TRANSCRIPT
© 2012 SecureAuth. All rights reserved.
2-Factor Authentication and Single Sign-On in a Mobile World
Thursday, December 5, 2013
www.secureauth.com
2FA & SSO in a Mobile World - Agenda
• Challenges of Mobile Technology on the Enterprise
• The Reality of this Challenge
• Security Implications
• Mobile Architecture
• 2-Factor Authentication
• Mobile Fingerprinting
• Single Sign-on
• Self-Service Password Reset
• One-touch Revocation
• Conclusions
Mobile Challenges
• Which Mobile Device Management?
• How do you drive new services?
• How do you manage the ever-growing complexity?
• What to do when the number of devices goes up exponentially?
• Are you faced with departments bulk buying devices without an IT process?
• How do you manage devices that suddenly appear on your network?
The Reality
• The migration from desktop to mobile has already begun
• The migration will only gain speed as mobile devices become more capable
• Business units want to move quickly
• Creates a piecemeal solution
  - Cloud based
  - Blackberry
  - Multiple MDMs
• Reactive environment managing devices suddenly appearing
• Speed to market is much greater
• Need to help employees strategically contribute to bottom line
WHY DOES AN ENTERPRISE NEED TO BECOME AN IDENTITY PROVIDER?
(Figure: 2005 enterprise users vs. 2013 enterprise users)
• 2005 enterprise users: 1x ID, device, password; few applications
• 2013 enterprise users: nx IDs, devices, passwords; many applications; BYOD
Security Implications in Mobile
• How do you safely allow devices not owned by corporate onto the network without adding wrappers?
• How do you separate personal and corporate data?
• Companies replacing MDM every 2-3 years
Playing vanilla is reactive:
• Long-term cost unpredictable
• Stuck using development tools native to MDM
• User satisfaction is varied
Mobile Architecture
Best Practices
• All mobile devices should connect to an SSID off the corporate network
• The user/device should be authenticated
• Only application-level connectivity should be allowed
USING IDP TO MANAGE MOBILE
Definition:
• A system that creates, maintains, and manages identity information.
• Provides principal authentication to other service providers (applications) within a federation or distributed network.
• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).
Source: MIT Knowledge Base
An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. applications:
1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token
(Figure: "Scope of Trust" between the Enterprise Identity Provider (IdP), the Service Provider (SP) and the User, with steps 1-3 drawn as arrows)
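The three-step exchange above, worked through as an added example that is not SecureAuth's code and not taken from the slides: the SP hands the user to the IdP, the IdP checks a password and a second factor, and the user comes back to the SP with a signed assertion that the SP verifies before trusting the identity. The token format (HMAC over a base64url JSON body), the shared key, the example URLs and the user record are all constructed for this example; a production federation would use SAML or OpenID Connect with public-key signatures instead.

```python
"""Added example (not SecureAuth's code): a minimal IdP -> SP assertion flow.

Models the three steps on the slide: (1) the user is directed to the IdP,
(2) the IdP authenticates the user, (3) the user is redirected back to the
Service Provider (SP) with a token. The token format, the shared HMAC key,
the URLs and the user record are all constructed for this example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: one SP the IdP trusts, keyed by its assertion consumer URL.
SP_KEYS = {"https://sp.example.test/acs": b"constructed-shared-key-for-sp"}

# Constructed user store: password hash plus the user's registered OTP device.
USERS = {"alice": {"pw_sha256": hashlib.sha256(b"correct horse").hexdigest(),
                   "otp_device": "sms:+1-555-0100"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login_url(sp_acs: str, idp_url: str = "https://idp.example.test/login") -> str:
    """Step 1: the SP sends the unauthenticated user to the IdP, carrying
    the SP endpoint the IdP should return the user to."""
    return idp_url + "?" + urlencode({"return_to": sp_acs})


def idp_authenticate(user: str, password: str, otp_ok: bool, sp_acs: str,
                     now: Optional[int] = None, ttl: int = 300) -> Optional[str]:
    """Step 2: the IdP checks both factors. On success it issues a signed
    assertion bound to this SP (audience) with a short lifetime."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(
            rec["pw_sha256"], hashlib.sha256(password.encode()).hexdigest()):
        return None
    if not otp_ok:                       # second factor failed or missing
        return None
    key = SP_KEYS.get(sp_acs)
    if key is None:                      # only assert to SPs the IdP trusts
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": sp_acs, "iat": now, "exp": now + ttl,
              "amr": ["pwd", "otp"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def idp_redirect_url(sp_acs: str, token: str) -> str:
    """Step 3: the IdP redirects the browser back to the SP with the token."""
    return sp_acs + "?" + urlencode({"token": token})


def sp_verify(redirect_url: str, now: Optional[int] = None) -> Optional[dict]:
    """The SP's side of step 3: check signature, audience and expiry before
    trusting the asserted identity. Returns the claims, or None to reject."""
    parsed = urlparse(redirect_url)
    acs = parsed.scheme + "://" + parsed.netloc + parsed.path
    token = parse_qs(parsed.query).get("token", [None])[0]
    key = SP_KEYS.get(acs)
    if token is None or key is None or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # tampered or forged token
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != acs or claims.get("exp", 0) <= now:
        return None                      # wrong audience or expired
    return claims


def run_flow(user: str, password: str, otp_ok: bool,
             sp_acs: str = "https://sp.example.test/acs",
             now: int = 1_000_000) -> Optional[dict]:
    """Drive all three steps; returns the identity the SP ends up trusting."""
    idp_login_url(sp_acs)                                              # step 1
    token = idp_authenticate(user, password, otp_ok, sp_acs, now=now)  # step 2
    if token is None:
        return None
    return sp_verify(idp_redirect_url(sp_acs, token), now=now)        # step 3


if __name__ == "__main__":
    print(run_flow("alice", "correct horse", otp_ok=True))   # claims dict
    print(run_flow("alice", "correct horse", otp_ok=False))  # None
```

The SP never sees the password or the OTP; it trusts only what the IdP asserts, which is why the SP-side checks matter: signature (the assertion really came from the IdP), audience (it was issued for this SP, not replayed from another one) and expiry (a captured token stops working quickly).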
2-Factor Authentication
• X.509 v3 Certificates
• SMS OTP
• Telephony OTP
• E-mail OTP
• Help Desk
• Prox Cards
• NFC
• Yubikey USB Keys
• CAC/PIV Cards
• Kerberos / IWA
• Static PIN
• Custom
THE AUTHENTICATION FUNNEL
(Figure: funnel with the labels X.509, K, Accept, Authorization, Authentication, Accounting, Assert; annotation: "This is where the integrators/consultants put their hacks in place")
Mobile Device Fingerprinting
• Pulls unique device characteristics such as: headers, fonts, time zones, etc.
• Can set "trust period" of device
  • From hours to years
• Can revoke with "1-touch"
  • From help desk console
  • Select which device to revoke
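As an added example (not SecureAuth's implementation), the following shows how the three bullets fit together on the server side: a fingerprint derived from the characteristics the slide names (headers, fonts, time zone), a per-device trust period, and a help-desk style revocation of one selected device. The field set, the registry layout, the `needs_second_factor` policy hook and the sample device signals are all constructed for this example.

```python
"""Added example (not SecureAuth's implementation): device fingerprinting
with a trust period and one-touch revocation.

The characteristics hashed here (request headers, reported fonts, time zone)
are the ones the slide names; the field set, the record layout, the policy
hook and the sample device are all constructed for this example."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed: which signals feed the fingerprint (lower-cased header names).
FINGERPRINT_FIELDS = ("user-agent", "accept-language", "accept-encoding",
                      "fonts", "time-zone")


def fingerprint(signals: dict) -> str:
    """Normalise the chosen characteristics and hash them into a stable
    device identifier. Anything outside FINGERPRINT_FIELDS is ignored so
    volatile headers do not churn the fingerprint."""
    norm = {}
    for key, value in signals.items():
        name = key.lower()
        if name in FINGERPRINT_FIELDS:
            norm[name] = sorted(value) if isinstance(value, list) else str(value).strip().lower()
    canon = json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class DeviceTrust:
    """Per-user registry of trusted device fingerprints."""

    def __init__(self) -> None:
        self._devices: Dict[Tuple[str, str], dict] = {}

    def register(self, user: str, signals: dict, trust_period: timedelta,
                 now: datetime, label: str = "") -> str:
        """Record a device as trusted until now + trust_period (hours to years)."""
        fp = fingerprint(signals)
        self._devices[(user, fp)] = {"label": label,
                                     "trusted_until": now + trust_period,
                                     "revoked": False}
        return fp

    def is_trusted(self, user: str, signals: dict, now: datetime) -> bool:
        rec = self._devices.get((user, fingerprint(signals)))
        return rec is not None and not rec["revoked"] and now < rec["trusted_until"]

    def list_devices(self, user: str) -> List[dict]:
        """Help-desk console view: the devices an operator can pick from."""
        return [{"fingerprint": fp, **rec}
                for (owner, fp), rec in self._devices.items() if owner == user]

    def revoke(self, user: str, fp: str) -> bool:
        """One-touch revocation of a single device; other devices stay trusted."""
        rec = self._devices.get((user, fp))
        if rec is None:
            return False
        rec["revoked"] = True
        return True


def needs_second_factor(registry: DeviceTrust, user: str, signals: dict,
                        now: datetime) -> bool:
    """Policy hook: a recognised, unexpired, unrevoked device skips the
    step-up; anything else must present a second factor."""
    return not registry.is_trusted(user, signals, now)


def demo() -> dict:
    """Walk one device through registration, drift, expiry and revocation."""
    now = datetime(2013, 12, 5, tzinfo=timezone.utc)
    laptop = {  # constructed sample signals
        "User-Agent": "Mozilla/5.0 (constructed sample)",
        "Accept-Language": "en-US,en;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Fonts": ["Verdana", "Arial", "Calibri"],
        "Time-Zone": "America/Los_Angeles",
        "X-Request-Id": "abc123",  # ignored: not a fingerprint field
    }
    reg = DeviceTrust()
    result = {"unknown_device": needs_second_factor(reg, "alice", laptop, now)}
    fp = reg.register("alice", laptop, timedelta(days=30), now, label="work laptop")
    later = now + timedelta(days=1)
    result["trusted_device"] = needs_second_factor(reg, "alice", laptop, later)
    moved = dict(laptop, **{"Time-Zone": "Europe/Berlin"})
    result["changed_timezone"] = needs_second_factor(reg, "alice", moved, later)
    result["after_trust_period"] = needs_second_factor(reg, "alice", laptop,
                                                       now + timedelta(days=31))
    result["revoked"] = reg.revoke("alice", fp)
    result["after_revocation"] = needs_second_factor(reg, "alice", laptop, later)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A fingerprint built from headers and fonts drifts whenever the browser or OS updates, and it can be copied by anyone who observes the same request, so it lowers friction on a recognised device rather than acting as a credential in its own right. That is why the trust period and the revocation path matter: a changed fingerprint, an expired trust window or a help-desk revocation all simply send the user back through the second factor.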
IdP for Mobile
SecureAuth Delivers:
1. Multi-Factor Authentication
2. IdP (SSO to cloud, web, gateways, mobile)
3. IdM (Identity Management)
Single SSO/2F Platform for Web, Network, Cloud and Mobile Resources
IdP - The (4) Resources
4 Key IdP integrations
1. Web
2. VPN/Gateways
3. SaaS/Cloud
4. Mobile
1. IdP – SSO (Web)
(Figure: the IdP asserts identity (2F/SSO) to Enterprise Web Applications; labels K, PKBA, 2-Factor)
2. IdP – SSO (VPN/Gateway)
(Figure: the IdP asserts identity (2F/SSO) to Gateway / VPNs; labels PKBA, 2-Factor)
3. IdP – SSO (Cloud/SaaS)
(Figure: the IdP asserts identity (2F/SSO) to SaaS Apps; labels K, PKBA, 2-Factor)
4. IdP – Native Mobile Apps
(Figure: the IdP asserts identity (2F/SSO) to Mobile Apps)
2F/SSO for mobile provides:
• 2-Factor Auth
• Directory-based Auth
• SSO to other apps
• No thick client
Configurable Authentication: 20 methods
SecureAuth IdP
1. SMS OTP
2. Telephony OTP
3. Email OTP
4. Static PIN
5. KBA/KBQ
6. Yubikey (USB)
7. X.509 Native
8. X.509 Java
9. NFC Prox Card
10. CAC/PIV Card
11. Mobile OATH Token (TOTP)
12. Browser OATH Token
13. Windows Desktop OATH Token
14. 3rd Party OATH Tokens
15. PUSH Notification
16. Help Desk
17. Social IDs (Google, Facebook, Twitter, LinkedIn)
18. Federated IDs (SAML, WS-Fed, OpenID)
19. Device Fingerprinting
20. Password
Conclusion – Mobile Strategy
1. There are alternatives to MDM
2. MDM solutions have a 2-3 year life cycle
3. MDM may limit your ability to service users
4. Keep mobile devices off corporate networks. WiFi SSID should be separate from corporate WAN/LAN
5. Take an application-centric approach to mobile
6. 2-factor/multifactor authenticate the User AND the Device
7. Leverage native mobile applications and web applications
8. Allow single sign-on to native, web, and SaaS applications
9. Enable users to strategically contribute to the bottom line
10. Mobile strategies should be enabling
Thank you!
SecureAuth Contacts
Who / Title / E-mail / Phone
Sales / Sales / [email protected] / +1.949.777.6959
Joe Revels / Sales Director, Northwest and Asia Pacific / [email protected] / +1.415.302.3002
www.secureauth.com