SecurAccess

SecurEnvoy integrates with your existing ADS or Radius and provides a dual authentication option for your enterprise

Friday, October 03, 2008

Print

Comment

Email

Digg

Del.icio.us

Reddit

Twitter

TWhen it comes to authenticating a user, first thing that comes to mind is how secure is the channel over which the user is connecting. And is there any possibility that his/her password could be stolen and used by any unauthorized person to get into the system. Even today, most of the authentications are done on pass code basis, which means if someone gets to know your pass code, he/she can get into any of your systems with that password. Another example could be a credit card; if someone gets to know your card's number with the cvv number then he/she can easily do online shopping using your card. And knowing a card number is not that difficult. Just remember how many times someone has asked to provide the front and back side photocopy of your credit card for some kind of verification.

Two factor authentication and Biometric authentication such as, finger print and retina scanner are already there in the industry to provide an added layer on top of the standard password based authentication, but their usage is not so widespread because of the deployment hassles. Just image how difficult it would be to deploy a two factor authentication for a bank. First of all the bank has to dispatch the two factor token to all its customers, and once they are received it has to be verified that the correct person has received it or not. Then, if the token is lost or stolen, blocking its unauthenticated use and reissuing a new token could take time while the customer will not be able to use his/her account. But, token is something which really increases your security, while you have to carry the token wherever you go to use the secured system. Take an example where authentication is based on digital certificates. This solves the problem of carrying a token or smartcard. But there are number of roaming users in your organization, who also requires a digital certificate to log in. Now if they are using a shared computer, they need to import the digital certificate and if they by mistake leave their certificate undeleted, then it can be a serious issue.

So, here is a solution for you, SecurEnvoy's SecurAccess provide you an efficient and easy way to harden the authentication process by deploying dual authentication within your IT infrastructure. And which can solve above issues to a greater extent. Integrating this feature into your login process provides an extra layer of security.

If the phone number is not entered in ADS or RADIUS, then you have to explicitly mention the no in SecurEnvoy.

This is a dual authentication mechanism but isnted of using a token, it uses mobile phones and SMSs. Instead of getting the new pin every time on a token, by using SecureEnvoy you can get it on your mobile phone. And the beauty of the product is that it can be very easily be integrated with most of the Directory Services and applications.

To understand it, let's take an example. you want to login to your head office over VPN, along with your username and passcode, while using SecureEnvoy you have a option for one more pin that you need to append to your existing passcode (or in some cases, needs to be entered separately). This could be upto 8 character numerical figure. This pin is sent to you via an SMS gateway defined in SecurEnvoy or via an email depending on your requirements. The generation and sending of new passcode can be customized to a great level. It can be either set to change each time the user logs in, once in nth number of days, or could be set to real time. The major advantage of this solution over the token is that here is no need to provide any tokens to the user and hence it saves a lot of cost and deployment time.

From this window you can set the type of directory service you want to connect with.

How it works?
When a user is first added to the SecurEnvoy, immediately a SMS or email is sent across to the user, which contents a passcode and that needs to be put entered, while logging into the system. Now, as soon as the user logs in with the passcode, a new passcode is generated at real time and is sent across to the user immediately.

SecurEnvoy provides an easy deployment wizard to deploy the solution in your enterprise.

This passcode is for the next time, when you require logging in, which means that each time you login, your passcode is different. So even if someone knows your ADS or Radius passcode, he still doesn't have access to the SecurEnvoy passcode. Another advantage of this is that, if someone wants to hack your passcode and tries to get access to the system, it automatically sends a SMS or email to you containing a new passcode. Hence you get to know that someone is trying to have unauthorized access to your system. One more good thing about this is that, the passcode SMS is always overwritten by the new passcode SMS, which reduces number of SecurEnvoy SMS in your SMS inbox. One thing which could be asked here is that, SMSs are by default plane text and if the passcode is sent to you via a SMS then it's pretty much possible for someone in between SMS transaction path, could intercept the SMS. But taking the point into consideration, that the code in the SMS in going to be near realtime and its life is just a single login, it's not feasible for a hacker to capture the pin and reach to the authentication server and provide the authentication and that to without the knowledge of the actual user. Now say for instance, the registered mobile device is lost which means the passcode generated will be sent to the lost mobile device which again could be a security threat. To overcome this issue, SecurEnvoy provides a challenge response mechanism which asks you certain number of questions defined by you.

You just need to answer the questions correctly and it automatically emails you the new code or it asks you to update the new phone number on which it should send the passcode. Again, all this is completely customizable and could be used in different ways, such as where company don't wants the user to reset the phone number, rather that right only remains to the admin. We tested this solution by integrating it with multiple services such as IIS,VPN, etc and also tried it with ADS and OpenLDAP directory services. The deployment was very smooth and didn't require a huge amount of technical expertise to perform.

Bottomline: A brilliant solution with very simple deployment features that provides great integration with all Directory Services.

Page(s)   1