
Two Factor Authentication Systems?

HerculesMO asks: "I've been given a project to undertake that involves setting our internal network systems up to have two factor authentication. I need suggestions to take in front of our CIO that show how the security model works, cost vs benefit/features, and the different options. At this point, the name brand is RSA and I'm pressed to find any others even though I've done looking around. We are open to biometric tokens as well, because they may be used for digital certificate signing for e-mails. Sadly, it has to integrate with our Windows 2003 Active Directory setup... it's not Linux, but I figure Slashdot readers can come up with lots of Linux security tokens that will work under Windows too, so please have at it! :)"
  • by embobo ( 1520 ) on Wednesday October 26, 2005 @08:41PM (#13885751) Homepage
    http://www.smallbusinesscomputing.com/webmaster/article.php/3498116

    It gives pointers to various offerings, including one-time passwords, hardware tokens, smart cards, and biometrics.
  • by Anonymous Coward on Wednesday October 26, 2005 @08:58PM (#13885835)
    Two-factor authentication was a big part of the recent eBay-VeriSign deal. The headlines all mentioned eBay buying VeriSign's payment processing unit for $370 Million. But the agreement also calls for eBay to buy up to 1 million two-factor authentication tokens from VeriSign for use on Paypal [netcraft.com]. eBay will start rolling out the two-factor authentication tokens to Paypal and eBay users in 2006, including marketing and security programs designed to "promote customer adoption."

    This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.

  • by RandomJoe ( 814420 ) on Wednesday October 26, 2005 @09:36PM (#13886021)
    We use the same RSA/Cisco setup where I work. And no, you don't have to enter any other numbers. A few people still have the hard tokens, or key fobs, and they do have to enter the number plus pin. With the soft token, you can open it up in one window and see the same sort of numbers, but they are evidently fed into the VPN client automatically. All I enter is a 4-digit numeric PIN!
  • A few pointers... (Score:2, Informative)

    by eldub1999 ( 515146 ) <eldub@pobo[ ]om ['x.c' in gap]> on Thursday October 27, 2005 @01:48AM (#13887141)
    First, two-factor authentication is pretty much two-factor authentication. There are moderate differences in the various forms, but that is usually not the driving factor.

    The biggest and most overlooked issue is the requirement for client-side software and drivers. The various OTP solutions (SecurID, etc.) are zero footprint. They can be used from any computer. If portability is as important as strong authentication, you should consider an OTP solution.

    Smartcards and biometric devices require drivers at a minimum. Most require some type of middleware. This means you will have to manage a software deployment and the devices can only be used from systems that have the software installed.

    Smartcards provide crypto, which can be leveraged for SSO, secure mail, etc. but by far, most of these projects succeed or fail based on the ability to actually deploy and use the solution.
  • vasco ? (Score:2, Informative)

    by ncostigan ( 127923 ) * on Thursday October 27, 2005 @06:50AM (#13887807) Homepage
    one of the largest players, at least in europe, for 2 factor is vasco security (belgium?)

    my bank (SEB in sweden) has been using them for years.
    the system is pretty easy to use. you don't need a CS major to work it. /nc
  • PortWise (Score:2, Informative)

    by pehag ( 926320 ) on Thursday October 27, 2005 @09:47AM (#13888520)
    check out PortWise, it will give you one solution for OTP with lots of different authentication channels like Blackberry, Mobile Text, Mobile Token and so on. www.portwise.com
  • PassGo (Score:2, Informative)

    by petegc ( 926326 ) on Thursday October 27, 2005 @10:26AM (#13888767)
    I work for a company called PassGo Technologies. We have a two-factor authentication system called Defender that is fully integrated with Microsoft's Active Directory. All of the administration for the product is performed using the standard "Users and Computers" interface and all of Defender's information is stored in AD. As far as I am aware, ours is the only two-factor authentication solution to provide this level of integration. Defender can provide strong authentication to VPNs, SSL VPNs, UNIX devices, NASs, firewalls, Microsoft desktops and Citrix products as well as any device that supports RADIUS. We support token types from a large number of manufacturers including Vasco and ActivCard. Contact me if you need any further information: Phone: +44 1460 258317 Email: pcooke@passgo.com Web: http://www.defender5.com/ [defender5.com]
  • by nowen ( 175844 ) on Thursday October 27, 2005 @05:04PM (#13892333)
    Did you consider WiKID Systems?

    Available in both open (https://sourceforge.net/projects/wikid-twofactor/ [sourceforge.net]) and closed source (http://www.wikid.com/ [wikid.com]) versions. Closed source supports wireless devices such as Blackberries, Palm, PocketPC J2ME. Unlike certs, there is no need to manage white & black lists (CRL) etc. Unlike RSA soft tokens, the PIN is stored on the server and communication between the token and the server is encrypted asymmetrically. If the token is stolen, the PIN must be checked at the server allowing lock-out after an admin set number of attempts. Open sourced plugins are available for PHP, Java, COM/IIS, Citrix, C++, SugarCRM, etc. with more on the way. Token roll out can be completely automated via ASP scripts using trusted LAN credentials.

    In terms of evaluating based on financial, relative security and operations issues you might want to read this, which I wrote for WiKID: http://www.securitydocs.com/library/3048 [securitydocs.com]. A cleaner cost analysis between hardware tokens such as RSA and WiKID is here: http://www.wikidsystems.com/features/lessexpensive [wikidsystems.com].
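
The server-side PIN check with lock-out described in the comment above, as an added sketch that is not part of the original post and is not WiKID's code. The class and function names, the PBKDF2 storage scheme, and the sample token ID and PIN are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ServerPinVerifier:
    """Hypothetical server-side PIN store with an admin-set lock-out threshold."""

    def __init__(self, max_attempts=3, iterations=100_000):
        self.max_attempts = max_attempts      # admin-set number of attempts
        self.iterations = iterations          # PBKDF2 work factor (assumed scheme)
        self._records = {}                    # token_id -> per-token state

    def _derive(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.iterations)

    def enroll(self, token_id, pin):
        salt = os.urandom(16)
        self._records[token_id] = {
            "salt": salt, "digest": self._derive(pin, salt),
            "failures": 0, "locked": False,
        }

    def verify(self, token_id, pin):
        rec = self._records.get(token_id)
        if rec is None:
            return "unknown"
        if rec["locked"]:
            return "locked"                   # a correct PIN no longer helps
        if hmac.compare_digest(self._derive(pin, rec["salt"]), rec["digest"]):
            rec["failures"] = 0               # success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            rec["locked"] = True              # stays locked until an admin unlocks
            return "locked"
        return "denied"

    def unlock(self, token_id):
        rec = self._records[token_id]
        rec["failures"], rec["locked"] = 0, False


def guess_success_probability(pin_digits, max_attempts):
    """Chance of guessing a uniformly random numeric PIN before lock-out."""
    return min(1.0, max_attempts / 10 ** pin_digits)


def demo():
    v = ServerPinVerifier(max_attempts=3)
    v.enroll("token-001", "4821")             # constructed sample values
    return [v.verify("token-001", g) for g in ("0000", "1111", "2222", "4821")]
```

With a 4-digit PIN and three attempts, the lock-out bounds the chance of a successful guess on a stolen token at 3 in 10,000, which is the property the server-side check provides.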