IBM Multi-Factor Authentication for Z/OS

Total Page:16

File Type:pdf, Size:1020Kb

IBM Multi-Factor Authentication for Z/OS Multi Factor Authentication for Linux on IBM Z using a centralized z/OS LDAP infrastructure Dr. Manfred Gnirss Thomas Wienert Z ATS IBM Systems IBM Germany R & D Boeblingen, 18.7.2018 © 2018 IBM Corporation 2 Trademarks The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both. Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States. For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml: *BladeCenter®, DB2®, e business(logo)®, DataPower®, ESCON, eServer, FICON, IBM®, IBM (logo)®, MVS, OS/390®, POWER6®, POWER6+, POWER7®, Power Architecture®, PowerVM®, S/390®, System p®, System p5, System x®, System z®, System z9®, System z10®, WebSphere®, X-Architecture®, zEnterprise, z9®, z10, z/Architecture®, z/OS®, z/VM®, z/VSE®, zSeries® The following are trademearks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. * All other products may be trademarks or registered trademarks of their respective companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. © 2018 IBM Corporation 3 Acknowledgement Our very best thanks belong to Florian Warband – Fiducia & GAD IT AG Christian Tatz – Fiducia & GAD IT AG Pascal Meyer – Fiducia & GAD IT AG Andreas Geiss – Fiducia & GAD IT AG Karsten Rohrbach – ABK Systeme GmbH Uwe Denneler – IBM Günter Weber – IBM Richard Young - IBM and all the others who contributed to this session. © 2018 IBM Corporation Current Security Landscape 1,935 81% Number of security incidents Number of breaches in 2015 with confirmed data due to stolen and/or disclosure as a result of weak passwords.1 stolen credentials.1 (18% worse than prior year) (506 worse than prior year) 60% $4 million Number of security The average total cost incidents that are from 2 of a data breach. insider threats. 3 Criminals are identifying key employees at organizations and exploiting them with savvy phishing attacks to gain initial access to the employees’ system and steal their account credentials. This puts emphasis on the need for tighter restrictions on access privileges to key data repositories.1 1 2017 Verizon Data Breach Investigations Report 2 Ponemon: 2016 Cost of Data Breach Study: Global Analysis © 2018 IBM Corporation 4 3 IBM X-Force 2016 Cyber Security Intelligence Index Current Security Landscape . •“81% of hacking-related breaches leveraged either stolen and/or weak passwords.” Source: Verizon Data Breach Investigations Report, 2017 •In 2014, 2 in 5 people − Received notice that their personal information was breached − Had an account hacked − Had a password stolen • 73% of online accounts are guarded by duplicate passwords • 47% of people use passwords that are at least 5 years old • 21% of people use passwords that are over 10 years old Source: https://www.entrepreneur.com/article/246902 •“59% of employees steal proprietary corporate data when they quit or are fired.” •“In 93% of breaches, attackers take minutes or less to compromise.” Source: https://www.bitsighttech.com/blog/data-breach-statistics • According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Source https://www.lexology.com/library/detail.aspx?g=5df10dbf-54fa-40dd-9f3f-2d08d275bf75 5 © 2018 IBM Corporation User Authentication Today • Users can authenticate with: ‒ Passwords ‒ Password phrases ‒ Digital Certificates ‒ via Kerberos • Problems with passwords: ‒ Common passwords ‒ Employees are selling their passwords ‒ Password reuse ‒ People write down passwords ‒ Malware ‒ Key log ‒ Password cracking ‒ . 6 © 2018 IBM Corporation Compliance PCI DSS v3.2 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. 8.3.1 Incorporate multi-factor authentication for all non-console access into the Cardholder Data Environment (CDE) for personnel with administrative access. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. NIST SP 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Note: Network access is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). Note: This requirement is effective December 31, 2017. 7 © 2018 IBM Corporation Why MFA is needed • We need to be sure the person logging in is you! A single factor alone is more susceptible to unauthorized use. • To better secure your systems, application, and data, by thwarting attacks of only a single factor. • Payment Card Industry (PCI) requires it for things such as remote access and administrative access to the card data environment • Requirements for access to Federal Government systems • Possibly to follow your own corporate security policy • MFA is especially important for privileged administrative accounts. • To be smart and secure your data! 8 © 2018 IBM Corporation Authentication is a journey Moving to stronger, easier authentication Capture SOMETHING THAT YOU KNOW SOMETHING THAT YOU HAVE SOMETHING THAT YOU ARE - Usernames and passwords - ID Badge - Biometrics - PIN Code - One time passwords - Knowledge questions - Time-based - Email / SMS 9 © 2018 IBM Corporation What is multi-factor authentication (MFA) • Authentication with more than one factor such as a password or a key to gain access • A factor could be something only you know (ie password), something only you have (ie key fob), or something only you are (i.e. biometrics) • ATM Card and PIN – Something you have and something you know • More factors generally mean more security, as if one factor is compromised such as a password, more factors are still required to successfully authentication • There is a distinction between multi-factor authentication
Recommended publications
  • SANS Spearphishing Survival Guide
    SANS Spearphishing Survival Guide A SANS Whitepaper Written by Jerry Shenk December 2015 Sponsored by Proofpoint ©2015 SANS™ Institute Executive Summary Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions. The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing they are from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks. While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high- value targets who have direct access to company financial or customer information.1 Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently.
