Common terms and definitions (wiki) Auth.as
Prerequisites for using two-factor authentication
In the modern world, data is the most valuable resource a company handles, which brings greater attention to the security of, and access control for, IT systems. Most modern systems and applications provide remote data access for their users, and this exposes them to data leaks, credential theft and interception of network traffic on unsecured networks. A new approach is needed to make remote data access truly safe. Today, using a second authentication factor is the easiest and most convenient solution for everyday use.
Not to be confused with “Authorization”. In our case, it is the procedure of checking a user’s authenticity by comparing the typed username and password with the values stored in the database. The real-life analogue is a person being asked to present a passport (ID) to identify himself and prove that he is not hiding behind someone else’s identity.
Not to be confused with “Authentication”. It is the granting of permissions to a person to perform certain actions within the system, and also the checking and enforcement of those permissions when the user performs such actions. The real-life example is a visa in your passport: it means you are authorized to visit the country that issued it.
Everybody knows what a login and password are: the user account data for access to an internet bank, a production system or just a mailbox. This data is called the “first authentication factor”, and there is always a risk that it becomes known to outsiders. The second authentication factor is an extra password generated on a mobile device that is physically and logically independent of the target system.
In our case, it is a variable-password generator. There are two types of tokens:
- Hardware token: a small key-fob or calculator-style device that produces variable passwords. It works autonomously, is powered by batteries, and requires additional synchronization with the service.
- Software token: a mobile application with a simplified synchronization procedure and extra protection functions. It also works autonomously and is preferable to a hardware token: easier to deploy, restore and manage, and cheaper.
Types of passwords when using two-factor authentication
- SMS messages: can be intercepted or simply fail to reach the recipient, and cost extra money;
- Scratch cards with one-time passwords: often scratched off completely and stored on the PC; they also cost extra money to issue and are a pain to deliver to the end user;
- Various USB sticks storing keys and certificates, and session calculators: more reliable, but extremely inconvenient to use, and they also cost extra money;
- Biometric authentication systems: reliable, but quite expensive, inconvenient and very rare;
- Variable-password generators (hardware tokens, mobile applications): a very flexible, convenient, independent and widespread way to obtain a second-factor password. Imagine a password that has only one valid value during a short time period, known only to the server and the user. Interception of this kind of password is impossible: it is not transmitted in advance but generated locally on the user’s device, using logic known only to the server and the user.
HOTP (HMAC-based One-Time Password algorithm)
One of the ways to generate variable passwords, based on a shared secret key and a time-independent event counter (RFC 4226).
TOTP (Time-based One-Time Password algorithm)
One of the ways to generate variable passwords, based on a shared secret key and the current timestamp (RFC 6238). We use a 30-second time step for one-time password generation.
The API is the most convenient and flexible way to interact with the AUTH.AS service. It works over HTTP with the connection encrypted by SSL (HTTPS). The main API function is to accept authentication requests and reply to them. Extended API functionality includes user account management (create, delete, suspend a user). HTTPS secures the network traffic without a drop in service performance.
The RADIUS protocol is designed to authenticate, authorize and account for accessed resources, and to transfer the collected data between the core platform and endpoint equipment. It allows Cisco routers and firewalls to interact with the AUTH.AS system directly. Unlike the HTTPS API, which is a programmable custom interface, RADIUS is a standard protocol, which guarantees compatibility across all RADIUS-capable devices, such as those from Citrix, Juniper, Microsoft, VMware and many others.
The Lightweight Directory Access Protocol is used to access Microsoft Active Directory services. LDAP is a relatively simple protocol that allows authenticating, searching, comparing, adding, changing or deleting accounts in an AD infrastructure. The AUTH.AS service can work via LDAP to access the company’s user list directly, making the local company admin’s work easier by avoiding manual user entry into the AUTH.AS console. LDAP interaction should also be established over SSL.
Functionality that prohibits using a time-based password more than once. In ordinary systems a one-time password remains valid and accepted for the whole of its time period, which gives an outsider more opportunity to use stolen credentials.
Aside from our standard event log server, there is an extra option for remote logging, which sends all events to remote control systems, monitoring systems and log storage.
Get additional security by receiving all authentication events of your account on your phone in real time. This option is available to privilege-level users. It can also be used for self-maintenance of your token: connecting, disconnecting, suspending and un-suspending it.
This option allows event-based (HOTP) hardware tokens to be synchronized in background mode (with no service delays).