Authentication solution - SXS

www.asseco.com/see

SxS Authentication solution - SXS · Internet banking, Mobile banking, Phone banking, e-commerce, ATM using a single authentication platform, Enterprise applications and systems:


SxS Single Point of Authentication Solution

Key business benefits

Asseco Authentication Server (SxS) is a two-factor authentication solution specifically designed to meet the regulatory and business requirements of any enterprise (financial institutions, managed service providers, and other organizations). Asseco SxS enables the use of multi-vendor and different types of end-user devices as well as OTP standards, simplifies user experience, increases security, and reduces cost by enabling organizations to apply consistent strong authentication and authorization over multiple service channels, including web and mobile.

Compliance with the EU Directive on Payment Services (PSD2) – SxS is a two-factor authentication solution which supports transaction signing (Sign-What-You-See).

Advanced two-factor authentication – based on biometry technologies (TouchID, FaceID, Fingerprint Scan) with state-of-the-art user experience.

Proven authentication solution – more than fifteen years of development, improvements and deployments.

Agnostic to token manufacturers – SxS supports end-user devices from different vendors.

Multitenancy - SxS server is able to serve multiple client-organizations (tenants) in a single instance (headquarters serves its subsidiaries).

SxS SaaS – the complete SxS authentication solution functionality, available and deployed in a data center which complies with the highest industry standards.

End-user experience high on the priority list – SxS supports Login by QR code, QR code and Push notification authentication.

Prepared to meet the demands of millions of online users – solution modularity as well as high availability and scalability allow meeting the demands for millions of online users (e.g. retail banking).

System flexibility – the system is completely configurable and allows you to combine different authentication schemes with different authentication devices.

Easy user acceptance – reliance on mechanisms familiar to customers - ‘now and tomorrow’ - which means less investment in training campaigns, registration and help desk support.

Return on investment – a single point of authentication service, consolidated across separate business units into a single solution supporting different types of token devices, is a cost-effective solution on the operational level.

Lower deployment costs – supports the OATH standard, supports different combinations of targeted hardware and software platforms.

Key technical advantages

Black box concept – the solution acts as a “black box” towards 3rd-party applications, thus enabling smooth integration and limiting modifications on 3rd party systems in the environment.

Multi-Token support – support for Gemalto, Vasco, ActivIdentity (HID), RSA, Ireth, SmartDisplayer, Feitian, NagraID, EMV CAP.

Authentication methods – One-time Passwords, Challenge/Response (CR), Message Authentication Codes (MAC), Multiple Data Signature (MDS), Host Verification (HV), Login by QR code, QR code authentication, Push notification authentication for the OATH standard. Mode1, Mode2, Mode2 with TDS, Mode 3 and Mode3 with TDS for MasterCard CAP (Chip Authentication Program) and PLA (Perso/PIN less), and VISA DPA (Dynamic Passcode Authentication) support.

Support for the latest MasterCard’s AA4C (Advanced Authentication for Chip) PLA 2010 and CTGS 2010 specification.

Mobile token support – support for iPhones, Android mobile phones.

Administration – rich-featured administration enables easy personalization and monitoring, as well as card profile setups, HSM keys management, detailed transaction history, token synchronization, etc.

Auditing – all transactions are logged, both authentication requests and results, as well as administrator activities; and each log is tamper-proof, digitally signed and time-stamped.

High availability – the solution architecture enables clustering and load-balancing, resulting in high reliability and authentication request workloads.

Platform independence – Java development toolkits provide support for multiple server platforms and operating systems.

[Figure: SxS architecture diagram. Labels: Device; Authentication; Channel / Application / System (Internet banking, Mobile banking, Phone banking, e-Commerce, Brokerage, Government services, Enterprise application and system); User & device administration; SxS Web services; Authentication; User management; Device management; Administrators management; Statistics and Reporting; Hardware Security Module; Risk-based authentication and fraud detection solutions.]

Product components

SxS WS - Authentication service
• Validates authentication requests (OTP, C/R, MAC, MDS, Host Verification, QR code authentication, Push notification),
• Digitally signs and stores authentication - Audit Log,
• Attack Notification (OTP Brute-Force Attack, User Behavior Monitoring).