    [Show full text]
  • The Rise of Cyber-Espionage
    Case Study: THE RISE OF CYBER-ESPIONAGE 5HFUXLWPHQW3ODQ CounterTh e 20 7KH&RXQWHU7HUURULVW ~ June/July 2012 ©istockphoto/loops7 By Chris Mark At a Hopkinton, Massachusetts, offi ce, an executive received an email that appeared to be from a coworker on March 1, 2011. Attached to the email was an Excel spreadsheet titled “2011 Recruitment Plan.” The man opened the spreadsheet. The email was not from a coworker, it was a carefully crafted attack known as ”spearfi shing” in which a fraudulent email is sent to a specifi c person. he spearfi shing email contained an system, SecurID. SecurID is used by an Excel spreadsheet with a zero- estimated 250 million people worldwide. Tday exploit and a version of the Poison Th e attack was believed to have been ini- Ivy RAT (remote administration tool) tiated using a zero-day exploit created by payload embedded. Th e RAT enabled a Chinese hacker. Evidence suggests the a hacker to gain privileged access to the possibility of Chinese-sponsored cyber- network of RSA Security (an American espionage.1 RSA’s CEO, Art Coviello, computer and network security com- stated the stolen SecurID information pany). Th e company had been founded “could potentially be used to reduce by Ron Rivest, Adi Shamir, and Leonard the eff ectiveness of a current two-factor Adleman, the inventors of the RSA public authentication implementation as part key cryptographic algorithm. Th is single of a broader attack (italics added).”2 Th is The US government event initiated an attack that would result proved to be an ominous prediction.
    [Show full text]
  • Security Features
    Security Features SL1 version 10.1.0 Table of Contents Introduction 4 Who Should Read This Manual? 4 Built-In Security for Appliances and Data 5 Hardened Operating System 6 Limited Open Ports 6 Firewalls and White Lists 6 Hardened Configuration on Each Appliance 7 Root Access 7 API 7 All-In-One 7 Administration Portal 8 Database Server 8 Data Collectors and Message Collectors 8 Multiple Tenancy and Segregation of Duties 9 Account Types 9 Access Keys 9 Segregation by Organization 10 Credential Management 10 User Policies 11 Protection Against Injections and Cross-Site Scripting 12 Operating System Scan 12 Data Integrity 12 Backups 13 Disaster Recovery and High Availability 13 Audit Logs 13 Manage the Security of Your Network 15 Monitoring IDS, Firewalls, and Security Hardware 16 Security Events 16 Monitoring Changes to Device Configuration 16 Monitoring for Illicit Behavior 17 Blueprinting Windows Services 17 Blueprinting System Processes 17 Blueprinting DNS 18 Monitoring Open Ports 18 Monitoring Bandwidth Usage 18 Monitoring Hardware Performance 19 Managing Patches and Hot Fixes 21 Using Standard Deviation To Calculate "Normal" Conditions and Abnormal Conditions 21 Using Run Book Automation to Automate Responses to Security Events 21 Reports 22 Proxied Web Services 23 Security Settings 24 Access Control 25 Authentication 30 Multiple Tenancy and Segregation of Duties 31 Protection of Shared Content 33 Data Integrity 33 Security Events 34 Monitoring Changes to Device Configuration 35 Monitoring for Illicit Behavior 35 Blueprinting DNS, System Processes, and Windows Services 36 Monitoring Open Ports 37 Monitoring Bandwidth Usage 37 Monitoring Hardware Performance 39 Monitoring Patches and Hot Fixes 40 Using Run Book Automation to Automate Responses to Security Events 41 Reports 41 Proxied Web Services 41 Audit Logs 42 Chapter 1 Introduction Overview SL1 addresses two major aspects of system and network security: l SL1 appliances are lean, hardened, and configured for maximum security.
