Published by Pierce Glenn. Modified over 9 years ago.
1
Next Generation Two Factor Authentication
2
21st Century Remote Access
Laptop
Home / Other Business PC
Hotel / Cyber Café / Airport
Smart Phone / Blackberry
3
Problems With Passwords
“Social engineering”
Finding written password
  – Post-It Notes
Guessing password / PIN
  – Dog / Kid’s name / Birthday
Shoulder surfing
Keystroke logging
  – Can be resolved with mouse based entry
Screen scraping (with Keystroke logging)
Brute force password crackers
  – L0phtcrack
Who is using your VPN?
4
Two Factor Authentication
Something you know
  – PIN
  – Password
  – Mother’s Maiden Name
Something you own
  – Keys
  – Credit Card
  – Token
  – Phone
Something you are
  – Fingerprint
  – DNA
Two Factor Authentication is two of the above
Example: ATM Cash Machine
  – Something you Know – PIN
  – Something you Own – Cash Card (Chip)
5
Existing Form Factors
Smartcards / USB Tokens
  – End user must remember to carry the card!
  – Smartcards need readers
  – Both need software drivers
  – Remote users can’t use other PCs or Cybercafés
  – Smart phones, Blackberrys, PocketPC etc. are limited by size
  – Requires certificate enrolment and replacement
  – Deployment – Remote users must be sent a hardware device
  – Support – PIN Management & failed tokens must be managed
6
Existing Form Factors
Hardware Tokens
  – End user must remember to carry the token!
  – Deployment – Remote users must be sent a hardware device
  – Token may require resynchronisation
  – Support – PIN Management & failed tokens must be managed
  – Short Term Contractors – Don’t always return the token
  – B2B – One to many companies requires many identical tokens
7
The Next Generation
Mobile Phone based Authentication
Mobile phones solve all the previous issues, however:
  – Adding software to a range of phones is difficult to support
  – SMS at peak times sometimes causes a delay of several minutes
8
Pre-Load vs. On demand SMS
9
The SecurEnvoy Approach
One Time Code
  – Each authentication (good or bad) sends the next required code
  – Each code can only be used once
10 failed attempts in a row disables account and SMS messages (all modes)
Day Code
  – Each day (or set number of days) a new code is sent if used
  – If the current day code hasn’t been used, it’s still secret and will not require updating
  – Each day code can be reused for the current and following day
The first 6 digit passcode is sent at enrolment
Tmp Code
  – A pre-agreed static code that automatically switches back to One Time or Day Code after a set number of days
[Phone display graphics: Passcode 573921; Passcode 347865; Passcode 347865; Passcode 198462]
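The One Time Code rules on this slide (the next code is sent after every attempt, each code is single use, 10 failures in a row disable the account and its SMS messages), modelled as an added Python example. It is not SecurEnvoy code; the class name, the send_sms callback and the in-memory outbox are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 10  # slide: 10 failed attempts in a row disables the account


class PreloadedOtpAccount:
    """Hypothetical model of pre-load SMS: the next code is always already on the phone."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # assumed callback standing in for an SMS gateway
        self.failures = 0
        self.disabled = False
        self._current = None
        self._issue()               # the first 6 digit passcode is sent at enrolment

    def _issue(self):
        code = self._current
        while code == self._current:  # assumption: never re-issue the code just retired
            code = f"{secrets.randbelow(10**6):06d}"
        self._current = code
        self._send_sms(code)

    def authenticate(self, submitted):
        if self.disabled:
            return False            # disabled: nothing is checked and no SMS is sent
        ok = hmac.compare_digest(submitted.encode(), self._current.encode())
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= MAX_FAILURES:
            self.disabled = True    # lockout also stops further SMS messages
            self._current = None
            return False
        self._issue()               # good or bad, retire the old code and send the next
        return ok


def demo():
    outbox = []                     # constructed stand-in for the user's phone
    acct = PreloadedOtpAccount(outbox.append)
    first = outbox[-1]
    results = [acct.authenticate(first)]           # correct code: accepted
    results.append(acct.authenticate(first))       # replay of a used code: rejected
    results.append(acct.authenticate(outbox[-1]))  # newest pre-loaded code: accepted
    for _ in range(MAX_FAILURES):
        acct.authenticate("not-a-code")            # ten bad attempts in a row
    return results, acct.disabled, len(outbox)
```

Because a failed attempt also retires the current code, a code that was observed but mistyped by its owner is no longer valid on the next attempt.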
10
PIN Management
Two Factor Authentication requires something you know & something you own
Why authenticate with two things you know?
Traditional Approach
  – UserID: fred
  – PIN: 3687
  – Passcode: 435891
  – Microsoft Password: P0stcode
The SecurEnvoy Approach
  – UserID: fred
  – Microsoft Password: P0stcode
  – Passcode: 435891
Reuse the Microsoft or other LDAP Password as the PIN
Easier end user authentication experience
No PIN Administration required
Can also support a PIN if required
11
Ease Of Use (Cost) Vs Risk
[Chart: Cost / Use (Cheap / Easy to Expensive / Hard) against Risk (Low Risk to High Risk). Items plotted: Fixed Password, 30 Day Password, Tokens / Smartcards, SecurEnvoy 7 Day Code, SecurEnvoy 1 Day Code, SecurEnvoy One Time Code]
12
Use AD or other LDAP as the database
[Diagram labels: Standard Authentication Solutions; The SecurEnvoy Approach; Active Directory; LDAP Sync; SQL Database; SQL Database Replication; SecurEnvoy Solution; Re-enter user information]
No schema change required
Data Encrypted with 128 bit AES
13
SecurAccess Authentication
Enter 6 Digit Number from Mobile Phone
Something You Know
Something You Own
[Screenshot labels: Andyk; P0stcode; 234836; phone display showing Passcode 573921]
14
Summary
The Next Generation is Mobile Phone Based Authentication
  – Up to 60% cheaper than Hardware Tokens
  – No Software on the phone
  – Must Allow for SMS Delays & Loss of Signal
  – Must Be Easy To Use (6 Digit Display On Phone)
  – Should Re-Use Existing Passwords (Windows) as the PIN
  – Should Use LDAP as the Database
www.SecurEnvoy.com