www.tectia. com COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED. Tokenless Two-Factor Authentication for Juniper SSL VPN Appliances Vesa Tiihonen, Director Tectia Corporation 1 September 27 th 2011
Dec 31, 2015
www.tectia.comCOPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
1
Tokenless Two-Factor Authentication for Juniper SSL VPN Appliances
Vesa Tiihonen, DirectorTectia Corporation
September 27th 2011
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Contents
2
• Tectia MobileID Introduction• Mobile Authentication – Use Cases and Benefits• Key Differentiators of Tectia MobileID• Juniper Technology Alliance• SSL VPN Login Use Cases• Tectia MobileID integration with Juniper SSL VPN• Summary
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
3
Best tokenless 2FA solution available
• Tectia MobileID : a next-generation tokenless authentication solution
Multi-factor appliance designed specifically for on-demand and out-of-band authentication,
Based on high quality SMS One-Time-Password (OTP) as strong authentication technology,
Supports also other OTP delivery methods, such aspassword lists, email OTP, and any OATH compliant hardware and software tokens.
Fully customizable Operator Grade SMS Messaging Connections Out-Of-The-Box
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
SMS authentication use cases
When you have geographically dispersed groups of users
When you have a mobile / remote workforce
When you provide an extranet
When you have ad-hoc login requirements
When you do not want to invest in and manage hardware
When you can’t wait weeks for a new token to be delivered
4
When to consider tokenless login
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
No seed data to be compromised
No security devices to be stolen or lost
24/7 service deactivation provided by operators, not only by your company helpdesk
One-Time Password unpredictable and 100% random, unlike with tokens
Ability to detect fraudulent activity, e.g. Man-in-the-Middle (MitM/MitB) attacks
Improved user login experience
Less administration
Fewer helpdesk calls
Benefits of using Tectia MobileID
5
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Fraud prevention and password management with SMS OTP
Pro-actively lock end user accounts after N failed login attempts
Notification of locked account via SMS
Permit account re-activation via SMS
GeoIP match on Mobile device location
Permit forgotten password/PIN reset via SMS, eliminating the need for helpdesk services
6
Lock my account
Benefits of using Tectia MobileID
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Most Scalable &
Reliable
Fastest to Deploy &
Use
Most Cost Efficient
Best User Experience
7
Unique Differentiators of Tectia MobileID
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
8
Unmatched scalability and reliability
• Scales to millions of concurrent users
• Operator grade SMS delivery world-wide with SLA-guaranteed throughputtimes
• Certified to work with
• In live production since 2003
• Modular architecture that provides service
provider-grade scalability,customization and control of networkconditions and business logic
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
9
Unmatched TCO and ROI
• Flexible pricing models with ability to pay
based on active use
• Low TCO solution
• Practically ZERO administration;new users activated instantly
• Tokenless solution – no logistics overhead
No extra or hidden costs!
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
10
Tectia MobileID – Fast deployment and activation
ADDING NEW RSA USER REMOVING A RSA USER1. Admin creates token user account and delivers the
account details i.e. via e-mail
2. Admin adds token serial number to the new account and synchronizes the token.
3. Admin packages the token, user instructions and letter on the token terms of use and mails it to the user.
4. Admin informs the new user that token will be delivered within a few days.
5. User eventually receives the token and reads the instructions and terms of use.
6. Assuming that token has not become out-of-synch, or has not broken during delivery, and that user knows how to use token, etc., user successfully logs in using the token.
1. Admin removes / disables the account
2. Admin notifies the user that the token should be returned via courier.
3. If user fails to return the token, or it's lost then admin must initiate cost recovery procedures or the company must pay for a replacement token.
4. Admin eventually receives the token.
5. If the token is damaged then admin must initiate cost recovery procedures or the company must pay for a replacement token.
6. Admin notifies the user that token was correctly received and intact.
7. Admin marks the token as ”returned” and adds the token serial to a pool of free tokens
ADDING NEW MOBILEID USER REMOVING A MOBILEID USER1. User successfully logs in. 1. Admin removes / disables the account.
Add/remove traditional token user vs. MobileID:
ADDING NEW TOKEN USER REMOVING A TOKEN USER1. Admin creates token user account and delivers the
account details i.e. via e-mail
2. Admin adds token serial number to the new account and synchronizes the token.
3. Admin packages the token, user instructions and letter on the token terms of use and mails it to the user.
4. Admin informs the new user that token will be delivered within a few days.
5. User eventually receives the token and reads the instructions and terms of use.
6. Assuming that token has not become out-of-synch, or has not been damaged during delivery, and that user knows how to use token, user successfully logs in using the token.
