ActivIdentity Extends Potential Reach of Two-Factor Authentication

In a move that makes two-factor authentication more affordable through broader support for soft tokens and mobile devices, ActivIdentity Corporation today released 4TRESS Authentication Server 7.0. The platform is being marketed heavily to banks to protect their online customers and supports 15 two-factor authentication methods, designed to thwart increasingly common cyber-attacks by strengthening the proof that the person initiating a transaction is who they claim to be.

How It Works


4TRESS sits in the background, its work largely transparent to the end user, who continues to interact with the "channel management system," such as an Internet banking site, said Julian Lovelock, director of commerce markets worldwide for ActivIdentity, in an interview with Security Squared.

The Internet banking system prompts the user to authenticate; the user could enter, say, a one-time password (OTP) generated by a token. The Internet banking system then queries 4TRESS through an authentication policy call that asks, in effect, whether this user may be given access to a specific application or service, such as retail banking.

In turn, 4TRESS checks the policy set up for that channel, specifically which kind of credential is valid for the user (a password or a token, for instance), then validates the credential using the appropriate algorithm. It records the transaction in the audit log and returns a response to the Internet banking system authenticating the individual.
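The flow above (channel prompts, user presents a credential, the server applies the channel's policy, validates with the right algorithm, writes an audit record, answers) can be modelled in a few dozen lines. The following is an added example written for this page, not ActivIdentity code and not a description of how 4TRESS validates anything: the article does not say which OTP algorithms the product uses, so this model assumes HOTP (RFC 4226) for the token credential and a server-generated single-use code for the out-of-band credential the article discusses further down. The channel names, the user "alice", the phone number and the demo seed are all constructed; `AuthServer`, `issue_oob_code` and `authenticate` are names chosen here.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo seed (the RFC 4226 test-vector key); a real token seed is random and per-device.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class HotpCredential:
    secret: bytes
    counter: int = 0                 # next counter value the server will accept


@dataclass
class OobCredential:
    address: str                     # where out-of-band codes are delivered (phone number, e-mail)
    pending: Optional[Tuple[str, float]] = None   # (code, expiry timestamp) currently outstanding


@dataclass
class AuthServer:
    policy: dict                     # channel -> set of credential types that channel may accept
    users: dict                      # user -> {credential type -> credential object}
    audit: list = field(default_factory=list)
    lookahead: int = 5               # counter values an HOTP token may have drifted ahead
    oob_ttl: float = 120.0           # seconds an out-of-band code stays valid

    def issue_oob_code(self, user: str, now: Optional[float] = None) -> str:
        """Create a single-use code for the user's out-of-band channel. It is returned here only
        so the demo can simulate delivery; a real server hands it to an SMS/voice/e-mail gateway
        and never exposes it to the online channel."""
        ts = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.users[user]["oob"].pending = (code, ts + self.oob_ttl)
        return code

    def authenticate(self, channel: str, user: str, cred_type: str, value: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
        """Policy check, credential validation, audit record, decision. The channel system should
        relay only the boolean; the detailed reason stays in the audit log (no user enumeration)."""
        ts = time.time() if now is None else now
        allowed, reason = self._decide(channel, user, cred_type, value, ts)
        self.audit.append({"ts": ts, "channel": channel, "user": user, "type": cred_type,
                           "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, channel, user, cred_type, value, now):
        accepted = self.policy.get(channel)
        if accepted is None:
            return False, "unknown_channel"
        if cred_type not in accepted:
            return False, "credential_type_not_allowed_for_channel"
        cred = self.users.get(user, {}).get(cred_type)
        if cred is None:
            return False, "no_such_credential"
        if cred_type == "hotp":
            for c in range(cred.counter, cred.counter + self.lookahead):
                if hmac.compare_digest(hotp(cred.secret, c), value):
                    cred.counter = c + 1     # advance past the used counter so the code cannot be replayed
                    return True, "hotp_ok"
            return False, "hotp_mismatch_or_replay"
        if cred_type == "oob":
            if cred.pending is None:
                return False, "no_oob_code_outstanding"
            code, expiry = cred.pending
            cred.pending = None              # single use: a wrong guess also burns the outstanding code
            if now > expiry:
                return False, "oob_code_expired"
            return (True, "oob_ok") if hmac.compare_digest(code, value) else (False, "oob_mismatch")
        return False, "unsupported_credential_type"


def build_demo_server() -> AuthServer:
    """Constructed policy and user store for the demo (not a real deployment)."""
    policy = {"retail_banking": {"hotp", "oob"},   # either factor type accepted on the banking site
              "call_centre": {"oob"}}              # agents may only accept out-of-band codes
    users = {"alice": {"hotp": HotpCredential(DEMO_SECRET), "oob": OobCredential("+1-555-0100")}}
    return AuthServer(policy=policy, users=users)


if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.authenticate("retail_banking", "alice", "hotp", hotp(DEMO_SECRET, 0)))   # (True, 'hotp_ok')
    print(srv.authenticate("retail_banking", "alice", "hotp", hotp(DEMO_SECRET, 0)))   # replay -> denied
    print(srv.authenticate("call_centre", "alice", "oob", srv.issue_oob_code("alice")))  # (True, 'oob_ok')
    for entry in srv.audit:
        print(entry)
```

Two points the model makes explicit that the prose glosses over: the server, not the channel, decides which credential type a channel may accept, so a low-trust channel cannot talk its way into a weaker factor; and every successful validation advances state (the HOTP counter, or the cleared out-of-band code), which is what stops a captured OTP from being replayed. An out-of-band code is only as strong as its delivery channel: a code sent by SMS can be intercepted by anyone who can take over the phone number (SIM swap, carrier-account compromise), so it is a weaker second factor than a code generated on a device the user holds.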

Great Online Appeal


Lovelock said that while this 4TRESS release is initially being marketed to the banking/financial services industry, its features are applicable to many other customer-facing enterprises trying to protect high-value transactions and/or data. Those could include online gaming sites, airline mileage redemption sites, healthcare providers, online retailers storing credit card data and more.

"One of the things we've done in this release is to provide two factor authentication models that don't require a user to be issued a separate device," said Lovelock. 4TRESS 7.0 supports authentication methods like soft tokens, essentially applications downloaded to a mobile phone, PC or within a browser, as well as "out of band" authentication, including SMS. In out of band authentication, an individual may receive a phone call, text message or email over a separate channel, such as a second phone or mobile phone, to authenticate a transaction under way online or in a store.

"It's much more cost effective for an organization to deploy two-factor authentication now that it does not have the cost of issuing physical tokens associated with it," he said.

ActivIdentity sees mobile and smart phones becoming increasingly integral to authentication processes, both as authentication devices and as platforms in need of secure authentication, said Lovelock. "We are looking at how to better secure the phone and putting credentials on the phone to allow it to vouch for identity and secure transactions from the phone and also how we're enabling the phone to be used as part of the authentication process even when that's happening on a different channel."

The Path to Physical Access Control


4TRESS 7.0 also offers enterprise and government entities significant features, Lovelock said. "This release in fact has a reasonably sophisticated directory integration that will let 4TRESS be deployed in an environment with five or six different directories.

"It's almost got a virtual directory capability and references multiple different directories as user master references," he said. "So you can still have a single authentication infrastructure even though your users are spread over multiple different directories."

4TRESS 7.0 also supports authentication of users to cloud-based applications through protocols like SAML and RADIUS.

Future releases of 4TRESS will work toward converging physical and logical access control, beginning with the federally mandated FIPS 201 Personal Identity Verification (PIV) credential space, according to Lovelock.

In those next-generation releases, 4TRESS "essentially will act as an identity provider that recognizes the PIV card as a valid authentication mechanism. It will be able to assert identity based on the PIV card to other relying party systems or to service providers that might be within the infrastructure or might be in the cloud," he said. "They might not understand the identity as defined by the PIV cards, but 4TRESS would be able to assert the identity in terms they did understand using a protocol such as SAML.

"That gives a very good model for an organization that's deploying PIV-C or PIV-I cards, or in government spaces that have deployed PIV cards and want employees to be able to use multiple different applications and authenticate to them using the PIV card," Lovelock said.

The Acquisition by Assa Abloy/HID Global

Last week during ASIS 2010, Assa Abloy, parent of HID Global, announced its intent to acquire ActivIdentity. HID has physical/logical access control strategies in place, and ActivIdentity's current efforts in similar work should be complementary to those.

"Our understanding is the acquisition is driven by HID's desire to push this physical-logical convergence story," said Lovelock.

"If you think about how 4TRESS plays within that world, we're going to have to support a number of different authentication models," he said. "That's where 4TRESS is actually really powerful, because it gives you that flexibility to support a number of different logical access authentication models. Then there are a number of ways you can tie that in to physical access so it's converged around a single device."

# # #