Secure Remote Authentication without Tokens
Hardware tokens such as smart cards and key fobs are commonly used for multifactor authentication on networks. Although the tokens generate a unique identification number that changes frequently - generally at least once a minute - we now know that they can become vulnerable to malicious attack. After entering a user name and password or PIN, the user is challenged to enter the identification number displayed on the token together with a PIN. This authenticates the user, but not the server - which has proven to be just as important.
"Many companies - including Milestone - have used hardware tokens to authenticate users who are connecting remotely," said Tom Olson, Senior Systems Security Engineer, Milestone Systems. "Some organizations also use hardware tokens to meet industry and government regulations requiring strong authentication for both internal and external users. However, recent breaches have changed all that.
"Not only was the token solution expensive, but the problem of simply issuing and managing all those pieces of hardware could quickly become a nightmare for an IT department trying to provide strong authentication for a large number of users. Now, a hacker has figured out how to breach the token."
No More Tokens, No More Phish
Milestone Systems, Inc. partners with SecureAuth of Irvine, CA, to provide customers with a cost-effective, software-based alternative. The SecureAuth Identity Enforcement Platform (IEP) leverages X.509 certificate authentication in a tokenless, non-phishable, two-way authentication solution that allows secure single sign-on into the enterprise network, SaaS applications and web application resources. More secure than hardware or software tokens, SecureAuth is inexpensive to acquire, deploy and manage. In fact, Milestone just deployed SecureAuth on its own system.
"SecureAuth delivers strong multifactor authentication in an easy-to-deploy, low-maintenance software product that performs bilateral authentication," said Olson. "It authenticates the user AND the server. SecureAuth is truly plug-n-play, allowing secure access into the enterprise network and application resources."
How It Works
SecureAuth for VPN authentication is a browser-based, bi-directional X.509 certificate authentication solution. SecureAuth integrates tightly with the Juniper IVE and provides a turnkey solution to deliver the industry's most secure, non-phishable authentication. Residing in the enterprise's network and utilizing existing data stores, SecureAuth features first-time self-registration that lets end-users provision themselves automatically. The solution eliminates the need for administrator resources to deliver software, make upgrades or train end-users on complex remote access procedures.
SecureAuth works by authenticating both the user and the client for each session via a non-exportable cryptographic credential. When an authorized user logs in the first time, he is immediately redirected to the SecureAuth registration system, which contacts him (via e-mail, phone or other out-of-band method) with a PIN. Once he enters the PIN, the system installs a bi-directional X.509 certificate on his computer. This provides the full security benefits of X.509 certificate authentication without additional infrastructure requirements.
"Once the certificate is installed, SecureAuth automatically checks to see if it is present when the user logs in," said Olson. "This level of security has become especially critical in light of DNS phishing attacks that secretly redirect users to a hacker-created site that captures log-in information. Such an exploit won't work with SecureAuth because the absence of a certificate prevents the hacker from gaining access to the network."
Secure From Any Computer
What if the user attempts to log in remotely from a different device that lacks the proper certificate? SecureAuth offers several mechanisms for validating the user's identity.
"The system can look up the user's work e-mail address in the network data store and send a one-time-use code that's valid for 120 seconds. Alternatively, the system can send a code to a home e-mail address, send it via an SMS text message, or call the user's cell phone, office phone or even home phone," Olson explained. "For consumer applications, the system can ask the user one or more challenge questions from a knowledgebase."
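The enrollment and login flow described under "How It Works" (first-time registration confirmed by an out-of-band PIN, after which logins are accepted only when the enrolled certificate is present) and the 120-second one-time-code fallback quoted above, modelled as a small server-side state machine. This is an added illustration, not SecureAuth's or Milestone's code; the class, its method names and the certificate bytes are constructed assumptions, and the PIN is returned directly instead of being delivered out of band.

```python
import hashlib
import hmac
import secrets

CODE_LIFETIME_SECONDS = 120  # validity window for a fallback code, as quoted in the article


class CertificateBinding:
    """Hypothetical server-side model of the flow: out-of-band PIN completes
    registration, then a login succeeds only with the enrolled certificate."""

    def __init__(self):
        self.pending_pins = {}    # user -> PIN awaiting out-of-band confirmation
        self.bindings = {}        # user -> SHA-256 fingerprint of the enrolled certificate
        self.one_time_codes = {}  # user -> (code, expiry timestamp)

    def start_registration(self, user):
        # In the real flow the PIN travels out of band (e-mail, SMS, phone call);
        # it is returned here only so the example can run offline.
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending_pins[user] = pin
        return pin

    def complete_registration(self, user, pin, cert_der):
        expected = self.pending_pins.get(user)
        if expected is None or not hmac.compare_digest(expected, pin):
            return False
        del self.pending_pins[user]  # a PIN confirms exactly one enrollment
        self.bindings[user] = hashlib.sha256(cert_der).hexdigest()
        return True

    def login_with_certificate(self, user, cert_der):
        # The presented certificate must match the fingerprint bound at enrollment;
        # a device without it (or with a different one) is refused.
        enrolled = self.bindings.get(user)
        presented = hashlib.sha256(cert_der).hexdigest()
        return enrolled is not None and hmac.compare_digest(enrolled, presented)

    def issue_one_time_code(self, user, now):
        # Fallback for a device lacking the certificate: a code that expires after 120 s.
        code = f"{secrets.randbelow(10**6):06d}"
        self.one_time_codes[user] = (code, now + CODE_LIFETIME_SECONDS)
        return code

    def redeem_one_time_code(self, user, code, now):
        entry = self.one_time_codes.pop(user, None)  # single use: removed on first attempt
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code)
```

The time argument is injected so the expiry check is deterministic; a deployment would pass the current clock.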
Milestone is integrating SecureAuth with SSL VPNs such as Juniper's, and with F5's BIG-IP Local Traffic Manager, which offers advanced client authentication as an add-on module. Integration enables organizations to couple strong authentication with single sign-on.
"By integrating SecureAuth with, say, the F5 LTM device, applications throughout the enterprise can be set up to accept the certificate in lieu of other credentials. Once the user is authenticated with SecureAuth, he doesn't have to sign on to other applications within the infrastructure," said Olson. "SecureAuth brings both strong authentication and single sign-on to internal & external applications. It enables secure remote access, as well as access to cloud applications, without the expense and headaches associated with hardware tokens."
If SecureAuth sounds like it might reduce your authentication costs while improving your network security, talk to Tom Johnson of Milestone Systems, Inc. (toll-free) at 877-771-9510 or ask@milestonesystems.com.