Page 1

2-Factor Authentication and Single Sign-On in a Mobile World

Thursday, December 5, 2013

www.secureauth.com

© 2012 SecureAuth. All rights reserved.

Page 2

2FA & SSO in a Mobile World - Agenda

• Challenges of Mobile Technology on the Enterprise
• The Reality of this Challenge
• Security Implications
• Mobile Architecture
• 2-Factor Authentication
• Mobile Fingerprinting
• Single Sign-on
• Self-Service Password Reset
• One-touch Revocation
• Conclusions

Page 3

Mobile Challenges

• Which Mobile Device Management?
• How do you drive new services?
• How do you manage the ever-growing complexity?
• What to do when the number of devices goes up exponentially?
• Are you faced with departments bulk-buying devices without an IT process?
• How do you manage devices that suddenly appear on your network?

Page 4

The Reality

• The migration from desktop to mobile has already begun
• The migration will only gain speed as mobile devices become more capable
• Business units want to move quickly
• This creates a piecemeal solution:
  - Cloud based
  - Blackberry
  - Multiple MDMs
• Reactive environment managing devices that suddenly appear
• Speed to market is much greater
• Need to help employees strategically contribute to the bottom line

Page 5

WHY DOES AN ENTERPRISE NEED TO BECOME AN IDENTITY PROVIDER?

(Diagram: 2005 enterprise users vs. 2013 enterprise users)

2005 enterprise users: 1x ID, device, password; few applications.

2013 enterprise users (BYOD): nx IDs, devices, passwords; many applications.

Page 6

Security Implications in Mobile

• How do you safely allow devices not owned by corporate onto the network without adding wrappers?
• How do you separate personal and corporate data?
• Companies are replacing MDM every 2-3 years

Playing vanilla is reactive:

• Long-term cost is unpredictable
• Stuck using development tools native to the MDM
• User satisfaction is varied

Page 7

Mobile Architecture

Best Practices

• All mobile devices should connect to an SSID that is off the corporate network
• The user and the device should be authenticated
• Only application-level connectivity should be allowed

Page 8


USING IDP TO MANAGE MOBILE

Definition:

• A system that creates, maintains, and manages identity information.

• Provides principal authentication to other service providers (applications) within a federation or distributed network.

• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).

Source: MIT Knowledge Base

An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. the applications:

1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token

(Diagram: the "Scope of Trust" spans the User, the Enterprise Identity Provider (IdP) and the Service Provider (SP); steps 1-3 run between them.)
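The three-step redirect above, as an added example in Python that is not part of the SecureAuth deck: the IdP mints a signed, audience-bound, short-lived assertion, and the SP verifies it instead of merely decoding it. The token format (base64url claims plus an HMAC-SHA256 tag), the shared key, the issuer URL and the SP names are assumptions made for the example; SAML, WS-Fed and OpenID carry the same claims with different encodings and signatures, and the SP-side checks (signature before anything else, issuer, audience, validity window, single use) apply to all of them.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for the example: a symmetric key shared between the enterprise IdP and
# its SPs. Real SAML / WS-Fed deployments sign with the IdP's X.509 key pair instead.
SP_KEY = secrets.token_bytes(32)
IDP_ISSUER = "https://idp.example.internal"   # hypothetical issuer name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue(subject: str, audience: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Steps 2-3: after authenticating the user, the IdP mints a short-lived assertion
    bound to one SP (the audience) and signs it. Format: base64url(claims).base64url(mac)."""
    claims = {
        "iss": IDP_ISSUER,
        "sub": subject,
        "aud": audience,
        "nbf": now - 30,                 # small allowance for clock skew
        "exp": now + ttl,
        "jti": secrets.token_hex(16),    # unique id so the SP can detect replay
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


class ServiceProvider:
    """The SP side of step 3: it must verify the assertion, not just decode it."""

    def __init__(self, audience: str, key: bytes):
        self.audience = audience
        self.key = key
        self.seen_ids = set()   # replay cache; in production bounded and shared across nodes

    def accept(self, token: str, now: int):
        """Returns (True, subject) or (False, reason). The signature is checked before
        any claim is trusted; every later check reads only authenticated data."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, sig = parts
        try:
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False, "bad signature"
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if claims.get("iss") != IDP_ISSUER:
            return False, "unknown issuer"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if not (claims["nbf"] <= now < claims["exp"]):
            return False, "outside validity window"
        if claims["jti"] in self.seen_ids:
            return False, "replayed"
        self.seen_ids.add(claims["jti"])
        return True, claims["sub"]


def demo() -> dict:
    """Walks one user through the flow and records what the SP rejects and why."""
    now = 1_700_000_000
    crm = ServiceProvider("https://crm.example.com", SP_KEY)   # hypothetical SP
    hr = ServiceProvider("https://hr.example.com", SP_KEY)     # second SP, same IdP
    # Step 1: user is sent to the IdP; step 2: IdP authenticates (2FA) and issues the token
    token = idp_issue("alice@example.com", "https://crm.example.com", SP_KEY, now)
    # An attacker who can read the token but not the key edits the subject claim
    body, sig = token.split(".")
    forged_claims = json.loads(_unb64(body))
    forged_claims["sub"] = "mallory@example.com"
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    return {
        "fresh": crm.accept(token, now),
        "replay": crm.accept(token, now)[1],
        "too_early": crm.accept(token, now - 120)[1],
        "expired": crm.accept(token, now + 600)[1],
        "other_sp": hr.accept(token, now)[1],
        "forged": crm.accept(forged, now)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The audience check is the one most often skipped in home-grown integrations: without it, a token issued for one SP in the circle of trust logs the user into every other SP that shares the IdP key.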

Page 9

2-Factor Authentication

• X.509 v3 Certificates
• SMS OTP
• Telephony OTP
• E-mail OTP
• Help Desk
• Prox Cards
• NFC
• Yubikey USB Keys
• CAC/PIV Cards
• Kerberos / IWA
• Static PIN
• Custom

Page 10

THE AUTHENTICATION FUNNEL

(Diagram: funnel stages labelled Accept, Authorization, Authentication, Accounting, Assert. Annotation beside the funnel: "This is where the integrators/consultants put their hacks in place.")

Page 11

Mobile Device Fingerprinting

• Pulls unique device characteristics such as headers, fonts, time zones, etc.
• Can set a "trust period" for the device, from hours to years
• Can revoke with "1-touch" from the help desk console: select which device to revoke
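The fingerprint-plus-trust-period-plus-revocation mechanism described on this slide, as an added Python example that is not SecureAuth's code: device attributes are canonicalised and hashed, the hash is enrolled for a user with an expiry, a trusted device skips the second factor until the trust period ends, and the help desk revokes one selected device without touching the others. The attribute set, the device labels, the sample header values and the user names are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Attributes the example treats as the device's stable characteristics (constructed;
# a real product keys on its own, larger set of headers, fonts, time zone, ...).
STABLE_KEYS = ("user_agent", "accept_language", "fonts", "timezone", "screen")

HOUR = 3600
DAY = 24 * HOUR


def fingerprint(attrs: dict) -> str:
    """Canonicalise the stable attributes and hash them; only the hash is stored,
    so the trust store never holds raw header values."""
    canon = {k: attrs.get(k) for k in STABLE_KEYS}
    if isinstance(canon["fonts"], (list, tuple)):
        canon["fonts"] = sorted(canon["fonts"])   # font enumeration order is not stable
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


@dataclass
class TrustedDevice:
    device_id: str
    fp: str
    label: str
    enrolled: int
    expires: int
    revoked: bool = False


class DeviceTrustStore:
    """Per-user list of trusted devices with a trust period and help-desk revocation."""

    def __init__(self):
        self._by_user = {}
        self._next = 1

    def enroll(self, user: str, attrs: dict, now: int, trust_seconds: int, label: str) -> str:
        """Called once the user has passed 2FA on this device; trust_seconds is the
        configured trust period (hours to years)."""
        dev = TrustedDevice(f"dev-{self._next:04d}", fingerprint(attrs), label,
                            now, now + trust_seconds)
        self._next += 1
        self._by_user.setdefault(user, []).append(dev)
        return dev.device_id

    def is_trusted(self, user: str, attrs: dict, now: int) -> bool:
        fp = fingerprint(attrs)
        return any(
            not d.revoked and now < d.expires and hmac.compare_digest(d.fp, fp)
            for d in self._by_user.get(user, [])
        )

    def revoke(self, user: str, device_id: str) -> bool:
        """The '1-touch' help-desk action: only the selected device loses trust."""
        for d in self._by_user.get(user, []):
            if d.device_id == device_id:
                d.revoked = True
                return True
        return False

    def console(self, user: str, now: int) -> list:
        """What the help desk sees when choosing which device to revoke."""
        rows = []
        for d in self._by_user.get(user, []):
            state = "revoked" if d.revoked else ("expired" if now >= d.expires else "trusted")
            rows.append((d.device_id, d.label, state))
        return rows


def second_factor_required(store: DeviceTrustStore, user: str, attrs: dict, now: int) -> bool:
    """Policy hook: a trusted device skips the OTP prompt until its trust period ends."""
    return not store.is_trusted(user, attrs, now)


def demo() -> dict:
    now = 1_700_000_000
    store = DeviceTrustStore()
    # Constructed sample attributes for two of alice's devices.
    phone = {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)",
             "accept_language": "en-US,en;q=0.8", "fonts": ["Helvetica", "Arial", "Courier"],
             "timezone": "America/Los_Angeles", "screen": "640x1136"}
    laptop = {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)",
              "accept_language": "en-US,en;q=0.8", "fonts": ["Arial", "Courier", "Helvetica", "Menlo"],
              "timezone": "America/Los_Angeles", "screen": "1440x900"}
    phone_id = store.enroll("alice", phone, now, 30 * DAY, "iPhone")     # trust for a month
    store.enroll("alice", laptop, now, 8 * HOUR, "MacBook")              # trust for a shift
    abroad = dict(phone, timezone="Europe/London")   # same phone after travelling
    return {
        "phone_next_day": second_factor_required(store, "alice", phone, now + DAY),
        "phone_abroad": second_factor_required(store, "alice", abroad, now + DAY),
        "laptop_in_shift": second_factor_required(store, "alice", laptop, now + 2 * HOUR),
        "laptop_after_shift": second_factor_required(store, "alice", laptop, now + 9 * HOUR),
        "phone_day_31": second_factor_required(store, "alice", phone, now + 31 * DAY),
        "bob_on_alice_phone": second_factor_required(store, "bob", phone, now + DAY),
        "revoked": store.revoke("alice", phone_id),
        "phone_after_revoke": second_factor_required(store, "alice", phone, now + DAY),
        "console_next_day": store.console("alice", now + DAY),
    }
```

Two caveats a deployment should keep in mind: every attribute in the fingerprint is visible to anything on the network path, so the fingerprint is a "remember this device" signal that reduces prompting and never a secret that replaces the second factor; and any change to a stable attribute (here, the time zone after travel) simply drops the device back to full 2FA, which is the safe failure mode.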

Page 12

IdP for Mobile

SecureAuth Delivers:

1. Multi-Factor Authentication
2. IdP (SSO to cloud, web, gateways, mobile)
3. IdM (Identity Management)

Single SSO/2F Platform for Web, Network, Cloud and Mobile Resources

Page 13


IdP - The (4) Resources

4 Key IdP integrations

1.Web

2.VPN/Gateways

3.SaaS/Cloud

4.Mobile


Page 14


1. IdP – SSO (Web)

1. Web
2. Gateway / VPN
3. SaaS / Cloud
4. Mobile Apps

(Diagram: the user performs 2-Factor / PKBA authentication at the IdP, which asserts identity (2F/SSO) to Enterprise Web Applications.)

Page 15


2. IdP – SSO (VPN/Gateway)

(Diagram: the user performs 2-Factor / PKBA authentication at the IdP, which asserts identity (2F/SSO) to Gateways / VPNs.)

Page 16


3. IdP – SSO (Cloud/SaaS)

(Diagram: the user performs 2-Factor / PKBA authentication at the IdP, which asserts identity (2F/SSO) to SaaS Apps.)

Page 17

4. IdP – Native Mobile Apps

2F/SSO for mobile provides:

• 2-Factor Auth
• Directory-based Auth
• SSO to other apps
• No thick client

(Diagram: the IdP asserts identity (2F/SSO) to native mobile apps.)

Page 18

Configurable Authentication: 20 methods

SecureAuth IdP

1. SMS OTP
2. Telephony OTP
3. Email OTP
4. Static PIN
5. KBA/KBQ
6. Yubikey (USB)
7. X.509 Native
8. X.509 Java
9. NFC Prox Card
10. CAC/PIV Card
11. Mobile OATH Token (TOTP)
12. Browser OATH Token
13. Windows Desktop OATH Token
14. 3rd Party OATH Tokens
15. PUSH Notification
16. Help Desk
17. Social IDs (Google, Facebook, Twitter, LinkedIn)
18. Federated IDs (SAML, WS-Fed, OpenID)
19. Device Fingerprinting
20. Password
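Of the OTP methods listed here and on the 2-Factor Authentication slide, the OATH token (TOTP, RFC 6238, built on HOTP, RFC 4226) is the one a practitioner can implement end to end. The following is an added Python example, not SecureAuth's code: the HMAC-SHA1 code generation, the enrollment seed and otpauth URI an authenticator app scans, and a server-side verifier that tolerates one step of clock skew but never accepts a code twice. The RFC test seed is used for the deterministic checks; the issuer and account names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def enroll(issuer: str, account: str):
    """Server side of enrollment: a random 160-bit seed and the otpauth URI that the
    mobile authenticator app imports (usually rendered as a QR code)."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return secret, uri


class TotpVerifier:
    """Server-side check with two guards the bare algorithm lacks: a skew window of
    +/- `window` steps, and a high-water mark so a code captured in transit cannot be
    replayed within its own 30-second step."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = DIGITS, step: int = STEP):
        self.secret, self.window, self.digits, self.step = secret, window, digits, step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue        # already consumed, or older than one that was consumed
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    # RFC 4226 / RFC 6238 Appendix B test seed: ASCII "12345678901234567890".
    rfc_seed = b"12345678901234567890"
    _, uri = enroll("ExampleCorp", "alice@example.com")   # hypothetical names
    v = TotpVerifier(rfc_seed)
    now = 59                              # step 1 for the RFC vectors
    code_now = totp(rfc_seed, now)        # counter 1
    code_prev = totp(rfc_seed, now - STEP)  # counter 0
    code_next = totp(rfc_seed, now + STEP)  # counter 2
    return {
        "rfc_t59_8digit": totp(rfc_seed, 59, digits=8),
        "rfc_t1111111109_8digit": totp(rfc_seed, 1111111109, digits=8),
        "hotp_counter_0": hotp(rfc_seed, 0),
        "uri_prefix": uri.split("?")[0],
        "accept_now": v.verify(code_now, now),
        "replay_now": v.verify(code_now, now),
        "prev_after_now": v.verify(code_prev, now),
        "next_with_skew": v.verify(code_next, now),
        "wrong_length": v.verify("12345", now + 2 * STEP),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The high-water mark is what turns a six-digit code into a genuinely one-time factor on the server; without it, anyone who phishes or shoulder-surfs a code has up to 30 seconds (plus the skew window) to reuse it.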

Page 19

Conclusion – Mobile Strategy

1. There are alternatives to MDM
2. MDM solutions have a 2-3 year life cycle
3. MDM may limit your ability to service users
4. Keep mobile devices off corporate networks: the WiFi SSID should be separate from the corporate WAN/LAN
5. Take an application-centric approach to mobile
6. 2-factor/multifactor authenticate the user AND the device
7. Leverage native mobile applications and web applications
8. Allow single sign-on to native, web, and SaaS applications
9. Enable users to strategically contribute to the bottom line
10. Mobile strategies should be enabling

Page 20


Thank you!

SecureAuth Contacts

Who | Title | E-mail | Phone
Sales | Sales | [email protected] | +1.949.777.6959
Joe Revels | Sales Director, Northwest and Asia Pacific | [email protected] | +1.415.302.3002

www.secureauth.com