Two-factor authentication with smart cards
in the operating system and applications
Replacement of passwords by two-factor authentication with digital certificates on smart cards and USB tokens for Windows and applications in an Active Directory environment
Standard password authentication does not provide a level of security sufficient for modern companies. The following information security risks are associated with password usage:
As a rule, users do not choose complex or long passwords, because these are difficult to devise and memorize. This allows an intruder to guess or crack employee account passwords. Employees also frequently use one and the same password for all applications and services. This makes the problem even worse: having obtained the password to one of the systems, an intruder gains access to all the resources available to the compromised user.
Password disclosure and sharing
An average employee does not make a point of keeping his or her passwords secret and often writes them down right at the workplace. Besides, employees often share their passwords with colleagues, asking them to do something while the password owner is out (send a report, check the mailbox for new messages, etc.). This makes it easier for an intruder to obtain passwords and removes the need for complex technical methods.
Use of passwords by dismissed employees
If the IT service did not block the account of a dismissed employee in time, or simply forgot to do so, the former employee can still gain access to confidential information and pass it to competitors.
One solution to these problems is to use hardware cryptographic devices (smart cards and USB tokens) and a PKI infrastructure for user authentication.
In general, the task of migrating to smart card authentication can be formulated as follows:
- Implement authentication with smart cards or USB tokens and digital certificates on PCs for Active Directory users;
- Implement a strong, pass-through authentication mechanism for business applications on employees' PCs (Enterprise Single Sign-On).
Solving these tasks requires the combined use of Indeed Certificate Manager (Indeed CM) and Indeed Access Manager (Indeed AM).
Two-factor authentication for Active Directory users on PCs
In this variant, smart cards or USB tokens with digital certificates are used for 2FA. This authentication type is supported by Active Directory domains "out of the box", so standard Windows mechanisms can be used.
This approach requires deployment and maintenance of a public key infrastructure (PKI), which creates a number of specific tasks: control of digital certificate validity periods, management of smart cards and certificates (distribution, replacement, unlocking of devices, certificate issuance and renewal), timely revocation of dismissed employees' certificates, etc. Indeed Certificate Manager (Indeed CM) handles all of these tasks and reduces the cost of maintaining the PKI infrastructure. Indeed CM implements the following functions:
- Smart card and certificate lifecycle management based on centralized policies
- Logging of administrator and user activities with secure devices
- Self-service for employees to register / issue / unlock devices
- E-mail notifications on system events
- Key information backup
- Integration with Identity Management systems (access rights management systems) for automatic revocation of dismissed employees' certificates
- Batch issuance of smart cards using a special printer (including printing employee data on the cards)
Indeed CM can work with several Active Directory domains as user directories and with several certification authorities simultaneously, which provides flexibility in a distributed infrastructure.
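Two of the PKI maintenance tasks named above, tracking certificate validity periods and revoking certificates of dismissed employees, can be spot-checked directly against Active Directory. The following PowerShell script is an added example, not part of Indeed CM; it assumes the RSAT ActiveDirectory module and read access to the userCertificate attribute, and it reports smart card logon certificates that expire soon or that are still valid on disabled accounts.

```powershell
# Added example (not Indeed CM code). Assumes the RSAT ActiveDirectory module.
# Finds smart card logon certificates published in AD that either
#   1. expire within $WarnDays (renewal needed), or
#   2. are still valid although the account is disabled (revocation candidates).
Import-Module ActiveDirectory

$WarnDays          = 30
$Now               = Get-Date
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

$report = foreach ($user in Get-ADUser -Filter * -Properties userCertificate, Enabled) {
    foreach ($raw in $user.userCertificate) {
        # userCertificate holds DER-encoded certificates as byte arrays
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # Collect EKU OIDs; skip certificates that are not smart card logon certificates
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        if ($ekus -notcontains $SmartCardLogonOid) { continue }
        if ($cert.NotAfter -lt $Now) { continue }   # already expired, nothing to revoke

        $daysLeft = [int]($cert.NotAfter - $Now).TotalDays
        $finding  = if (-not $user.Enabled)         { 'DISABLED-ACCOUNT-VALID-CERT' }
                    elseif ($daysLeft -le $WarnDays) { 'EXPIRES-SOON' }
                    else                             { 'OK' }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            DaysLeft       = $daysLeft
            Finding        = $finding
        }
    }
}

# Only the actionable rows: revoke the first group, renew the second
$report | Where-Object Finding -ne 'OK' | Sort-Object Finding, DaysLeft | Format-Table -AutoSize
```

Disabled accounts with valid logon certificates should be revoked at the issuing CA as well as disabled, since Kerberos PKINIT validates the certificate chain and revocation status, not only the account state.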
Two-factor and pass-through authentication in business applications
Indeed Access Manager is used for pass-through access to systems that do not support integration with Active Directory. Indeed AM contains the Indeed AM Enterprise Single Sign-On (Indeed AM ESSO) module, which provides the required functions. Indeed AM ESSO implements the single sign-on approach enterprise-wide: the system stores user passwords for applications that require authentication centrally and enters them automatically when an application requests them. The Indeed AM Enterprise SSO technology can be used with any application type (Windows, Web, .Net, SAP GUI), irrespective of the architecture: single-tier, two-tier, three-tier, thick client or terminal applications.
Indeed AM and Indeed CM are integrated with each other, so smart cards and USB tokens issued in Indeed CM are registered automatically in the Indeed AM database. The registered smart cards are then used for two-factor user authentication before Indeed AM ESSO grants access to target applications.
The general scheme of the solution is given below.
Indeed CM and Indeed AM ESSO features
Support for various smart card vendors
Indeed CM is designed to work with different smart cards, and all supported cards can be used within a single infrastructure. The solution architecture is designed so that new smart cards can be supported promptly. The following smart cards are currently supported:
Virtual smart card
Indeed CM supports the Indeed AirKey Enterprise virtual smart card, a software implementation of a smart card that allows all the operations available on a physical secure device. The virtual card can be delivered to a user's PC remotely. For example, this allows a virtual duplicate of a user's smart card to be issued promptly if the user left the hardware card behind or broke it.
Integration with IDM
Indeed AM ESSO supports integration with most popular IDM systems: Microsoft FIM, IBM Tivoli IDM, Solar inRights. The integration has the following benefits:
- The company's information security level increases due to complete automation of the user password life cycle: passwords are created, entered and changed automatically, without user or administrator intervention
- The procedures for granting and obtaining access are shortened to the minimum. A user gains password-free access to all the necessary systems immediately after the new user is registered (e.g., in the HR system) and automatically synchronized.
The ESSO administrator can permit a user to work in offline mode if required, when the enterprise network and ESSO server are unavailable (e.g., due to a network problem or while on a business trip). In this mode, the user's ESSO profile is temporarily stored on his or her PC, and this offline profile is used when the server cannot be reached. The validity period of the local profile is defined by the administrator; when it expires, the local copy of the profile is deleted.