    [Show full text]
  • Produktinformation
    MULTI-FACTOR AUTHENTICATION DESKTOP-INTEGRATION TOKEN SELF SERVICE & SUPPORT LinOTP Produktinformation DIE MODULARE LinOTP ist eine innovative und fl exibel einsetzbare OTP Plattform zur AUTHENTISIERUNGS-LÖSUNG starken Benutzerauthentisierung. Dank der hochmodularen Architektur arbeitet LinOTP herstellerunabhängig und unterstützt verschiedene Au- thentisierungsprotokolle, Token und Verzeichnisdienste. Die Software ist mandantenfähig, leicht skalierbar, bedienerfreundlichund lässt sich schnell und einfach implementieren. Mit Hilfe von LinOTP können unsere Kunden höchste Sicherheitsstandards mühelos durchsetzen. BASISTECHNOLOGIE OTP LinOTP verwendet bevorzugt Einmalpasswörter (OTP = One Time Pass- word), um die Sicherheit bei beliebigen Anmeldeverfahren zu erhöhen. Einmalpasswörter bieten den Vorteil, dass sie keine clientseitigen Treiber erfordern. Das modulare Konzept ermöglicht die Unterstützung von OTP-To- ken, die unterschiedliche OTP-Algorithmen verwenden. Neben den offenen Algorithmen HOTP (ereignisbasiert), TOTP (zeitbasiert), OCRA (challenge-re- sponse basiert) und mOTP unterstützt LinOTP auch proprietäre Token wie Vasco DIGIPASS-Token, die Versendung von Einmalpasswörtern mittels SMS und die Nutzung von Tagespasswörtern. Dabei spielt es keine Rolle ob es sich um Soft- oder Hardware-Token handelt. Die optionale Verwendung von Hardware-Token, welche für die Benutzer das Einmalpasswort berechnen, kann dazu beitragen die Sicherheit weiter zu erhöhen. OPTIMALE ANPASSUNG Dank des modularen Aufbaus von LinOTP entscheiden Sie selbst, welches
    [Show full text]
  • VULNERABLE by DESIGN: MITIGATING DESIGN FLAWS in HARDWARE and SOFTWARE Konoth, R.K
    VU Research Portal VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE Konoth, R.K. 2020 document version Publisher's PDF, also known as Version of record Link to publication in VU Research Portal citation for published version (APA) Konoth, R. K. (2020). VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. E-mail address: [email protected] Download date: 07. Oct. 2021 VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE PH.D. THESIS RADHESH KRISHNAN KONOTH VRIJE UNIVERSITEIT AMSTERDAM, 2020 Faculty of Science The research reported in this dissertation was conducted at the Faculty of Science — at the Department of Computer Science — of the Vrije Universiteit Amsterdam This work was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO.
    [Show full text]
  • Progettazione E Implementazione Di Un Servizio Di Autenticazione a Più Fattori Per I Servizi Dell’Ateneo
    ALMA MATER STUDIORUM - UNIVERSITÀ DI BOLOGNA SCUOLA DI SCIENZE Corso di Laurea Specialistica in Scienze di Internet PROGETTAZIONE E IMPLEMENTAZIONE DI UN SERVIZIO DI AUTENTICAZIONE A PIÙ FATTORI PER I SERVIZI DELL’ATENEO Relatore: Chiar.mo Prof. VITTORIO GHINI Presentata da: CRISTIAN MEZZETTI II SESSIONE ANNO ACCADEMICO 2014/2015 1 Glossario ........................................................................................................................... 6 2 Introduzione ...................................................................................................................... 8 3 Identità digitale .............................................................................................................. 12 3.1 Tecnologie di autenticazione .............................................................................................. 14 3.1.1 Form/Basic Authentication .......................................................................................... 15 3.1.2 Kerberos ........................................................................................................................ 16 3.1.3 Smart card e token USB ............................................................................................. 17 3.1.4 RADIUS ......................................................................................................................... 20 3.1.5 CAS ................................................................................................................................ 21 3.1.6 OpenID e SAML
    [Show full text]
  • EC-Council Certified Security Specialist Course Outline (Version 9)