1. Admin removes / disables the account
2. Admin notifies the user that the token should be returned via courier.
3. If user fails to return the token, or it's lost then admin must initiate cost recovery procedures or the company must pay for a replacement token.
4. Admin eventually receives the token.
5. If the token is damaged then admin must initiate cost recovery procedures or the company must pay for a replacement token.
6. Admin notifies the user that token was correctly received and intact.
7. Admin marks the token as ”returned” and adds the token serial to a pool of free tokens
ADDING NEW MOBILEID USER REMOVING A MOBILEID USER1. User successfully logs in. 1. Admin removes / disables the account.
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
11
Tectia MobileID – Superior end-user experience
• No end-user training needed
- Usage 100% intuitive
• No changes to existing login process
• Works on any phone, andanywhere in the world
So easy it makes your
customers smile – guaranteed!
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
12
Tectia MobileID – multi-use authentication platform
Tectia MobileID can solve ANY ad-hoc multi-factor authentication problem:
• 2-factor authentication for SSL VPN access (RADIUS)
• 2-factor authentication for Web Services and portals (SOAP)
• Solving Man-in-the-Browser / Man-in-the-Middle threats withOut-Of-Band authentication
• Multi-domain (LDAP) support
• MS Outlook Web Access
• Instant Messaging OTP
• Any custom ad-hoc on-demand multi-factor authentication use case
• 2-factor SMS OTP for MS Windows logins
• Supports ALL OTP techniques: email, lists, OATH tokens, Voice, etc.
• Cloud-based SMS OTP available Out-Of-The-Box
• OTP and business logic for online banking transaction verification
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Tectia MobileID mRules framework
Custom business logic for Authentication, Authorization and Access (AAA)• New authentication methods can be added and the existing ones extended
• Authentication methods can be chained, triggered, scheduled, etc.
• Network packets (i.e. RADIUS) can be re-written, routed, scheduled, etc.
Sample custom access rule
13
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Juniper Technology Alliance
• Protect against unauthorized access to your critical business information
• Reduce your IT administrative workload and hard costs,• Easily scale with tokenless, one time use passcodes
delivered via SMS,• Be up an running in hours, not weeks or months!
Juniper SSL VPN with Tectia MobileID: Full turnkey 2FA solution without the challenges of
first generation two-factor authentication!
14
+
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Juniper Technology Alliance
1515
Direct integration to existing corporate infrastructure
AD/ LDAP
Hello Jane,Your SMS passwordis 949372
Third party Gateway orIntegrated TectiaMessaging service
958482
SSL VPN
Remote user
Internet
Firewall
Operator grade global 3G network
One-time password
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
16
Authenticating using SMS One-Time Password
Scenario 1 – SSL VPN login
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
On-demand SMS password for two-factor authentication
17
Authenticating using SMS One-Time Password
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
And you’re logged in!
18
Authenticating using SMS One-Time Password
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
19
Authenticating using SMS One-Time Password
Scenario 2 – Login with pre-distributed SMS
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
And you’re logged in!
20
Authenticating using SMS One-Time Password
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
21
Technical integration with Juniper SSL VPN
Adding a new RADIUS Server to VPN appliance
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
22
Technical integration with Juniper SSL VPN
Adding a new RADIUS Client to MobileID appliance
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
23
Technical integration with Juniper SSL VPN
Connecting Tectia MobileID to AD / LDAP
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
24
Technical integration with Juniper SSL VPN
MobileID is LIVE – Start using it!
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
25
Tectia MobileID Web Admin Interface
Administer the Virtual Appliance
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
26
Viewing Tectia MobileID Logs in Real-Time
Viewing Tectia MobileID Logs in Real-Time
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
27
Try Tectia MobileID Live Today!
• Live VPN demonstration for anybody, anywhere, free-of-charge:• Juniper SSL VPN login:
- Register here: http://mobileiddemo.ssh.com/pub/index.php?plugin=register&app=juniper
- Login and demo here: http://mobileiddemo.ssh.com/pub/index.php?plugin=testing&app=juniper
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
Summary
28
Tectia MobileID
Operator grade messaging capabilities
Integrated HA messaging Allows ad-hoc use Highly scalable Framework for customized
login methodsCertified for Juniper SSL
VPN
Competitive Solutions
Typically no operator messaging support
No High Availability (HA), requires purchasing and configuring 3rd party messaging service or product
Accounts must be registered and provisioned to work
Typically for SME use only Typically only few pre-defined
methods available
COPYRIGHT © 2011 TECTIA CORPORATION. ALL RIGHTS RESERVED.
29
Your People. Your Secrets. Protected.
Thank You!