The document discusses multifactor authentication solutions from ARX to provide secure access in a work from home environment due to COVID-19. It summarizes the business challenges of passwords being vulnerable to theft and the need for authentication beyond passwords. It then describes ARX's multifactor authentication solution which provides various authentication factors like one-time passwords, soft/hardware tokens, biometrics, and risk-based authentication. It offers centralized policy management and integration with third-party multifactor solutions. ARX provides an advanced multifactor authentication solution for both security and usability for users and administrators.
INTRODUCTION
Latest technologies give people the power to work wherever and whenever they choose. Access from anywhere, everywhere results in spectacular gains in productivity and employee satisfaction, but enterprises that use simple passwords to protect that access also risk financial loss, data theft, and worse.
However, these security systems were put in place long before the world was impacted by COVID-19 and the consequent need for virtually the entire world to go into lockdown mode. As ‘work from home’ becomes the norm, employers and employees have had to rapidly adapt and search for new solutions across functions.
Passwords are the primary reason for many of the infamous security breaches that happen across the globe. According to the Data Breach Investigations Report 2019, over 70% of employees reuse passwords at work. The report finds a staggering “81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
Why is the venerable password such a colossal security failure?
The root cause, not surprisingly, is us: we are too trusting and too lazy. Successful cybercriminals are expert social engineers who design attacks that capitalize on these all-too-human weaknesses. They use techniques like phishing or brute force to get access to such vulnerable systems. Employee education and safe password practices for business can mitigate these attacks to some extent, but an effective solution lies in using multifactor authentication.
This paper discusses authentication in general and multifactor authentication solutions from ARX that combine ease of use with effectiveness – more so, in a world battling the Coronavirus pandemic.
AN OVERVIEW OF AUTHENTICATION
Multifactor Authentication (MFA) or Two-Factor Authentication (2FA) requires a user to authenticate via two or more authentication factors (‘something you know’ combined with ‘something you have’, for example). Since the chances of both factors being compromised are very low, MFA results in a higher level of assurance that the individual attempting to authenticate is actually the individual in question.
Authentication mechanisms can also be distinguished by whether they use the same channel where the user accesses the application, or a separate channel that is dedicated for authentication.
Authentication mechanisms can be categorized as:
• Something you know (a password or a PIN, for example).
• Something you have (a token or mobile phone, for example).
• Something you are (a fingerprint or other biometric data, for example).
BUSINESS CHALLENGES
The advent of mobility and remote access (triggered by a global lockdown because of COVID-19) offers a rich array of benefits for both workers and companies, including substantial increases in productivity and reductions in costs. But it isn’t all good news. The growing remote workforce has created some very serious security challenges for companies, both large and small. There is an urgent need to authenticate and manage the identities of users attempting to acquire access to companies’ proprietary data and systems.
For many organizations, a simple query-password system remains the primary means of user authentication. But it is an unfortunate irony that the most effective passwords are the most difficult to remember. As a result, many users resort to an easy-to-remember, easy-to-hack password. And more complex passwords are far more likely to be written down somewhere instead of trusted to memory, rendering them more susceptible to theft. But even the most complex password stored only in a user’s memory provides no more than a very primitive level of security, easily foiled by today’s technologically sophisticated cybercriminals. Advanced password theft techniques such as phishing provide cybercriminals with the means to steal passwords away from unsuspecting users.
Moreover, in today’s world, it is not just important to consider security during initial login, but also while users execute certain critical or high-value transactions. MFA is a perfect solution to protect such high-value transactions by presenting the user with an additional challenge like an OTP, smart OTP or token system, security questions or biometric authentication.
Authentication Mechanisms – Top Features to Consider in a Two-Factor Authentication Solution
Maximizing the potential of a multifactor authentication methodology requires the installation of a system that delivers a full range of key capabilities and usability features. The following, in particular, should be considered as must-have features for multifactor authentication solutions:
Passwords
A password is a shared secret known by the user and presented to the server to authenticate him/her. Passwords are the default authentication mechanism on the web today. However, poor usability and vulnerability to large-scale breaches and phishing attacks make passwords an unacceptable authentication mechanism in isolation.
Adding an extra layer of security in the form of two-factor authentication certainly helps to slow cybercriminals: by validating a second factor, such as a user’s fingerprint or their possession of a trusted device, access security becomes far more robust.
Hardware Tokens
These are small hardware devices that the owner carries to authorize access to a network service. The device may be in the form of a smart card, or it may be embedded in an easily-carried object such as a keychain or USB drive. The device itself contains an algorithm (a clock or a counter), and a seed record used to calculate the pseudo-random number. Users enter this number to prove that they have the token. The server that is authenticating the user must also have a copy of each key chain’s seed record, the algorithm used and the correct time.
Soft Tokens
These are software-based security token applications, typically running on a smartphone, that generate an OTP for signing on. Software tokens have some significant advantages over hardware tokens. Users are less likely to forget their phones at home than lose a single-use hardware token. When they do lose a phone, users are more likely to report the loss, and the soft token can be disabled. Soft tokens are also easier and less expensive to distribute than hardware tokens, which need to be shipped – a major challenge when supply-chain logistics are interrupted as has happened globally with the Coronavirus lockdown.
One-Time Password (OTP)
Passwords that reside in a user’s memory (or on a sticky note attached to their desk or computer monitor) and are used over and over with each login attempt are constantly exposed to theft. But one-time passwords are another matter. Generated randomly, specifically and uniquely for each login attempt, OTPs are used only once and then never again. So even if somehow intercepted by a cybercriminal, an OTP will be useless in any later unlawful login attempt.
Biometric and Push Authentication
Biometric authentication offers an unbeatable combination of security and convenience. Many biometric applications, for example, require only that the user press a fingertip to a scanner. Biometric verification is typically very easy and convenient for users, and yet provides a very effective defense against illicit login attempts. Similarly, push authentication also offers an extra layer of security with minimal inconvenience to the user. Response to a push authentication requires no more than a tap of the fingertip to the user’s phone. A multifactor authentication solution should offer either biometric or push authentication, with the best solutions offering a choice of one or the other to accommodate the user’s preference.
Contextual Authentication
This process uses contextual information, such as geo-location, IP address, time of day and device identifiers to determine whether a user’s identity is authentic or not. Typically, a user’s current context is compared to a previously recorded context in order to spot inconsistencies and identify potential fraud. These checks are invisible to the authorized user so there are no usability issues, but they can create a significant barrier to an attacker.
Risk-Based Authentication and User Behavior Analytics
The ultimate goal of any security solution should be to maximize protection while minimizing user inconvenience. While second-factor authentication provides a substantial boost in security, that extra factor of authentication isn’t always needed. The best two-factor solutions have the ability to determine when and if an explicit second factor of authentication is required. The solution might determine, for example, that a login attempt from a registered device perfectly mirrors that user’s behavioral history, making it safe to drop the second factor requirement. The ability to intelligently apply the security policy assures that the protection potential of a two-factor solution is fully realized, and yet customizes each login experience to minimize inconvenience to the user.
THE ARX SOLUTION
ARX provides an enterprise-grade identity and access management solution. ARX is an integrated suite of security services, providing end-to-end security with regard to user identification, authentication, single sign-on, authorization and entitlements. Its secure, flexible multifactor authentication comes included as part of the identity and access management suite. Designed to protect against today’s phishing attacks, stolen passwords, and shared credentials, ARX’s MFA solution provides high security and easy, centralized administration. The solution also integrates with existing third-party multifactor solutions such as RSA.
Flexible, Secure Verification Options
Organizations can choose from a variety of second factor options in addition to password, balancing the needs of their user base, the sensitivity of the applications they are protecting, and overall ease of use.
Dynamic Password/Token-Based Authentication
• Supports integration with third-party token systems like RSA, Vasco, Safeword, Entrust and I-Sprint, etc., for dynamic soft and hard token-based authentication.
OTP Authentication
• Inbuilt OTP generation and validation engine, which can be integrated with an enterprise’s messaging centre to send OTPs over SMS to the user. An OTP is generated based on the policy defined in the system.
• Supports configuration, per transaction type, of OTP length, OTP character type, OTP validity and OTP message template. Multiple usage of an OTP, OTP resend, time blocking for resend or regeneration of an OTP, and blocking of an OTP after the invalid-attempt limit is exceeded can likewise be configured.
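As an added example (this is not ARX code and the values are not the product's real defaults), the following Python models the OTP lifecycle the two bullets above describe: a per-transaction-type policy for length, character type, validity, message template and single or multiple use, a cooldown that blocks resend or regeneration, and blocking of the OTP once the invalid-attempt limit is reached. The transaction-type names, policy numbers and message template are constructed for illustration; only a salted hash of the live code is kept server-side, with the plaintext handed to the messaging centre.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class OtpPolicy:
    """Per-transaction-type OTP settings: the knobs the page lists."""
    length: int = 6
    charset: str = string.digits              # character type: numeric here
    validity_seconds: int = 120               # how long a code stays valid
    resend_cooldown_seconds: int = 30         # time blocking for resend/regeneration
    max_invalid_attempts: int = 3             # block the OTP after this many wrong guesses
    single_use: bool = True                   # False allows multiple usage of one OTP
    message_template: str = "Your {txn} code is {otp}. It expires in {validity} seconds."


# Constructed example policies keyed by transaction type (illustrative values only).
POLICIES = {
    "login": OtpPolicy(),
    "high_value_transfer": OtpPolicy(
        length=8,
        charset=string.digits + string.ascii_uppercase,   # alphanumeric character type
        validity_seconds=60,
        max_invalid_attempts=2,
    ),
}


class IssuedOtp(NamedTuple):
    code: str      # plaintext code, handed only to the messaging centre
    message: str   # SMS text rendered from the policy template


def _hash(code: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, so a database leak does not expose live codes.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpSession:
    """Tracks one OTP challenge for one transaction: issue, resend, validate."""

    def __init__(self, txn_type: str):
        self.policy = POLICIES[txn_type]
        self.txn_type = txn_type
        self._salt = secrets.token_bytes(16)
        self._code_hash: Optional[bytes] = None
        self.issued_at: Optional[float] = None
        self.invalid_attempts = 0
        self.blocked = False
        self.used = False

    def issue(self, now: float) -> Optional[IssuedOtp]:
        """Generate (or regenerate) a code. Returns None while the resend cooldown is
        active. Regeneration resets the attempt counter and any block."""
        p = self.policy
        if self.issued_at is not None and now - self.issued_at < p.resend_cooldown_seconds:
            return None
        code = "".join(secrets.choice(p.charset) for _ in range(p.length))
        self._code_hash = _hash(code, self._salt)
        self.issued_at = now
        self.invalid_attempts = 0
        self.blocked = False
        self.used = False
        message = p.message_template.format(txn=self.txn_type, otp=code, validity=p.validity_seconds)
        return IssuedOtp(code, message)

    def validate(self, candidate: str, now: float) -> str:
        """Returns one of: ok, not_issued, blocked, used, expired, invalid."""
        p = self.policy
        if self._code_hash is None:
            return "not_issued"
        if self.blocked:
            return "blocked"
        if self.used and p.single_use:
            return "used"
        if now - self.issued_at > p.validity_seconds:
            return "expired"
        if hmac.compare_digest(_hash(candidate, self._salt), self._code_hash):
            self.used = True
            return "ok"
        self.invalid_attempts += 1
        if self.invalid_attempts >= p.max_invalid_attempts:
            self.blocked = True
            return "blocked"
        return "invalid"
```

The caller passes the clock in explicitly, which keeps the expiry and cooldown logic testable and makes it obvious that validity is measured from issue time, not from first use.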
TOTP/Soft Token Authentication
ARX Authenticator is a smartphone application that implements two-step verification using the Time-based One-time Password (TOTP) for authenticating users of software applications. During TOTP provisioning in ARX, a secret seed is generated for each user. This seed is delivered to the user as a base32 string or QR code. The user registers in ARX Authenticator using the seed, which then generates a six-digit TOTP that is valid for 30 seconds.
Security Question
Supports security question authentication for the ‘forgot password’ option; the user is forced to answer a configured number of security question(s) on first-time login, from questions configured in the system. Security question authentication can be used as 2FA at the time of login or transaction authorization in an integrated application. Supports configuration for random display of security question(s) at the time of authentication.
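The TOTP flow above (a per-user seed delivered as base32, an app that turns it into a six-digit code every 30 seconds) is the same clock-plus-seed mechanism the Hardware Tokens and Soft Tokens sections describe. As an added example, not code from ARX or the ARX Authenticator, the following Python implements both sides of it with RFC 4226 HOTP and RFC 6238 TOTP from the standard library: seed provisioning, code generation, and a server-side verifier that tolerates one step of clock drift while refusing to accept a time step that already succeeded, so an intercepted code cannot be replayed. The seed bytes used in the test are the RFC 6238 reference seed, not a real user's.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6    # ARX Authenticator generates six-digit codes (from the page)
PERIOD = 30   # each code is valid for 30 seconds (from the page)


def seed_to_base32(raw: bytes) -> str:
    """Encode a raw seed as the base32 string shown to the user or put in a QR code."""
    return base64.b32encode(raw).decode("ascii")


def provision_seed(num_bytes: int = 20) -> str:
    """Server side of enrolment: generate a fresh random per-user seed (20 bytes, the
    usual HMAC-SHA1 key size) and return it in base32 for delivery to the user."""
    return seed_to_base32(secrets.token_bytes(num_bytes))


def hotp(raw_seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(raw_seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period). This is what the
    authenticator app computes; the server runs the same function."""
    raw = base64.b32decode(seed_b32, casefold=True)
    return hotp(raw, unix_time // period, digits)


class TotpVerifier:
    """Server-side verification for one enrolled user. Accepts the current time step and
    `window` steps either side to absorb clock drift, and never accepts a step at or
    before the last step that already succeeded (one-time semantics)."""

    def __init__(self, seed_b32: str, window: int = 1,
                 digits: int = DIGITS, period: int = PERIOD):
        self.raw = base64.b32decode(seed_b32, casefold=True)
        self.window = window
        self.digits = digits
        self.period = period
        self.last_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        step = unix_time // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate < 0 or candidate <= self.last_step:
                continue   # negative step, or already consumed: skip
            expected = hotp(self.raw, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    seed = provision_seed()
    print("seed (base32):", seed)
    print("current code:", totp(seed, int(time.time())))
```

Storing `last_step` per user is what turns a time-based code into a genuinely one-time code; without it, anything captured inside the drift window would still verify.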
Biometric Authentication
Fingerprint-based biometric authentication for back office users. Supports integration with fingerprint scanner and reader.
Grid Authentication
Grid Authentication to support grid number generation and validation, available at the back of cards. Grid values are randomly generated and hashed using SHA256 or SHA512 before being stored in the database.
PIN Authentication
PIN-based authentication support for user authentication for mobile banking applications, instead of user id and password. PIN binding is done with the device identifier at the time of registration. Supports configuration for PIN length, PIN history, PIN expiry, and locking the user after exceeding the invalid PIN authentication attempts.
Site Key Authentication
Site Key web-based security system can be configured on the login screen to prevent phishing. The user identifies (not authenticates) himself to ARX by entering his user id (but not his password), and ARX authenticates itself to the user by displaying an image and an accompanying phrase which the user had earlier configured.
Risk-based Authentication
Step-up authentication (whether CAPTCHA or OTP or security question or any other mechanism supported by ARX) will be performed based on the risk score calculation, as per the configuration in ARX.
• Detects browser/device and performs step-up authentication if it does not appear in the user’s previous audit history as per the configured count.
• Detects the customer’s country from the IP address and performs step-up authentication if the country is on a greylist or blacklist.
• Detects the invalid-attempt count and performs step-up authentication if it exceeds the configured threshold.
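As an added example that is not ARX code, the following Python turns the three risk signals listed above (unseen browser/device, country from IP on a greylist or blacklist, invalid-attempt count over threshold) into a risk score and a step-up decision, which is also the contextual and risk-based authentication described in the Top Features section. The weights, tiers, country codes, audit history and the IP-to-country table are all constructed for illustration (a real deployment would use a GeoIP database and the thresholds an administrator configures), and the IP ranges are the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed configuration, standing in for what an administrator would set.
GREYLIST = {"GY"}                 # hypothetical country codes
BLACKLIST = {"BL"}
DEVICE_SEEN_REQUIRED = 2          # device must appear this many times in audit history
INVALID_ATTEMPT_THRESHOLD = 3

# Constructed IP-to-country table using RFC 5737 documentation ranges.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "HM"),   # "home" country
    (ipaddress.ip_network("198.51.100.0/24"), "GY"),  # greylisted country
    (ipaddress.ip_network("192.0.2.0/24"), "BL"),     # blacklisted country
]

# Constructed weights and step-up tiers (score >= 70 -> OTP, >= 30 -> CAPTCHA, else none).
WEIGHTS = {"unknown_device": 40, "grey_country": 30, "black_country": 100, "invalid_attempts": 50}
TIERS = [(70, "otp"), (30, "captcha")]


@dataclass
class LoginContext:
    user: str
    device_id: str        # browser/device fingerprint or registered device identifier
    ip: str
    failed_attempts: int  # consecutive invalid attempts recorded for this user


def country_for(ip: str) -> str:
    """Map an address to a country code via the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def risk_score(ctx: LoginContext, audit_history: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """audit_history maps user -> device ids from past successful logins (constructed).
    Returns the additive score and the list of signals that fired."""
    score, reasons = 0, []
    seen = audit_history.get(ctx.user, []).count(ctx.device_id)
    if seen < DEVICE_SEEN_REQUIRED:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    cc = country_for(ctx.ip)
    if cc in BLACKLIST:
        score += WEIGHTS["black_country"]
        reasons.append("black_country")
    elif cc in GREYLIST:
        score += WEIGHTS["grey_country"]
        reasons.append("grey_country")
    if ctx.failed_attempts >= INVALID_ATTEMPT_THRESHOLD:
        score += WEIGHTS["invalid_attempts"]
        reasons.append("invalid_attempts")
    return score, reasons


def step_up_for(score: int) -> str:
    """Pick the step-up mechanism for a score: highest tier whose threshold is met."""
    for threshold, mechanism in TIERS:
        if score >= threshold:
            return mechanism
    return "none"


def decide(ctx: LoginContext, audit_history: Dict[str, List[str]]) -> Tuple[str, int, List[str]]:
    """Full decision: (mechanism, score, reasons). Log all three for the audit trail."""
    score, reasons = risk_score(ctx, audit_history)
    return step_up_for(score), score, reasons


if __name__ == "__main__":
    history = {"alice": ["dev-A", "dev-A", "dev-A"]}   # constructed audit history
    for ctx in [LoginContext("alice", "dev-A", "203.0.113.10", 0),
                LoginContext("alice", "dev-B", "198.51.100.7", 0),
                LoginContext("alice", "dev-A", "192.0.2.5", 0)]:
        print(ctx.device_id, ctx.ip, "->", decide(ctx, history))
```

Returning the reasons alongside the mechanism matters for operations: a step-up prompt that cannot be explained from the audit log is very hard to tune, and a blacklisted country firing on its own should be visible as such rather than buried in a number.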
Centralized Policy Management
ARX’s security policy controls access to all applications, whether cloud-based or on-premises. ARX provides administrators with a centralized option to enable Multi-factor Authentication (MFA). MFA can be configured at the channel level, application level, or at the user level. Intelligent MFA policies can be based on geo-location and/or based on device and IP addresses. Contextualisation of these policies is also possible and can be configured for employees and customers separately.
Integration with Third-Party MFA Solutions
In addition to native ARX MFA support, ARX also integrates with a variety of existing MFA solutions such as RSA, Vasco, Safeword. Customers have the option of using ARX’s native MFA features or using them in conjunction with existing MFA products.
Conclusion
ARX provides an advanced multi-factor authentication solution for your cloud and on-premises applications, with an architecture designed for both higher levels of security and ease of use for users and administrators. ARX's MFA solution supports combining various authentication types like OTP/token/biometric/risk-based etc. It also supports integration with existing MFA solutions and protects business-critical data from the most prevalent attacks on the Internet today, regardless of where users access it in a COVID-19 lockdown environment.
About ARX
In today’s dynamic digital environment, cybersecurity challenges pose a grave risk. Ransomware attacks and identity thefts are making headlines every day, pressing organisations to safeguard their important data. Data breaches are potentially damaging for companies, resulting in financial loss and disrepute. Privacy management and data security are vital components of every organisation’s infrastructure.
ARX, an integrated suite of security services, which provides end-to-end security with regard to user identification, authentication, single sign-on and entitlements, has been launched to ensure protection of your proprietary information and customer data from those who can abuse it. Built on the robust principles of Design Thinking at the R&D Innovation Lab of Intellect, it is trusted by over 200 institutions worldwide and, for the first time, it is being offered as a standalone product for corporates.
ARX will give businesses the security they need to secure digital identities of users and restrain unauthorised access. It's an enterprise-grade service, built for on-premises deployment but compatible with any cloud deployment. With ARX, IT can manage any employee’s or customer’s access to any application from any device.
This next-generation security solution, which is all set to redefine security with modern identity, improves accuracy and real-time digital identity management.
www.arxsuite.com
To know more, contact:
Ramanan Venkata
CEO, India & South Asia
Intellect Design Arena Limited
Ramanan.venkata@intellectdesign.com