    EC-Council Certified Security Specialist Exam ECSS Course Outline EC-Council Certified Security Specialist Course Outline (Version 9) Module 01: Information Security Fundamentals . Data Breach Statistics . Data Loss Statistics . The Global State of Information Security Survey 2016 . Information Security . Need for Security . Elements of Information Security . The Security, Functionality, and Usability Triangle . Security Challenges . Information Security Attack Vectors . Information Security Threat Categories . Types of Attacks on a System . Trends in Security . Information Security Laws and Regulations Module 02: Networking Fundamentals . Introduction . Types of Networks . OSI (Open Systems Interconnection) Reference Model o OSI Reference Model: Diagram Page | 1 EC-Council Certified Security Specialist Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. EC-Council Certified Security Specialist Exam ECSS Course Outline o Application Layer o Presentation Layer o Session Layer o Transport Layer o Network Layer o Data Link Layer o Physical Layer . OSI Layers and Device Mapping . Protocols . TCP/IP Model . Comparing OSI and TCP/IP . Network Security . Essentials of Network Security . Data Security Threats over a Network . Basic Network Security Procedures . Network Security Policies . Types of Network Security Policies o Data Policy: Example o Computer Usage Policy: Example o E-mail Policy Module 03: Secure Network Protocols . Introduction . Terminology . Secure Network Protocols o E-mail Security Protocol – S/MIME o E-mail Security Protocol – PGP o Web Security Protocol – SSL Steps to Establish Connection Between Browser and Web server using SSL o Web Security Protocol – SSH (Secure Shell) o Web Security Protocol – HTTPS Page | 2 EC-Council Certified Security Specialist Copyright © by EC-Council All Rights Reserved.
    [Show full text]
  • Protecting Merchant Point of Sale Systems During the Holiday Season
    Protecting Merchant Point of Sale Systems during the Holiday Season November 7, 2014 Executive Summary This advisory was prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC), and is directed towards retailers or companies which are processing financial transactions and managing customer personally identifiable information (PII) during the upcoming holiday season and beyond. This advisory serves to provide information on and recommends possible mitigations for common cyber exploitation tactics, techniques and procedures (TTPs) consistently and successfully leveraged by attackers in the past year. Many of these TTPs have been observed by the FS- ISAC, through its members, and identified in Secret Service investigations. The TTPs discussed in this report include: • Exploiting commercial application vulnerabilities • Unauthorized access via remote access • Email phishing • Unsafe web browsing from computer systems used to collect, process, store or transmit customer information This document provides recommended security controls in these four commonly observed areas to protect customer data and also provides recommendations to smaller merchants who should work with their vendors to implement these recommendations (see Appendix A). This advisory is not intended to be a robust, all-inclusive list of procedures as attackers will modify TTPs depending upon the target’s network and vulnerabilities. This report does not contain detailed information about memory scraping Point of Sale (PoS) malware that has been used in recent high- profile data breaches. Secret Service investigations of many of the recent PoS data breaches have identified customized malware only being used once per target.
    [Show full text]
  • Bachelor Thesis Sommersemester 2010
    Development of an Android App for One-Time Password Generation & Management Bachelor Thesis Sommersemester 2010 Bearbeitet von: Michael Barth (Matrikelnummer: 26206) Betreuer: Prof. Dr. Christoph Karg Hochschule f¨urTechnik und Wirtschaft Aalen Fakult¨atElektronik und Informatik Studiengang Informatik Abstract This work covers the development of an Application for the Android platform for One-Time Password Management and Creation, including all fundamentals that are necessary to do this. One-Time Passwords are introduced in general. Their benefits and drawbacks are discussed and their usage is illustrated with a practical example. Concluding, a specific OTP implementation (OTPW) is introduced. Following is an introduction on the topic of Random Number Generation in the context of cryptography. An overview over attacks on Pseudo Random Number Generators (PRNGs) is given, as well as some design guidelines to prevent them. The Android platform is introduced in detail to establish a basic understanding of the target platform, describing its architecture and application framework. An extensive introduction to development for Android is given in the next chapter, including installation and setup, general guidelines on developing for mobile devices and practical examples of the most important components with source code. The application developed over the course of this thesis will then be described in detail, including its architecture, design decisions and an elaboration on the imple- mentation details. A conclusion, including an evaluation of the Android platform and the application, summarises this work. This work was done within the scope of the Hochschule f¨urTechnik und Wirtschaft Aalen, Germany, as a bachelor thesis over the course of the 8th semester.
