.

How to check whether they stole your credentials

Every week, breaches are making the headlines and the number of incidents is increasing rapidly. Some online reports claim that half of the breaches were due to compromised credentials. Test it yourself on this website https://haveibeenpwned.com/ and discover if your credentials were ever stolen by using a well-known online application like Dropbox or LinkedIn.

Nowadays it’s strongly recommended to use a password manager like Keepass or Lastpass. These tools allow the easy management of all your online credentials. They generate a random secure password for every application and the end-user only needs to remember 1 master password for all websites.

Why you need strong authentication

Unfortunately, most people are not thinking in a secure way. They reuse the same password over and over again.  You should actually be very worried  if you know that Amazon, for example allows you to pay immediately with your saved credit card information after you logged in with your static credentials ( = SFA or Single Factor Authentication).

At company level, the administrators need to be aware of ‘Strong Authentication’ or ‘Multi Factor Authentication’ to prevent unauthorized users from accessing corporate data with static passwords alone. This method combines 2 mutually dependent factors to protect data. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and they are stronger fraud deterrents than outdated single-factor username/password authentication. When you use multifactor authentication, you are more secure, because if one factor is compromised or broken, the attacker still has at least one more barrier to breach before breaking into the target.

Use case: implementing strong authentication

Lately, I have been working with products of Vasco and RSA. Those companies belong to the global market leaders in user authentication and data security. Both vendors offer a wide range of similar strong authentication solutions.

The vendor Okta, rather focuses on Identity as a Service (IDaaS). Generally, IDaaS solutions are based on the SAML protocol(SSO) and integrate well with 3000 SaaS-based and web applications (e.g.  Office365).  Okta offers a solution with MFA too (Okta verify OTP|Push).

Recently, I implemented the Vasco Identikey authentication server solution for a department of the Belgian government. The goal was to secure the existing SSL VPN solution with MFA and to secure the access to the management of internal network equipment.

How did we do this? Remote partners got a hardware Digipass to authenticate, while all company smartphones were provided with a mobile DIGIPASS.  Features like QR Code Login and TouchID support make it user-friendly.  Cloning the app is prevented by the ‘Device Binding’ feature. Furthermore, the access to the app is secured by a personal PIN code. End-users without a (company) smartphone are covered as well. An SMS with the one time password (virtual Digipass ) is sent to these group users.

Soon, this customer wants to integrate the Vasco setup with the Windows logon screen of the end-users. Vasco offers a small software module for the end users’ Windows machine. It replaces the original login window by a version that will send the login credentials to the Vasco server.
The Windows password can still be preserved and combined with a one-time password (OTP), generated by the Digipass token of the end-user.

Strong authentication for this customer is achieved by combining two or three independent credentials:

  • What the user knows ( Windows Password and/or PIN Code )
  • What the user has ( Vasco Digipass )
  • What the user is ( Fingerprint )