Strong Authentication Flexes Its Muscles at RSA



Gemalto, PassLogix, Entrust Talk Strong Authentication

Authentication, authentication, authentication--at least two factors of it, possibly more--that's a mantra we're hearing a lot at RSA this week, with a range of vendors from well established global giants like Gemalto and HID to Innovation Sandbox players like KikuSema GmbH and RavenWhite presenting solutions for how to ensure the person accessing an application is actually the physical person you think it is.

Multiple factors of authentication--something you have, plus something you know--seem to be gaining credence as the baseline for secure authentication. "I don't think you can go to the cloud without two-factor authentication," said Ray Wizbowski, director of marketing communications, North America, for Gemalto, which provides a range of digital identity assurance solutions.

Further, using at least two authentication factors helps users break bad security habits and think more about security, he told Security Squared. "By introducing this technology, it makes people more mindful of security," Wizbowski said.

At RSA, Gemalto, whose .NET smart card technology is embedded in Microsoft employees' corporate badges worldwide, announced the integration of its Protiva Strong Authentication Server with Microsoft's Forefront Identity Manager (FIM) 2010. What this means is enterprises can use the FIM interface to provision, deploy and manage smart card-based one-time password (OTP) devices linked to Gemalto's server.

Given FIM's own support for smartcard management, the combination should mean enterprises can more easily connect logical and physical access rights based on an employee's role and criteria defined in FIM. And the smartcard or another physical credential is a natural place for convergence to occur, Wizbowski said.
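The two factors this section keeps returning to, a one-time password from a device (something you have) and a PIN (something you know), can be checked server-side as in the following added example. It is not Gemalto's Protiva code or the FIM API; the OTP algorithm is HOTP as specified in RFC 4226 (the seed below is that RFC's published test seed), while the PIN, the salt, the look-ahead window and the lockout threshold are constructed assumptions for the demo.

```python
"""Added example: a two-factor check combining a possession factor (an HOTP
code from an OTP device, RFC 4226) with a knowledge factor (a PIN).
The seed is the RFC 4226 test seed; PIN, salt, window and lockout
threshold are constructed assumptions, not any vendor's defaults."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


class TwoFactorVerifier:
    """Server-side state for one user: the OTP seed shared with the device,
    the next counter the server will accept, a salted PIN hash, and a
    consecutive-failure count used for throttling (RFC 4226 section 7.3)."""

    def __init__(self, seed: bytes, pin: str, salt: bytes,
                 window: int = 5, max_failures: int = 5):
        self.seed = seed
        self.counter = 0              # next counter expected from the device
        self.salt = salt
        self.pin_hash = self._hash_pin(pin)
        self.window = window          # look-ahead to absorb device/server drift
        self.max_failures = max_failures
        self.failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        # The PIN is stored hashed, never in clear; PBKDF2 slows guessing.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False              # locked; an operator must reset the user
        # Knowledge factor; compare_digest avoids a timing side channel.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        # Possession factor: search the look-ahead window but never a counter
        # the server has already consumed, so a captured code cannot be replayed.
        matched = None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                matched = c
        # Both checks always run; the caller learns only pass/fail, not which
        # factor was wrong.
        if not (pin_ok and matched is not None):
            self.failures += 1
            return False
        self.counter = matched + 1    # resynchronise and consume the code
        self.failures = 0
        return True


if __name__ == "__main__":
    SEED = b"12345678901234567890"   # RFC 4226 test seed (constructed demo)
    v = TwoFactorVerifier(SEED, pin="4321", salt=b"constructed-salt")
    print(v.verify("4321", hotp(SEED, 0)))   # True
    print(v.verify("4321", hotp(SEED, 0)))   # False: replay of a consumed code
    print(v.verify("0000", hotp(SEED, 1)))   # False: wrong PIN
    print(v.verify("4321", hotp(SEED, 3)))   # True: counter 3 is inside the window
```

The detail worth keeping from this is that the possession check is stateful: a code is accepted once, only for a counter the server has not yet consumed, and a wrong PIN never advances the counter, so neither factor can be probed independently of the other.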

Gemalto also was demonstrating its solution for defeating "man in the middle" and SQL injection attacks, which are rocking the finance world in particular. In these attacks, the criminals either make users think they are connecting with their bank when they're actually at a bogus site, or the criminals hijack an authenticated online session to steal credentials and/or transfer cash.

To thwart these, the Gemalto solution puts a smartcard and reader, connected with a USB cable, at the desktop of the financial institution's customer, explained Wizbowski. Instead of connecting to the bank via a Secure Sockets Layer (SSL) connection over the Internet, the smartcard serves up a browser session to the user--and can only do so if the card is in the reader and the user enters the right PIN.

"The card packages up the session," Wizbowski told Security Squared. "There's no injection capability." Before transmitting the completed session to the financial institution, it's fully encrypted. At no time is the session live on the Internet.

"The ideal customer for this is a business transacting large sums of money," Wizbowski said. Those could include mortgage closings, payrolls, wire transfers, etc. Eventually, as more laptops come equipped with card readers and/or biometric readers, as US credit cards get smarter and as consumers worry more about online security risks, such two and three-factor authentication will become more widespread, he said.

"Consumers are frustrated with payment technology that doesn't protect them," Wizbowski said.

That could be another way "consumerization" influences enterprise security: if consumers are using more smartcard and two-factor authentication technology at home--which is already the case in Europe and Asia--they should be more comfortable using it at work.


Using What You Already Have

Taking something people already have at work, are familiar with and then turning it into a second factor of authentication is at the core of the v-GO Universal Authentication Manager (v-GO UAM) from Passlogix.

With v-GO UAM, a user taps the same proximity or smartcard they used to enter the building against a reader on their PC; that's the first factor of authentication. Then the user enters a second factor--a PIN code. Tapping the badge again will lock the workstation or log the user off.

The solution works with cards from any vendor. Further, users self-enroll: if v-GO UAM does not recognize the card the first time it is tapped, it will prompt the user through a simple enrollment screen.

"We're card agnostic, we're authentication agnostic," Michele Favaro, vice president of marketing, Passlogix, told Security Squared. "We can't tell customers how they should get into their systems."

That said, the solution offers enterprises flexibility in how strong they'd like to be with authentication, she said. For example, v-GO UAM offers self-service password retrieval, and companies can customize how tough the questions will be for a user to answer. One client will not permit any questions or answers that conceivably could be found in its human resources database, Favaro said.

Future versions of v-GO UAM will support additional authentication factors, such as USB tokens and biometrics, with enterprises able to choose which groups of employees could use which factors, depending on security needs or work environments. It can also be combined with Passlogix's single sign-on solution, which in turn can be configured so that employees never know the password they're using to access applications.

That scenario, using a building card plus a password generated by the system but unknown to the user, thwarts social engineering criminal schemes, Favaro said. "We're taking the keys out of the front door," she said.


More Convergence at the Credential Level?

The actual front door of an enterprise has traditionally been the domain of physical access control systems and their vendors. Today, some of these and other physical security vendors are asking more questions about how to extend their offerings into the digital realm, said Nora Cox, senior manager, product management, for Entrust, the Ottawa-based digital identity security solutions provider.

"It's market driven," Cox told Security Squared, pointing out that the physical access space is a fairly mature market. "They'd like to take that same credential and use it for more things."

Her colleague, Mike Moir, product manager, said compliance is driving enterprises to consider stronger authentication, but that cost remains an issue in what technologies they adopt and how converged the solutions might be.

"Most of the regulations are very loose, requiring you to do 'something,' but what is that 'something?'" he said. Most enterprises tend to opt for something less expensive than a smart card. Yet they remain concerned about damage to their brand and reputation from a data breach, Moir said.

"It makes more sense to manage one system than two diverged," he said of the usual separation of physical access and logical/network access. Doing so would enable enterprises to get more return on investing in the more expensive--and more secure--authentication factors.

# # #