THE CISO’S GUIDE To Deploying True Passwordless Security by Bojan Simic and Ed Amoroso 2020 Edition



TRUE PASSWORDLESS MFA

www.HYPR.com · ©2020 HYPR All Rights Reserved

HYPR DEPLOYMENT OVERVIEW FOR MANAGERS

HYPR is designed to eliminate credential stuffing, phishing and password reuse for consumer and employee-facing applications. Unlike authentication methods that rely on centralized passwords stored inside the enterprise, HYPR leverages decentralized authentication to securely store your users’ credentials on their personal devices. This decentralized approach to password-less security removes the hackers’ primary target and forces attackers to focus on each device individually, drastically shifting the economics in the enterprise’s favor.

The HYPR platform is designed to empower true password-less security for large-scale consumer applications, enterprise business use, and integration with existing identity and access management (IAM) infrastructures. An advantage of the platform is a level of interoperability that enables practical transition to a true password-less architecture for a full range of mobile, web, and desktop applications.

This white paper provides security and IT managers with a high-level executive overview of the typical deployment process for HYPR. The purpose is to help managers and practitioners better understand the types of activities that will be required to decentralize their authentication process using the HYPR platform for their organization. More detailed descriptions of the actual steps involved in deployment will be provided by the HYPR team to project participants.


HYPR deployments follow two categories of use cases, each with its own set of practical, technical, and administrative concerns. The specifics of these deployment use cases are sufficiently different to warrant management explanation, hence this document. The following sections explain how each case proceeds in the most typical projects.

TWO CATEGORIES OF HYPR DEPLOYMENT

HYPR FOR CONSUMER APPLICATIONS

This case involves line-of-business, digital identity, and fraud teams seeking to reduce customer fraud and account takeover caused by credential stuffing and password reuse. It is generally performed in the context of a digital transformation initiative for business-to-consumer offerings and to meet regulatory compliance requirements such as PSD2 or SCA (Strong Customer Authentication).

HYPR FOR ENTERPRISE USE

This case involves enterprise security teams wishing to decentralize their authentication to reduce the risk of compromise such as phishing and advanced persistent threat (APT) exfiltration. It is generally performed to enable true password-less authentication to Windows and macOS workstations, as well as Single Sign-On, VPN, and VDI login.


HYPR DEPLOYMENT FOR CONSUMER APPLICATIONS

Modern digital transformation initiatives are often at the root of the management decision to deploy HYPR for large-scale consumer mobile applications. As service and application providers realize the need to minimize personal credential risk, while also optimizing the user experience with as little friction as possible, the decision to integrate HYPR makes perfect sense, because it directly supports both increased security and an improved end user experience.

This initial use case for HYPR deployment involves a business or provider dealing with a large consumer base and wanting decentralized credential support. Retail banks, social media companies, Internet service providers, insurance companies, and on-line email vendors are good examples of this category of deployment. In this use case, HYPR enables true password-less authentication for consumer-facing mobile and web applications. The result is a phishing-resistant login experience powered by the user’s mobile device.

To ensure success, various cross-functional teams would be involved in the HYPR deployment process. For example, user experience teams, cyber security teams, privacy teams, and software engineering teams will participate in the integration, with direct support from the HYPR team. This team approach allows for meticulous attention to detail as the HYPR toolkit is used by these large groups of developers and experts to enable password-less security.

This use case presumes that a trained team of capable developers is available who understand how to integrate the HYPR software development toolkit (SDK).

Figure: Passwordless Consumer Authentication. Components shown: HYPR User, Web Application, Identity Management System, HYPR FIDO Server, HYPR FIDO Authenticator. Steps:

1. User Request

2. User Validity Check

3. Authentication Initiation

4. Authentication Challenge

5. FIDO Signed Response

6. Authentication Complete
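Steps 4 to 6 of the figure, as an added Go example that is not HYPR’s SDK or server code: a constructed relying party (the name "bank.example" is assumed) issues a one-time challenge, the key held on the user’s device signs it together with the origin it was asked by, and the server verifies with nothing but the public key. Going beyond the figure, it also shows why a challenge relayed through another origin, a replayed response, or a key the server never enrolled all fail verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }
// Server models the FIDO server: it stores only public keys and the unanswered
// one-time challenges it issued, so there is no central password store to steal.
type Server struct{ rpID string; pub *ecdsa.PublicKey; issued map[string]bool }
// Register is the assumed enrollment step: the server receives only the public half.
func Register(rpID string) (*Authenticator, *Server, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key}, &Server{rpID, &key.PublicKey, map[string]bool{}}, nil
}
// signedData binds a signature to the relying party and the challenge (WebAuthn shape).
func signedData(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rp[:], challenge...))
	return d[:]
}
// NewChallenge is step 4: fresh random bytes, remembered so each is answered once.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[string(c)] = true
	return c, nil
}
// Sign is step 5; askedBy is the origin the device thinks it is talking to (a phishing relay signs its own name).
func (a *Authenticator) Sign(challenge []byte, askedBy string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.key, signedData(askedBy, challenge))
}
// Verify is step 6: rejects unknown or replayed challenges, other-origin signatures, and unenrolled keys.
func (s *Server) Verify(challenge, sig []byte) bool {
	if !s.issued[string(challenge)] {
		return false
	}
	delete(s.issued, string(challenge)) // consumed before checking, so a captured response cannot be replayed
	return ecdsa.VerifyASN1(s.pub, signedData(s.rpID, challenge), sig)
}
```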


DEPLOY HYPR FOR CONSUMER AUTHENTICATION IN 2 EASY STEPS

Integration of HYPR for consumer mobile applications will generally focus on the following two common integration points:

Back-End Infrastructure: This includes the applications, systems, and networks that support the decentralized security that characterizes HYPR.

Front-End Mobile Apps: These are used by consumers to gain access to the specific set of services being secured.

Deployment to these integration points is straightforward because, in contrast to most enterprise teams, the typical organization working to embed HYPR for consumer applications will have experience with software development toolkits (SDKs). They will have no trouble selecting a desired interface such as OAuth or OpenID Connect for use with their application, and it is not unusual for total project integration efforts to take less than a full day of work.

A recent consumer application project for a Global 2000 financial institution, for example, involves integration of HYPR into the company’s mobile application experience for Internet-based eCommerce services. In this case, tens of millions of consumers used these on-line services and the overall successful deployment process took only two and a half days of work.


HYPR DEPLOYMENT FOR ENTERPRISE

The presumption in HYPR usage for enterprise is that simple integration is as important as the functional controls that result from the software integration. This makes sense, because if the HYPR platform cannot be simply deployed, then regardless of the security value, CISO teams will have no reasonable means to move forward. As suggested above, CISO teams rarely include teams of experienced and available software developers.

The HYPR team has therefore predefined modules for deployment and integration into existing endpoint, server, and network infrastructure. Tailoring for an enterprise requires only the skills to use administrative tools and to install software, rather than any need to code new applications, middleware, or scripts.

HYPR’s goal is for CISO-led teams to have little trouble integrating the decentralized authentication platform into their enterprise in a straightforward manner.

Figure: Passwordless Workstation Login. Components shown: Workstation, Mobile Device, HYPR FIDO Server. Steps:

1. Locked Workstation State

2. Initiate Workstation Unlock

3. Request FIDO Authentication

4. Secret Authorization

5. Secret Verification

6. Validate Security Context

7. Workstation Unlocked


DEPLOY HYPR ACROSS THE ENTERPRISE IN 5 EASY STEPS

The most typical HYPR enterprise deployment includes the following five steps, each of which will require the coordination of security and IT operations teams. It should be noted that most enterprise teams run Windows on their PC endpoints, in coordination with either BYOD or corporate-owned mobiles. Obviously this can vary, but we list below the steps that have been most commonly observed for HYPR customers in this common configuration:

Step 1: Endpoint Credential Provider

This first step requires that the enterprise team install the HYPR client onto all endpoints. The HYPR client simply switches the existing Credential Provider function on Windows endpoints from its default password logon to certificate-based logon. This first step is roughly the same for macOS, but the specific utility is obviously different. The HYPR team will work with the enterprise to utilize whatever endpoint software deployment tool is preferred for this endpoint step.

Step 2: Domain Controller Setting

This second step involves the enterprise IT teams enabling Certificate Based Logon on the Windows Domain Controller. This setting is disabled by default, but the feature is required for proper client-server interaction with the HYPR platform. Administrators simply need to click to enable the feature on the server.

Step 3: HYPR Server Deployment

The third step in the deployment process involves installation of the HYPR server either on-premises or in the cloud. This step is highly dependent on the local requirements, policies, and constraints for server deployment at the customer’s enterprise. In some cases, this requires considerable documentation and assurance, and the HYPR team will assist accordingly. The HYPR server runs as a virtual appliance on the deployed server.

Step 4: Enterprise Architecture

Each enterprise will have different requirements for architectural support of the new HYPR platform, including the server. Data replication, disaster recovery, hot standby requirements, and other considerations are often important aspects of a HYPR enterprise deployment. Again, the HYPR team will follow local guidance from the enterprise team to ensure that all functional, resilience and assurance requirements are met.

Step 5: Mobile App

All HYPR deployments require the mobile app, which is used to store user credentials. Obviously, pushing the mobile app to employee and contractor mobile devices will follow the local mobile device management (MDM) and enterprise mobility management (EMM) tools in place. The end result is that each user has the HYPR mobile app installed on their mobile device, white-labeled and branded for their organization.


SUMMARY

The most obvious enterprise advantage enabled by the HYPR deployment is that a true password-less architecture emerges, and this is both more secure for the organization and more popular with users than the existing password solution. Additional advantages include the ability to create fine-grained user access policies, and to integrate with related identity and access management (IAM) tools such as Okta, ForgeRock, CA Single Sign-On, Ping Federate, and many others.

ABOUT HYPR CORP

HYPR is the leading provider of True Password-less Security. With millions of users deployed across the Global 2000, HYPR is the first Decentralized Authentication Platform designed to eliminate credential reuse, fraud and phishing for consumers and employees across the enterprise.

NEED MORE INFORMATION?

For additional details on HYPR deployment for either consumer or enterprise use, please reach out to [email protected]

www.HYPR.com