Stronger authentication without end-user benefits?
Filed under: Authentication Trends, General Information, IT Security, Single Sign-on (SSO), Two-factor Authentication
A recent discussion on LinkedIn started by a PortalGuard team member got some great comments relevant to PortalGuard…
Discussion: Stronger authentication without end-user benefits?
I have heard that many companies view two-factor authentication as a burden to end-users and seem reluctant to move beyond username/password security. What may be interesting to these companies is that stronger authentication initiatives can be coupled with sign-on benefits to achieve both security and usability enhancements. I’m wondering if it is a matter of a change in perspective. Could security professionals get more traction on security projects that are desperately needed if usability benefits (e.g. SSO) were more the focus of the business case when promoting these types of projects to senior management? Comments?
Comment #1: It is absolutely true that when introducing strong authentication, usability is hurt. I am sure we need to look into more usability-enhanced security measures in two-factor authentication. But two-factor authentication itself looks stronger than password/chip PIN security.
Comment #2: …your thoughts are interesting. But if SSO and multi-factor authentication are often coupled, I’m not sure the motivation is to boost strong authentication adoption. It’s more that SSO comes with its own security problems. Once authentication is gained, access to a wide range of applications is granted. The impact of a breach is thus potentially greater.
To minimize the risk (for in our field everything is risk related), one of the measures that has to be adopted is a stronger primary authentication. But it’s only one factor and it does not solve all the problems. Suppose I’m logged in and have to go to the bathroom; if I forgot to lock my computer, anyone can gain access to all the applications covered by the SSO.
So we often leave critical applications out of the SSO system, and require a strong authentication to those applications. I’m not saying it completely defeats the benefits of SSO, but it can seriously undermine them.
So let’s keep in mind that while multi-factor authentication strengthens security, SSO generally lowers it. Their combination is sometimes positive and sometimes negative, depending on the context.
Now, this is the (somewhat) objective view. The most interesting part of your post is that security professionals have to focus on usability benefits, whatever they are, to promote their projects to management. SSO is one aspect. More user-friendly multi-factor authentication is another aspect.
###
The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.
Subscribe to our newsletter: http://portalguard.com/contact_us.php
https://twitter.com/portalguard
http://pinterest.com/pistolstar/portalguard
http://www.facebook.com/pistolstar.authentication
http://www.facebook.com/pages/PortalGuard/240761992635169
Implementing Stronger Authentication Without Impacting Usability and Flexibility
Filed under: General Information, IT Security, Two-factor Authentication
Enterprises typically have various requirements for authentication, based on the individual or groups of users who are entering their systems and using the numerous applications available. The type of application a user is accessing also dictates the authentication requirements. Financial, human resources and other applications that store confidential information or sensitive files and records require stronger authentication than typically needed, mainly to ensure regulatory compliance. In those cases, multi-factor authentication — using “something you know” (a password) and leveraging “something you have” (typically a token) — is probably the best approach for guaranteeing that only authorized users access restricted applications and that sensitive information is protected.
When requiring multi-factor authentication, usability for the users is critical, as they need easy access to the information and files required to do their jobs in order to stay productive. Organizations also need the flexibility to configure authentication so that they can meet the varying security requirements of their applications and the access-control needs of different users. However, usability and flexibility have not always been possible with multi-factor authentication. Even so, companies know that requiring only a password, especially for web-based applications, is insufficient, as passwords are easy to steal and exploit. An authentication solution using two distinct factors addresses their concerns about access secured by a single, knowledge-based factor.
The optimal two-factor authentication solution offers usability and flexibility as well as security, enabling end-users to achieve uncomplicated access and providing organizations with authentication controls — all while reducing risk. Usability is achieved by using a One-Time Password (OTP) obtained via a laptop, mobile phone or other device the user has, along with another password or username to accomplish two-factor authentication. Flexibility is obtained by allowing the authentication factors to be configurable based on the organization’s employees, applications and needs.
The OTP in this two-factor authentication scenario would validate both the user AND the device they are using. This tokenless approach leverages a device the user already has rather than requiring them to possess a separate hardware-based OTP-generating token for authentication, thereby increasing user adoption. The user’s device acts as the “token” or “something the user has” when unlocked by the user’s successful login to it. The time-based OTP is generated on a configurable interval and could be implemented as a toolbar in the user’s web browser. The OTP is totally transparent, as it has no interface and does not require additional processes.
The optimal two-factor authentication solution would give organizations the flexibility to configure the length, expiration and format of the OTP and how it is delivered to the user. OTP delivery options include email, printer, transparent token or SMS (no SMS gateway is required). Transparent tokens could be made up of several types of parameters, such as a random number, a device serial number and/or Active Directory identifiers, which are encrypted.
Using what is called Contextual Authentication, organizations would also have the flexibility to choose the appropriate authentication method for each user, group or application, meeting the needs of the various access scenarios that occur. For example, onsite users may only need to provide strong passwords, whereas roaming users would be required to use two-factor authentication.
Ask organizations to describe the optimal authentication solution and they would describe one that offers the option of increasing security with an extra layer of authentication and reducing the risk of attacks by employing credentials that expire after one use. By using a tokenless two-factor approach that leverages a device the user already has, organizations would not only offer their users increased usability but also ensure greater user adoption. By being able to configure the OTP and its delivery method based on their users, groups, applications and organizational goals, organizations would have the flexibility they need to control the level of security required for particular user access scenarios. Because one password or one factor isn’t always enough, organizations’ authentication requirements would be met, and the residual benefits would go beyond stronger authentication to include a lower total cost of ownership.
Security Assertion Markup Language: SAML Protocols Explained
Filed under: General Information, PortalGuard, Single Sign-on (SSO)
SAML is an XML-based framework for generating and transmitting security information between parties that know of one another. SAML is needed and used to allow web-based SSO outside the intranet.
SAML defines several request-response protocols. Each one is identified by the action it is employed for.
This article discusses four SAML protocols:
- Authentication Request Protocol: Gives the Service Provider the ability to request a SAML response on behalf of a user or principal.
- Artifact Resolution Protocol: Allows the Service Provider and Identity provider to communicate directly with each other without a principal involved.
- Single Logout
- Name Identifier Management
AUTHENTICATION REQUEST PROTOCOL
With SAML 1.1 the IdP sent an unsolicited response to a Service Provider (SP) and the SP had no control over initiating the authentication process. With the advent of SAML 2.0 the Service Provider can now initiate the request for authentication via the Authentication Request Protocol.
Authentication Request Protocol – used by a service provider to request the authentication of a user by the IdP.
When a Service Provider wants to acquire a SAML assertion on behalf of a user looking to gain access to a protected resource, the SP sends an Authentication Request, or more precisely a <samlp:AuthnRequest> message.
This is an example of a complete authentication request:
<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ccjskdie-9304-1192-3029-dkejuf72a398"
  Version="2.0"
  IssueInstant="2012-12-05T09:24:43Z"
  AssertionConsumerServiceIndex="0"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://rp.monopoly.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
    AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
The above <samlp:AuthnRequest> element asks the IdP for an assertion containing an authentication statement. You can see from the <saml:Issuer> element that it was issued by the service provider (https://rp.monopoly.com/SAML2). The request is delivered to the IdP via the browser. The identity provider authenticates the user who originated the request and issues an authentication response, which is sent back to the service provider (again via the browser).
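As an added example (not from the article and not PortalGuard code), here is what the IdP side of the exchange above can check before authenticating the user: it decodes the SAMLRequest parameter of the HTTP-Redirect binding (raw DEFLATE then base64), confirms the message is a SAML 2.0 <samlp:AuthnRequest>, requires a known issuer, rejects stale IssueInstant values and replayed request IDs, and extracts the NameIDPolicy. The hostnames and ID reuse the article's sample; the five-minute freshness window and the in-memory replay cache are assumptions.

```python
# Added example: IdP-side decoding and validation of an AuthnRequest received on
# the HTTP-Redirect binding. Not PortalGuard code; sample values are the article's.
import base64
import zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The article's sample request (constructed hostname and ID), IssueInstant in UTC.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="ccjskdie-9304-1192-3029-dkejuf72a398" Version="2.0"
    IssueInstant="2012-12-05T09:24:43Z"
    AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://rp.monopoly.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

KNOWN_SPS = {"https://rp.monopoly.com/SAML2"}  # SPs the IdP holds metadata for

def encode_redirect(xml_text: str) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(saml_request: str) -> str:
    """IdP side: base64-decode and inflate the SAMLRequest query parameter."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

class ReplayCache:
    """Request IDs already handled; in memory here, shared storage in a real IdP."""
    def __init__(self):
        self.seen = set()
    def check_and_add(self, request_id: str) -> bool:
        if request_id in self.seen:
            return False
        self.seen.add(request_id)
        return True

def validate_authn_request(xml_text: str, now: datetime, cache: ReplayCache,
                           max_age: timedelta = timedelta(minutes=5)) -> dict:
    """Return the fields the IdP needs, or raise ValueError naming the failure."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    req_id, issue_instant = root.get("ID"), root.get("IssueInstant")
    if not req_id or not issue_instant:
        raise ValueError("ID and IssueInstant are required")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    if issuer not in KNOWN_SPS:
        raise ValueError(f"unknown issuer {issuer!r}")
    issued = datetime.strptime(issue_instant, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (now - max_age <= issued <= now + timedelta(minutes=1)):
        raise ValueError("IssueInstant outside the accepted window")
    if not cache.check_and_add(req_id):
        raise ValueError("replayed request ID")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": req_id,
        "issuer": issuer,
        "acs_index": root.get("AssertionConsumerServiceIndex"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "allow_create": policy is not None and policy.get("AllowCreate") == "true",
    }

def run_demo() -> dict:
    """Round-trip the sample through the binding, then show replay and stale rejection."""
    cache = ReplayCache()
    now = datetime(2012, 12, 5, 9, 25, 0, tzinfo=timezone.utc)
    xml_text = decode_redirect(encode_redirect(SAMPLE_AUTHN_REQUEST))
    result = {"info": validate_authn_request(xml_text, now, cache)}
    try:
        validate_authn_request(xml_text, now, cache)
        result["replay_rejected"] = False
    except ValueError as exc:
        result["replay_rejected"] = "replayed" in str(exc)
    try:
        validate_authn_request(xml_text, now + timedelta(hours=1), ReplayCache())
        result["stale_rejected"] = False
    except ValueError as exc:
        result["stale_rejected"] = "window" in str(exc)
    return result

if __name__ == "__main__":
    print(run_demo())
```

Signature verification is deliberately left out of this example; when the SP signs its requests, the IdP checks the signature against the SP's metadata certificate before trusting any of the fields above.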
ARTIFACT RESOLUTION PROTOCOL
A SAML message can be delivered between an IdP and an SP either by value or by reference. With the authentication request protocol, the SAML message itself is delivered (by value). With the artifact resolution protocol, a small reference called an artifact is delivered instead. The receiver resolves the artifact by sending a <samlp:ArtifactResolve> request directly to the entity that issued it, which then returns the actual SAML message the artifact references.
Here is an example that an IdP may send directly to an SP. The element in question here is <samlp:ArtifactResolve> and is sent directly to the SP and not through the client’s Web Browser.
<samlp:ArtifactResolve
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="sie983ekcmjsdi_ejsk1wilsdoe9rim4rt"
  Version="2.0"
  IssueInstant="2012-12-07T03:21:23Z"
  Destination="https://sp.monopoly.com/SAML2/ArtifactResolution">
  <saml:Issuer>https://idp.trouble.org/SAML2</saml:Issuer>
  <ds:Signature
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">…</ds:Signature>
  <samlp:Artifact>BNBMGGFh65/1lPOI+s8YrtK8fOlskeiJDHeiNmDj6RdUmllwnlsKeeRif9Ie=</samlp:Artifact>
</samlp:ArtifactResolve>
The service provider will respond with the SAML element referenced by the enclosed artifact.
SINGLE LOGOUT
A local session is established at the IdP during the SAML login process, and a session is established at each SP the user gains access to. Because the IdP knows about all of the sessions the user has established, when the user logs out of one of them the IdP can use the Single Logout protocol to log the user out of the others automatically. This is achieved with the <LogoutRequest> and <LogoutResponse> messages.
NAME IDENTIFIER MANAGEMENT
Once the IdP has established the “name identifier” for a principal or user, it can, if need be, use the Name Identifier Management protocol to change the value of the identifier or to specify that the identifier will no longer be used. The IdP uses the <ManageNameIDRequest> message to perform this action. An SP can also use this message to change the SPProvidedID or to stop using a name identifier with the IdP.
Self-service Password Management Defined
Filed under: Authentication Security, Authentication Trends, General Information, IT Security, Self Service Password Reset
Self-service Password Management (SSPM) puts the power of controlling the user’s password and account in the user’s hands and eliminates the need for a Help Desk person to intervene. Typically an enrolled user would be looking to perform any of the following self-service actions:
1. Unlock their own locked account
When a user account has been locked, it cannot be used to log in, even if the password is known. User accounts are locked after a defined number of incorrect login attempts; locking an account is designed to thwart would-be attackers trying to guess a password. If the account is locked, no password will be accepted. Some solutions on the market allow the user to unlock their account using an authentication method other than knowing the password.
2. Reset their password without knowing the current password
The normal way to change your current password is to first give the existing password, proving that you have the right to change it, and then specify the new password. If you have forgotten your password, you need an alternate way to authenticate yourself and set a new one. To allow the reset, the user authenticates using alternate methods, such as challenge questions and answers or knowledge-based authentication, and can then reset the password without the Help Desk involved.
3. Display the existing password
There may be times when the user cannot reset their password because they are not connected to the company network. This is when the existing password should be shown to the user. Before displaying the current password, a combination of knowledge-based and one-time password (OTP) authentication methods should be employed.
Self-service authentication methods can be used individually or, for stronger security, in combination with one another. More advanced SSPM solutions can authenticate a user through the following alternate methods before allowing a self-service action:
1. Knowledge Base Challenge Questions
Users are presented with a number of questions that they answered during enrollment. They must answer a predefined number of the questions correctly before being authenticated.
2. One Time Password sent to a phone
The user is presented with a pop-up dialog that asks for the One Time Password (OTP) that was sent to their previously enrolled phone. The OTP arrives as a text message or a voice recording on the phone, and the user then enters it. The correct OTP allows the user to be authenticated.
3. One Time Password sent to an email address
Similar to the OTP sent to a phone, the OTP is emailed to the user’s enrolled email address.
Enrollment is also something to consider when looking at SSPM solutions. Typically, depending on the authentication methods selected for the specific SSPM installation, the user will be prompted for any combination of the following information in order for the solution to be able to allow self-service actions:
1. Knowledge Base Challenge Questions
The user is presented with all of the Challenge Questions that are configured, with instructions on how many of them must be answered for enrollment. For example, there could be 10 questions of which the user is required to answer 5. Once the required number of answers is met, the user is enrolled.
2. OTP to phone
As part of the enrollment process, the user is prompted for a phone number at which to receive OTPs. An OTP is immediately sent to that number, and the user is prompted to enter it to complete the enrollment.
3. OTP to email address
During enrollment, the user is prompted for an alternate email address to which the OTP can be sent. An OTP is sent to the given address, and the user is prompted to enter it to complete the enrollment.
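The challenge-question method above (answer 5 of 10 at enrollment, then a predefined number at verification) is shown here as an added example, not PortalGuard's implementation: answers are normalised so that case, spacing and accents do not matter, stored only as salted PBKDF2 hashes, and verified with a k-of-n rule that checks every presented answer so the response time does not reveal which ones were wrong. The question set, answers and iteration count are constructed assumptions.

```python
# Added example: k-of-n knowledge-based challenge questions with hashed answers.
# Not PortalGuard code; demo questions, answers and iteration count are constructed.
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumption; raise as hardware allows

def normalise(answer: str) -> str:
    """Accent-, case- and whitespace-insensitive form: 'Main  Street' == 'main street'."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ITERATIONS)

def enrol(answers: dict, required: int) -> dict:
    """answers: question id -> answer typed at enrollment (e.g. 5 of the 10 offered).
    Returns the record to persist: a per-question salt and hash plus the k-of-n rule."""
    if required < 1 or len(answers) < required:
        raise ValueError(f"need at least {required} answers, got {len(answers)}")
    record = {"required": required, "questions": {}}
    for qid, answer in answers.items():
        if not normalise(answer):
            raise ValueError(f"empty answer for question {qid!r}")
        salt = os.urandom(16)
        record["questions"][qid] = {"salt": salt, "hash": hash_answer(answer, salt)}
    return record

def verify(record: dict, attempt: dict) -> bool:
    """attempt: question id -> answer. True when at least `required` answers match.
    Every presented answer is hashed and compared (no early exit) so timing does
    not leak which answers were wrong."""
    correct = 0
    for qid, given in attempt.items():
        entry = record["questions"].get(qid)
        if entry is None:
            continue  # unknown question id: never counts as correct
        if hmac.compare_digest(hash_answer(given, entry["salt"]), entry["hash"]):
            correct += 1
    return correct >= record["required"]

# Constructed enrollment data for the demo.
DEMO_ANSWERS = {
    "first_street": "Main Street",
    "first_pet": "Biscuit",
    "birth_city": "Zürich",
    "favourite_teacher": "Mrs. Lee",
    "first_car": "Corolla",
}

if __name__ == "__main__":
    rec = enrol(DEMO_ANSWERS, required=3)
    print(verify(rec, {"first_street": "  main   street", "first_pet": "biscuit",
                       "birth_city": "zurich", "first_car": "wrong"}))  # True: 3 of 4 correct
```

Because the answers are hashed, a leaked enrollment table does not expose them; in a real deployment the verify step should also be rate-limited per account, since challenge answers are far easier to guess than passwords.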
PortalGuard SSPM Awarded – Download Available
Just wanted to quickly announce before the holiday that PortalGuard’s Self-service Password Management (SSPM) has been getting recognized on various download sites; two have awarded the download 5-star and safety awards. Below is a link to our previous blog post with the description and a link to the download, so you can check out SSPM, which is supported on both the web and the desktop.


http://blog.pistolstar.us/blog/new-download-self-service-password-management/
Security vs. Convenience: Who wins?
Filed under: Authentication Security, Authentication Trends, Data Security, General Information, IT Security, password management, password security, Security Attacks
Can you stay safe without losing your mind? When creating a password do you lean towards security or do you look for the convenience? Most of us really want the security without all the hassle.
LifeHacker took all of the password-security methods it has presented and looked for the best combination of security and convenience. So how do you choose the best password security for you? Read More…
What’s Your Password History?
Filed under: Authentication Security, Authentication Trends, Data Security, IT Security, PortalGuard
What’s your password history? This is a question many end users cannot answer, which causes frustration. Password history is nonetheless extremely important, as it prevents the user from reusing a password that could have been compromised in the past.
One of the biggest challenges with implementing password history policies is maintaining usability while increasing compliance and security. By limiting users to passwords that are new to them each time, you frustrate them every time they are required to reset their password, and with such limits enforced, a frustrated user is more likely to write passwords down.

If you are thinking of implementing a password history policy it is better to tailor it to your environment and only make it a requirement when it makes sense in relation to the required level of data protection.
A key thing to remember about password history is that it has an inverse relationship with your password expiration policy: the more frequently you expire passwords, the higher the password history limit you need. For example, if you expire passwords as frequently as every 30 days you would want a high password history limit, say around 50, which would prevent the reuse of any password for 1500 days. It is important to remember what is necessary for the type of data you are trying to protect.
The other concern is how to help users create passwords without the frustration of having to remember brand-new ones. Often a user will create a password and then keep using variations of it (e.g. password, password1, password2, password3). Limiting similar passwords is something to consider, as it may be crucial to your security.
One option that helps with all of these issues is a passphrase: instead of a single word of some required length, allow users to log in with an entire sentence. This may be easier for some users to remember, and therefore easier to reset when needed.
Overall the goal is to decrease user frustrations while still implementing effective password history policies. Make sure to consider what level of data protection is required and what is necessary in terms of the limits you are setting for your end users.
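As an added example (not PortalGuard's implementation or the post's own code), the following enforces the points above: a per-user history of the last N password hashes checked for exact reuse, a similarity test that catches the password/password1/password2 pattern, and the expiry-times-history arithmetic (30 days x 50 = 1500 days) for the reuse horizon. The hash parameters, similarity threshold and sample passwords are assumptions.

```python
# Added example: password-history enforcement with salted hashes, rejection of
# trivial variations, and the reuse-horizon arithmetic from the post. Not PortalGuard code.
import difflib
import hashlib
import hmac
import os
import re
from collections import deque
from typing import Optional

ITERATIONS = 100_000  # assumption; tune to your hardware

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def reuse_horizon_days(expiry_days: int, history_size: int) -> int:
    """Minimum days before a password can recur: a 30-day expiry with a history
    of 50 gives 1500 days, as the post calculates."""
    return expiry_days * history_size

def base_form(password: str) -> str:
    """Drop leading/trailing digits and symbols and lower-case, so that
    'Password1' and 'password2!' share the stem 'password'."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password).casefold()

def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """True for the password/password1/password2 pattern or near-identical strings."""
    stem = base_form(new)
    if stem and stem == base_form(old):
        return True
    ratio = difflib.SequenceMatcher(None, old.casefold(), new.casefold()).ratio()
    return ratio >= threshold  # 0.8 is an assumed cut-off

class PasswordHistory:
    """Per-user ring of the last `size` (salt, hash) pairs; oldest falls off."""
    def __init__(self, size: int):
        self.entries = deque(maxlen=size)

    def was_used(self, candidate: str) -> bool:
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.entries)

    def accept(self, new_password: str, current_password: Optional[str]) -> str:
        """Return 'ok' and record the password, or the reason it was rejected.
        Only the current password is available in clear (the user just typed it
        to authorise the change), so the similarity test applies to it alone;
        older passwords exist only as hashes and are checked for exact reuse."""
        if self.was_used(new_password):
            return "reused: matches one of your recent passwords"
        if current_password is not None and too_similar(current_password, new_password):
            return "too similar to your current password"
        salt = os.urandom(16)
        self.entries.append((salt, _hash(new_password, salt)))
        return "ok"

if __name__ == "__main__":
    print("reuse horizon:", reuse_horizon_days(30, 50), "days")
    history = PasswordHistory(size=3)
    print(history.accept("Correct-Horse-7", None))                 # ok
    print(history.accept("Correct-Horse-8", "Correct-Horse-7"))    # too similar
    print(history.accept("Correct-Horse-7", None))                 # reused
```

Storing only hashes means the history itself is not a second password database worth stealing; the trade-off, noted in the code, is that similarity can only be judged against the password the user is currently typing.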
Stronger Passwords Weighing In
Filed under: Authentication Security, Authentication Trends, Data Security, General Information, IT Security, password security, PortalGuard, Security Attacks
One of the pains in an employee’s daily routine is password management, especially understanding what the IT security staff mean by a “strong” password. A recent CNN.com article stressed the importance of “super passwords”, suggesting that all passwords should be a minimum of 12 characters long. If such standards become the norm, driven by the varying types of attacks being performed, then the usability of passwords for the user will decrease.
By implementing a simple Password Strength Meter, your employees can easily have visual feedback as to whether or not they are following password policies and avoiding weak passwords. This will also make password strengths easy to enforce for varying levels of required data protection.
With the Password Strength Meter provided by PortalGuard, the user gets a real-time response to their choice of characters for their new password. With each character typed, the meter shows the user whether their password is becoming weaker or stronger. Administrators can enable this on every login page or only on those protecting critical data. The idea is that Password Strength Meters help users choose stronger passwords while maintaining usability.
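To show what such a meter computes on each keystroke, here is an added example that is not PortalGuard's meter: it estimates entropy from the character classes used and the length, subtracts for repeated or sequential characters, caps the score when a common dictionary word is present, and returns a 0-4 rating with the feedback a meter would display. The 12-character floor is the one the CNN article quoted above recommends; the bit thresholds and the tiny common-word list are assumptions.

```python
# Added example: a keystroke-by-keystroke password strength estimator. Not
# PortalGuard's meter; thresholds and the word list are constructed assumptions.
import math
import re

MIN_LENGTH = 12  # the floor recommended by the CNN article quoted above
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin"}  # stub list

def pool_size(pw: str) -> int:
    """Size of the alphabet the password draws from, by character class."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return pool

def weak_patterns(pw: str) -> int:
    """Count characters that add little: repeated runs (aaa) and straight
    sequences (abc, 321)."""
    runs = sum(len(m.group()) - 1 for m in re.finditer(r"(.)\1+", pw))
    seqs = 0
    for i in range(len(pw) - 2):
        a, b, c = (ord(ch) for ch in pw[i:i + 3])
        if b - a == c - b and abs(b - a) == 1:
            seqs += 1
    return runs + seqs

def rate(pw: str) -> dict:
    """Score 0-4 plus feedback; call on every keystroke for a live meter."""
    feedback = []
    if not pw:
        return {"score": 0, "bits": 0.0, "feedback": ["enter a password"]}
    bits = len(pw) * math.log2(pool_size(pw))
    patterns = weak_patterns(pw)
    if patterns:
        bits -= 2.0 * patterns
        feedback.append("avoid repeated or sequential characters")
    if any(word in pw.casefold() for word in COMMON_WORDS):
        bits = min(bits, 20.0)  # a dictionary word is guessed quickly regardless of length
        feedback.append("contains a common word")
    if len(pw) < MIN_LENGTH:
        feedback.append(f"use at least {MIN_LENGTH} characters")
    bits = max(bits, 0.0)
    score = sum(1 for threshold in (28, 36, 60, 80) if bits >= threshold)
    if len(pw) < MIN_LENGTH:
        score = min(score, 2)  # short passwords never reach the top ratings
    return {"score": score, "bits": round(bits, 1), "feedback": feedback}

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", rate(candidate))
```

A real meter would replace the stub word list with a proper dictionary and breach list, but the shape is the same: the rating is an estimate of guessing effort, and the feedback strings are what turn the bar colour into advice the user can act on.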
CNN.com Super Passwords Article
Homegrown Solutions – Yikes!
Filed under: Authentication Trends, Deployment Issues, General Information, IT Security, PortalGuard, Uncategorized
With ever increasing demands for specific security and authentication functionality the issue that many organizations are facing is the ability to find a solution that provides an exact fit with their requirements.
Due to this issue many corporations, especially at the enterprise level, are footing the bill to develop these solutions in-house. Although this can provide the exact fit that you are looking for, a homegrown solution is not something that PistolStar recommends. By implementing a homegrown solution it is easy to run into the following issues:
- Higher upfront costs in development and testing time/resources
- More lead-time required – deployment schedule must be pushed out
- Run into all the pitfalls and bugs yourself – impacts user adoption and satisfaction
- Workforce/expertise attrition – what if your developers leave?
- Ongoing maintenance demands and costs
With such complications present, homegrown solutions really open the floodgates to security holes and unknown issues. By stepping outside your area of expertise and running into the bugs yourself, you risk opening a much larger and more dangerous “can of worms”.
Your end-users are also a concern when choosing whether to buy or build. By making your employees the “test bunnies” you are in danger of greatly reducing usability, productivity and employee adoption rates. Nor are your end-users always the best measure of success: with a homegrown solution it is when something is wrong that you are most likely to hear an uproar from your users, but that gives you no direct insight into the functionality or parts of the solution they actually like.
Overall, if you are weighing homegrown against buying, we strongly recommend staying away from homegrown. In its place, it is important to find a third-party solution that provides the flexibility of a custom solution at an affordable price. By leveraging APIs, such as the PortalGuard API, you can use existing functionality while avoiding the complications of starting from scratch.
So whether you decide to use a fully homegrown solution, leverage an API or purchase a solution it is important to consider your users and organization’s requirements. Possibly a combination of all three methods could be the best way to go.
We encourage questions on homegrown solutions so please feel free to email us at pr@pistolstar.com.
What is Absolutely Necessary?
Filed under: Authentication Security, Authentication Trends, Data Security, IT Security, PortalGuard, Uncategorized
What is absolutely necessary? This is a question about authentication that needs to be asked often. With severe trade-offs between usability and security, it is important to understand your users and what access they have to different levels of critical data.
Often an end-user’s usability is compromised because they are required to follow authentication policies that are too strong for the type of data they are accessing. Making the user jump through extra hoops to access data can greatly slow down productivity.
Because of this, the answer to the question is NOT a “one size fits all” approach. Ideally, you would implement a solution that takes into consideration the underlying data being protected. The key is an authentication solution intelligent enough to require only what is necessary from the user and the environment to provide the appropriate level of data protection, achieving a balance between usability, security, auditing and compliance.
To achieve this, look at the defense in depth the data requires. Take, for example, the lowest level of protection: here you might require only a username and password. At the next level more authentication is needed, such as a second factor in the form of a personal watermark, as used in online banking. At the highest levels of data protection the strongest authentication practices can be applied, such as out-of-band authentication, where the user receives a one-time password on their mobile device to use alongside their login credentials. This is an affordable way to implement best practices.
Overall, it is important to keep in mind not only your end-users but also the underlying data they are accessing. By implementing the same authentication for all levels of data protection you could easily lower both usability and security, but with a more exact fit this can be avoided altogether.