SxS Admin - Administration web application
• Authentication properties configuration (Authentication types, HSM configuration, Key management, Authentication parameters),
• Authentication device management (Initialization, Enrolment, Status tracking / Blocking, Unlocking, Synchronizing),
• User management (Enrolment, Authentication device assigning, Initial PIN printing, Status tracking / Blocking),
• Administrator management (Roles, Access rights),
• Statistics & Reporting.

SxS Importer
• Used for importing token files and licenses into the SxS database.

SxS Print component
• Used for printing secret PINs and activation codes.

SxS Integration
• Integration API:
    • XML/SOAP,
    • C#,
    • Java,
• SxS MQ connector,
• SxS File Importer.

SxS Provisioning
• Mobile token: application distribution (OTA), activation code generation, application activation,
• Hardware tokens: token import, token personalization.

Extension modules

SxS enables smooth integration and implementation of strong authentication services, to enhance the security of the client's existing infrastructure with the Asseco SxS extension modules:

01 Kerberos agent
02 Pluggable Authentication Module
03 Credential provider
04 Pluggable Authentication and Authorization service
05 RADIUS module

• Cisco: ASA, PIX, ISR Routers (1800, 2800, 2900), VPN
• Fortinet: Fortigate 60C, 100D
• OpenVPN Server
• Mikrotik v4, v5
• Checkpoint

• Access to corporate domain on Windows OS workstation.
• Authentication to Linux/Unix systems.
• Kerberos module – native support on the Windows platform (Citrix, OWA, CRM, ERP).
• Microsoft VDI – secure access to virtual desktops and applications.


Technical details

Operating systems:
• Redhat Enterprise Linux ver. 6, 7
• MS Windows 2008/2012 Server
• IBM AIX ver. 7.0

Hardware Security Module:
• Thales payShield 9000
• Thales nShield Connect
• SafeNet Payment HSM

Application Server:
• JBoss AS 7
• Oracle WebLogic ver. 12c (EE7)

Databases:
• Oracle ver. 11, 12
• MS SQL ver. 2012
• PostgreSQL ver 9+

Devices:
• Asseco Mobile token (event & time based)
• Vasco Digipass tokens
• ActivIdentity (HID) OTP tokens
• Gemalto OATH tokens
• Feitian OATH tokens
• SmartDisplayer OATH display cards
• Ireth HW tokens and Display cards
• RSA Secure ID
• Gemalto and Vasco PCRs
• CAP/DPA compliant EMV smart card

Authentication framework is extendable to support:
• Other token vendors
• ODBC/JDBC data stores
• Remote RADIUS servers

Administration features:
• Device management
• Synchronize
• Unlock
• Assign/un-assign
• Redistribute (mToken)
• Import
• Credential management
• Status (enable/disable)
• Usage statistics
• User and permission management
• User management
• Role management
• Secure audit
• Digitally signed tamper-evident log
• Audit log queries
• Archive and purge
• History validation

[email protected] www.asseco.com/see


Highlights

Two-factor authentication solution.

Wide range of authentication methods and standards: OTP, C/R, MAC, MDS, HV, QR code, Push notification.

• Hardware tokens (OATH based devices: ActivIdentity (HID), Vasco, Gemalto, RSA, Ireth, Feitian),
• EMV CAP/DPA card based authentication (PCRs: Vasco, Gemalto),
• Mobile token application – Android, iPhone,
• Display Cards (CAP and OATH based: HID, SmartDisplayer, NagraID, Ireth),
• SMS OTP, SMS C/R, SMS MAC.

Prevention of client-side attacks: the use of two-factor user & transaction authentication prevents Trojan horse attacks, Phishing, Man-in-the-middle attacks, inside attacks (Man-in-the-browser).

Fully centralized lifecycle management:
• User credentials management (ID, PIN),
• Physical device management (token, card reader),
• Mobile application single point of management.

Multiple banking channels: Internet banking, Mobile banking, Phone banking, e-commerce, ATM using a single authentication platform, Enterprise applications and systems: Windows and Linux logon, Microsoft VDI, Kerberos, Radius module for network access components.

Easy to integrate and maintain: service-oriented architecture integration with 3rd-party applications and modular system administration.