Protection of published
corporate resources

2FA in web applications, VPN and VDI

access manager

Making a company resources accessible remotely increases the risk of unauthorized access to critical business information drastically. The required protection level can only be reached by using modern user authentication methods. The Indeed Access Manager (AM) solution makes it possible to use two-factor authentication (2FA) methods in a broad range of corporate applications. This, in turn, allows for building of unified 2FA system for accessing the resources available from outside the company’s network.

Task description

  1. To provide for two-factor authentication using one-time passwords in published corporate services:
    • Web applications
    • VPN server
    • VDI
  2. To implement a Web Single Sign-On solution for pass through to web applications.

Solution

2FA in IIS web applications

We developed a special integration module IIS Extension for authentication in the applications that use Internet Information Services (IIS). This module provides for two-factor authentication in such applications without modifying their code. After supplying the username and password, the user is redirected to a separate authentication page to authenticate himself or herself with one-time password. IIS Extension can be used with any web application, such as Outlook Web Access, Sharepoint, Skype for Business, RD Web Access etc. For applications that do not use IIS, the integration using software interface (web API) is possible.

2FA in VPN

Integration to VPN services is carried out using the RADIUS protocol, supported by overwhelming majority of VPN solution manufacturers, such as Cisco ISE, Citrix Netscaler etc. Two-factor authentication is implemented using the Challenge-Response mechanism, which is embedded into RADIUS: at the first stage, the user supplies his/her username and password. The RADIUS server verifies the user data, and, if correct, prompts the VPN service user for the second authentication factor - one-time password. The RADIUS server is based on the Microsoft Network Policy Server (the service is included into Windows Server) and special extension for 2FA.

2FA in VDI

To integrate into virtual desktop systems, two-factor RADIUS Challenge-Response authentication is used as well. This is supported by many VDI products, such as VMWare Horizon and Citrix XenDesktop. If using Microsoft technologies, the two-factor authentication can be added to remote access service at the Remote Desktop Web Access server (using IIS Extension).

2FA in Web SSO (SAML IdP)

Web single sign-on allows for significant increase of user work efficiency by making it possible to access web applications after single authentication. 2FA provides for retaining the high level of information security without compromising the convenience of use. To integrate it into target solutions, the SAML 2.0 international authentication standard is used to provide for compatibility with wide range of various systems. The WebSSO and 2FA loop might include not only corporate on-premise applications, but also the cloud services, such as Office 365 and G Suite (former Google Apps).

2FA in ADFS

The ADFS authentication support allows for both increasing the target system security by using 2FA, and building of Single Sign-On (SSO) solution, sparing the users from muliple authentication during a single session. A combination of 2FA and SSO approaches increases the information security level significantly and employee efficiency at the same time.

The general scheme of the solution is given below.

Two-factor authentication scheme

Indeed AM features

Higher security level

Two-factor authentication increases the protection level of a company corporate resources significantly. The AK Cloud technology provides for convenient and secure user authentication method based on cryptographically protected push notifications.

Solution flexibility

Any HOTP and TOTP compatible one-time password generators can be used. No restriction on application or device vendor is placed. You can use all supported OTP authentication technologies within one infrastructure: mobile applications, OTP-keys from various vendors, SMS and Email messages, AirKey Cloud. The support of various mechanisms of integration into target systems (RADIUS, SAML, ADFS, IIS Extension, Web API) makes it possible to create a unified authentication environment in all the required applications.

Quick implementation

Sending OTP via SMS and email does not require registering or any other actions on the user part. Therefore, you can start using two-factor authentication immediately after the server infrastructure is installed and set up. The 2FA system uses existing user directories (AD, LDAP, SQL etc.), which facilitates both the deployment and management.

Various authentication technologies

Online and offline authentication

Indeed Access Manager supports authentication both in online mode, when SMS message, email message or push notification with one-time password is sent to a user, and in offline mode, when a user can generate one-time password at his/her side using the corresponding application or hardware key.

Support of TOTP and HOTP OATH authentication standards.

The Time-based One-time Password Algorithm (TOTP) and HMAC-based one-time password (HOTP) standard algorithms are used to generate and verify the one-time passwords. These algorithms are widely used in the industry and provide for required level of security and compatibility for 2FA systems. This allows for using of any application or device compatible with TOTP or HOTP for authentication via Indeed Access Manager.

Push notifications

The Indeed AirKey Cloud technology can be used for user authentication. It provides for sending push notifications to a user smartphone in order to confirm login operation. The technology is based on asymmetric cryptography using private and public keys. This approach makes it possible to provide the users with customary and convenient authentication confirmation method, as well as higher information security of client-server communication.

User self-service

The users are provided with self-service web application that can be used to register and to manage authentication technologies available. Thus, it is possible to provide users with convenient mechanism of authentication management, available from any PC.

LEARN MORE
ASK A QUESTION IN A LIVE CHAT ON OUR WEBSITE
  • about implemented projects
  • about comparison with competitors
  • about prices and licensing
  • about required hardware
Indeed chat
industry about us
In the report from March 21, 2016 by KuppingerCole Indeed Identity was mentioned as “a specialist vendor” in access management market segment that delivers solutions for authenticating users, encrypting messages, and securing information on mobile phones.
KuppingerCole
Europe’s leading Analysts on the topics of Information Security in the era of Digital Transformation
"Indeed Identity is the company of professionals in the field of information security. They provide top-level solutions for PKI management and access control to corporate resources. We recommend this company as a reliable partner."
Sergey Yeliseyev
X-Infotech Owner, Business Development Director, Government eID solutions
Indeed Identity has been the Softline important partner for a very long time. Together, we realized a number of successful projects in many economic spheres. International corporations choose Indeed ID due to reliable software, competitive prices and great service.
Michael Lisnevsky
Softline group, Head of regional promotion of information security