    [Show full text]
  • One Time Passwords
    One Time Passwords fhLUG, Hagenberg, 2016-03-08 One Time Passwords fhLUG, Hagenberg, 2016-03-08 User: jdoe Password: s3cr3t User: jdoe Password: s3cr3t User: jdoe Password: s3cr3t User: jdoe Password: s3cr3t User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t User: jdoe Password: s3cr3t User: jdoe Password: s3cr3t User: jdoe Password: s3cr3t Beweis für Nilpferd User: jdoe Password: s3cr3t Beweis für Nilpferd User: jdoe Password: s3cr3t Beweis für Nilpferd User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd * Bankomatkarte User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd * Bankomatkarte * Fingerabdruck User: jdoe User: jdoe Password: s3cr3t Password: s3cr3t Beweis für Nilpferd * Bankomatkarte * Fingerabdruck * Gerät, das Zahlenreihe ausspuckt otpauth://totp/Google%3A my.email.address%40example.com ?secret=3po4swfazf65e6dkbrlha5lc65fmsh76 &issuer=Google Prominent Open OTP Variants ● S/KEY – 1995, MD4 (MD5, SHA1) – RFC 1760, RFC 1938, RFC 2289 ● mOTP – 2003, MD5 – motp.sourceforge.net ● OATH HOTP – 2005, HMAC SHA1, Counter based – RFC 4226 ● OATH TOTP – 2011, HMAC SHA1 (SHA256),
    [Show full text]
  • Product Information
    MULTI-FACTOR-ATUHENTICATION DESKTOP-INTEGRATION TOKEN SELF SERVICE & SUPPORT LinOTP Product Information ADAPTIVE MFA / LinOTP is an open source, adaptive multi-factor solution for enterprise 2FA AUTHENTICATION environments. LinOTP is vendor independent and provides a wide variety of solutions which allow for an easy integration. Due to its highly modular architecture LinOTP works vendor-independent and supports different aut- hentication protocols, token and user repositories. The software supports multi tenancy, it is easily scalable, user friendly and can quickly and simply be implemented. With the help of LinOTP the highest security standards can effortlessly be achieved by our customers. BASIC TECHNOLOGY OTP LinOTP mainly uses one time passwords (OTP) to increase the security of all types of logon processes. One time passwords offer the advantage that they do not require a driver from the client side. The modular concept allows for the support of OTP-Tokens using different algorithms. LinOTP supports the open algorithms HOTP (event based), TOTP (time based), OCRA (challenge response based) and mOTP. Besides these proprietary tokens like e.g. Vasco DIGIPASS, the sending of one time passwords via SMS and daily passwords can be used. It is irrelevant whether a customer wants to use softtokens or hardware-tokens. The optional use of hardware tokens, which calculate the one time password for the user, can also contribute to increasing the security. Innovations of the OATH-certifi ed version LinOTP 2.8 include features such as FIDO U2F support, registration of FIDO U2F, preparing email and SMS tokens in a self-service por- tal, temporary email and SMS tokens, multiple challenge response tokens per user with identical token PINs and optimized troubleshooting.
    [Show full text]
  • Deploying Low-Cost, Open-Source Multi-Factor Authentication at Scale
    Securing HPC: Deploying Low-cost, Open-source Multi-factor Authentication at Scale Patrick Storm, Cyrus Proctor, Nathaniel Mendoza http://tinyurl.com/tacc-mfa-i2 October 17, 2017 What We’ve Done I Built an infrastructure to offer multi-factor authentication (MFA) to HPC users I Took open-source components that worked and built the rest I Six months to assess; 6 months to build; 1 year in production I Deployed across eight production HPC clusters with 10,000 active SSH accounts TACC MFA | October 17, 2017 | 2 | Storm, Proctor, Mendoza Why We’re Here I Orchestrating a transition to MFA is a challenging enterprise I Cost, licensing, user support, and infrastructure deployment decisions are critical I We’ve created and combined the tools to provide MFA at scale for pennies per user I Details of this low-cost, open-source infrastructure are presented as an information resource to those institutions interested in their own deployments TACC MFA | October 17, 2017 | 3 | Storm, Proctor, Mendoza Why We Did It I Extra layer of security which is beneficial for users and service provider I Most common security breaches are compromised accounts I Password reuse, or poor cyber “hygiene” I We see over 500,000 SSH brute-force attempts per day I Costs associated with security response and system downtime are rising I Widely adopted as good practice TACC MFA | October 17, 2017 | 4 | Storm, Proctor, Mendoza For Us, MFA Needed to… I Be cost effective I Provide increased levels of assurance I Enhance overall service reliability I Allow for opt-in support during
    [Show full text]