Two-factor authentication (2FA) resistant to phishing

    Last month everyone and their dog was writing that 2FA (two-factor authentication) is in danger because of the quality of fake pages. In fact, the title of this article parodies one of those posts on Habr. Of course, 2FA comes in different forms. In some "very advanced" European banks you can still get a paper sheet of one-time TAN codes.

    But for several years the industry has not stood still, and instead of one-time TAN / PIN codes delivered by SMS or through applications like RSA Token, Steam Guard or Google Authenticator, there are other options.

    Here is the video; we are interested in the very first scenario. What is happening?



    In short


    1. The user logs in to the application. The application does not perform authentication itself; it redirects the user to their access control system.
    2. The access control system (IAM - Identity & Access Management, SSO - Single Sign On) activates the Single Sign On application on the user's smartphone.
    3. The user sees on the smartphone screen that a request has arrived (who, from where, etc.), authenticates and allows access.
    4. The IAM system gets the green light and returns the user to the application, attaching the access permission along the way.

    Questions


    • Q1: Where does the user enter anything into their computer?
    • Q2: Where, to put it politely, can fake pages go?

    I understand that other questions may arise now, so:

    Read more


    1. The user logs in to the application. The application does not perform authentication itself; it redirects the user to their access control system.

    * This works not only for websites, but also for desktop and mobile applications. A typical example in a business environment: applications from MS Office 2013+ (strictly speaking, 2010+, but there everything was very rough).

    * Standards and protocols for integration with IAM / SSO systems (SAML, OAuth, OpenID Connect) have existed for many years, backed by giants like Google and Facebook and by the open source community. There are plenty of libraries, SDKs, etc. So only the lazy have not integrated.

    * Integration involves exchanging certificates between the SSO / IAM system and the application - good luck forging those.

    2. The access control system (IAM - Identity & Access Management, SSO - Single Sign On) activates the Single Sign On application on the user's smartphone.
    * Normal and advanced systems let you configure 2FA parameters flexibly:

    • by application (mail / finance - important; the corporate gym schedule - possible without 2FA),
    • by authentication type in the authenticator application (mail - fingerprint / PIN; finance - a full long password),
    • by context, etc. (IP range: inside the office or at an airport; which device: is it corporate, does it comply with the compliance policy, etc.).

    * This makes interesting scenarios possible. For example, take access to the same financial application:

    • Corporate laptop in the office - SSO through a certificate; the user simply gets in with no questions asked, but only if the laptop has passed the Health Attestation check (antivirus, firewall, etc. have reported that everything is OK).
    • The same laptop outside the office (at home, on the road) - 2FA.
    • [optional] The same laptop outside the office on the VPN - password.
    • Your own laptop - access is denied, and even knowing the password and having the VPN client installed will not help, because the corporate MDM system is wired into the checks.
    • But you can view the corporate gym schedule from your own laptop / phone - after 2FA.
    • And if you want to do that from your own device without 2FA - register the device in the corporate MDM (with separation of private and corporate data), and then you can go without 2FA.
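    The scenario list above, written out as an access-decision function (an added example, not code from the article or any IAM product; the field names and the fallback to 2FA when Health Attestation fails are assumptions):

```python
from dataclasses import dataclass

@dataclass
class Context:
    """Signals the IAM system evaluates for one access request (hypothetical model)."""
    app: str                # "finance" (important) or "gym" (low value)
    device_corporate: bool  # device is enrolled in the corporate MDM
    health_ok: bool         # Health Attestation passed (antivirus, firewall, ...)
    location: str           # "office", "vpn" or "outside"

def decide(ctx: Context) -> str:
    """Return the authentication the user must complete, or "deny"."""
    if ctx.app == "gym":
        # Low-value app: personal devices get in after 2FA, MDM-enrolled ones straight away.
        return "sso" if ctx.device_corporate else "2fa"

    # Financial application from here on.
    if not ctx.device_corporate:
        # Personal laptop: the MDM check fails, so password and VPN client do not help.
        return "deny"
    if ctx.location == "office":
        # Certificate SSO only if the laptop attested as healthy; otherwise fall back
        # to 2FA (assumption: the article does not say what happens on a failed check).
        return "certificate" if ctx.health_ok else "2fa"
    if ctx.location == "vpn":
        return "password"
    return "2fa"  # corporate laptop outside the office, no VPN
```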

    3. The user sees on the smartphone screen that a request has arrived (who, from where, etc.), authenticates and allows access.

    * Note that with this approach the user, even while at a New Year's corporate party, will immediately see if someone is trying to access their resources.

    But instead of tearing your hair out, you simply reject the access request and carry on with the cultured rest, and afterwards the security department (IB) will sort it out from the log files.

    * Also, the real user's password does not appear anywhere, and nothing is typed into the web page / application - fake or real.

    4. The IAM system gets the green light and returns the user to the application, simultaneously attaching the access permission.

    * The permission (SAML Assertion) is signed with the IAM system's digital signature (EDS) and is valid only for this session - it simply cannot be forged.

    * The permission may contain additional access parameters: role, restrictions (closing certain sections of the portal), a time window for reauthentication, etc.

    * Also very useful (but it has to be supported on both sides) - Just in Time Provisioning, i.e. dynamic account creation in the application.

    If 10 people join the company and each of them needs 10 accounts created, what is the likelihood that the admins will screw something up, and how long will it take to fix later? With JIT Provisioning, the application receives the data from the IAM system and creates everything automatically. Salesforce is a good example.
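    The application-side checks on the assertion from step 4 (signature, session binding, validity window) together with JIT provisioning from its attributes, as an added example that is not code from the article or any IAM product. The HMAC key stands in for the IAM's certificate-based XML signature, and all names, URLs and sample values are assumptions:

```python
import hashlib, hmac, json
from typing import Optional

IAM_KEY = b"demo-iam-signing-key"           # constructed stand-in for the IAM signing key
APP_ID = "https://finance.example.com"       # this application's entity ID (assumed)

def _mac(assertion: dict, key: bytes) -> str:
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(subject: str, role: str, request_id: str, audience: str,
          now: float, ttl: int = 300, key: bytes = IAM_KEY) -> dict:
    """What the IAM returns once the user approved the push request on the phone."""
    assertion = {"issuer": "https://iam.example.com", "subject": subject,
                 "audience": audience, "in_response_to": request_id,
                 "not_on_or_after": now + ttl, "attributes": {"role": role}}
    return {"assertion": assertion, "sig": _mac(assertion, key)}

def verify(signed: dict, pending_request_id: str, now: float,
           key: bytes = IAM_KEY) -> Optional[dict]:
    """Accept the assertion only if it is authentic and bound to this session."""
    a = signed["assertion"]
    if not hmac.compare_digest(_mac(a, key), signed["sig"]):
        return None   # altered or forged: signature does not match
    if a["audience"] != APP_ID:
        return None   # issued for some other site, not for this application
    if a["in_response_to"] != pending_request_id:
        return None   # not the request this session started: replayed elsewhere
    if now >= a["not_on_or_after"]:
        return None   # validity window has passed
    return a

def jit_provision(accounts: dict, assertion: dict) -> dict:
    """Just in Time Provisioning: create the account on first login, refresh the role."""
    acct = accounts.setdefault(assertion["subject"], {"created_by_jit": True})
    acct["role"] = assertion["attributes"]["role"]
    return acct
```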

    In conclusion


    The topic could be developed for a long time; there are many options. What matters is that everything described above is not science fiction but quite real things that any organization with a headcount from 1 to 100,000 people can afford.

    Naturally, if there are a lot of clumsy old applications, everything gets harder, but in typical scenarios an implementation timeline of under 1 month is realistic.

    An important nuance: the IAM system must be able to work with MDM (the mobile device management system, which also covers laptops / PCs); otherwise the proper level of security cannot be ensured (while keeping a reasonable level of simplicity).

    The two largest solutions (according to Gartner MQ 2018):

    * Microsoft Azure AD Premium P2 + Intune or MS 365 E3 / E5

    It fits perfectly with organizations (especially large ones) implementing Office 365 or moving to the Azure cloud. There are a couple of licensing pitfalls (such as a separate per-authentication 2FA fee in some packages), which is compensated by a bunch of integrations with other MS and Azure products (including mobile applications), analytics, AI, etc.

    As an option, MS ADFS (Active Directory Federation Services) lets you implement many things yourself and without the cloud (including things Azure still cannot do), but you literally have to sew a patchwork quilt, integrating and supporting various products from different vendors.

    * VMware WorkSpace ONE

    In 2014 VMware bought AirWatch, the undisputed (to this day, including MQ 2018) MDM / EMM market leader, and extended its functionality with its own solutions.

    There are not as many bells and whistles as with Microsoft, but it works not only in the cloud; there are more integration opportunities, more supported platforms (and often more functionality on Mac and Android), an ecosystem not tailored to Microsoft alone (unlike Intune / Azure AD) with many integrations with specialized vendors (security, Threat Intelligence, Threat Management), simpler licensing and, as a result, small organizations can afford the "grown-up" features without paying extra.

    Both solutions support Windows 10 Modern Management. The WinM MDM protocol was developed (as far as I know) using AirWatch.

    In general, it's time to wrap up. I think there are still holes in the story. If you have questions, ask. Happy upcoming holidays!
