Tectia MobileID – Tokenless 2-Factor Authentication for Juniper SSL VPN Appliances

Vesa Tiihonen, Director, SSH

December 30th 2011


Founded 1995

• Inventor of the Secure Shell (SSH) protocol

• NASDAQ OMX listed public company

Tectia Managed Security solution

• Replacement for unsecured protocols

• Managed File Transfer

Worldwide customer base:

• 7 out of top 10 Fortune 500

• 40% of Fortune 500

[Map labels: Helsinki, Finland (HQ); Boston, USA; Redwood, USA; Hong Kong, China; Kloten, Switzerland]

Contents

• Tectia MobileID Introduction

• Use Cases and Benefits of Tectia MobileID

• Key Differentiators of Tectia MobileID

• Juniper Technology Alliance

• SSL VPN Login Use Cases

• Tectia MobileID integration with Juniper SSL VPN

• Summary

The Best 2-FA Solution in the Market

The Next Generation Authentication Platform

• Multi-factor appliance designed specifically for on-demand and out-of-band authentication,

• Based on high quality SMS One-Time-Password (OTP) as the main strong authentication delivery method,

• Also supports ALL OTP delivery methods, such as password lists, email OTP, Voice OTP, Instant Messaging OTP, and any OATH compliant hardware and software tokens (e.g. Google Authenticator),

• Fully customizable,

• Operator Grade SMS Messaging Connections Out-Of-The-Box.

SMS authentication use cases

When to consider tokenless login

Benefits of using Tectia MobileID

Benefits of using Tectia MobileID

Fraud prevention and password management with SMS OTP

• Proactively lock end user accounts after N failed login attempts

• Notification of locked account via SMS

• Permit account re-activation via SMS

• GeoIP match on Mobile device location

• Permit forgotten password/PIN reset via SMS, eliminating the need for helpdesk services

Lock my account

Unique Differentiators of Tectia MobileID

Unmatched scalability and reliability

• Scales to millions of concurrent users

• Operator grade SMS delivery world-wide with SLA-guaranteed throughput times

• Certified to work with

• In live production since 2003

• Modular architecture that provides service provider-grade scalability, customization and control of network conditions and business logic

Unmatched TCO and ROI

• Flexible pricing models with pay-per-active-users on a monthly basis

• Low TCO

- Example 5-year TCO:

- for 250 RSA SecurID users: $140,000 (RSA Whitepaper)

- for 250 MobileID users: $38,000 (excluding SMS traffic; 0.04-0.09€ per message)

• Practically ZERO administration; new users activated instantly

• Tokenless solution – No logistics overhead

No extra or hidden costs!

Tectia MobileID – Fast deployment and activation

Add/remove traditional token user vs. MobileID:

ADDING NEW RSA USER

1. Admin creates token user account and delivers the account details i.e. via e-mail

2. Admin adds token serial number to the new account and synchronizes the token.

3. Admin packages the token, user instructions and letter on the token terms of use and mails it to the user.

4. Admin informs the new user that token will be delivered within a few days.

5. User eventually receives the token and reads the instructions and terms of use.

6. Assuming that token has not become out-of-synch, or has not broken during delivery, and that user knows how to use token, etc., user successfully logs in using the token.

REMOVING A RSA USER

1. Admin removes / disables the account

2. Admin notifies the user that the token should be returned via courier.

3. If user fails to return the token, or it's lost then admin must initiate cost recovery procedures or the company must pay for a replacement token.

4. Admin eventually receives the token.

5. If the token is damaged then admin must initiate cost recovery procedures or the company must pay for a replacement token.

6. Admin notifies the user that token was correctly received and intact.

7. Admin marks the token as "returned" and adds the token serial to a pool of free tokens

ADDING NEW MOBILEID USER

1. User successfully logs in.

REMOVING A MOBILEID USER

1. Admin removes / disables the account.

Tectia MobileID – Superior end-user experience

• No end-user training needed

• Use 100% intuitive with Flash SMS

• No changes to existing login process

• Works on any phone, anywhere in the world

So easy it makes your customers smile – guaranteed!

Tectia MobileID – multi-use authentication platform

Tectia MobileID can solve ANY ad-hoc multi-factor authentication problem:

• 2-factor authentication for SSL VPN access (RADIUS)

• 2-factor authentication for Web Services and portals (SOAP)

• Solving Man-in-the-Browser / Man-in-the-Middle threats with Out-Of-Band authentication

• Multi-domain (LDAP) support

• MS Outlook Web Access

• Instant Messaging OTP

• Any custom ad-hoc on-demand multi-factor authentication use case

• 2-factor SMS OTP for MS Windows logins

• Supports ALL OTP techniques: email, lists, OATH tokens, Voice, etc.

• Cloud-based SMS OTP available Out-Of-The-Box

• OTP and business logic for online banking transaction verification

Tectia MobileID mRules framework

Custom business logic for Authentication, Authorization and Access (AAA)

• New authentication methods can be added and the existing ones extended

• Authentication methods can be chained, triggered, scheduled, etc.

• Network packets (i.e. RADIUS) can be re-written, routed, scheduled, etc.

Sample custom access rule

Juniper Technology Alliance

• Protect against unauthorized access to your critical business information

• Reduce your IT administrative workload and hard costs,

• Easily scale with tokenless One-Time-Passwords delivered via SMS,

• Be up and running in hours, not weeks or months!

Juniper SSL VPN with SSH’s MobileID:

Full turnkey 2FA solution without the challenges of first generation two-factor authentication!

Direct integration to existing corporate infrastructure

[Diagram labels: Remote user; Internet; Firewall; SSL VPN; AD / LDAP; Third party Gateway or Integrated Tectia Messaging service; Operator grade global 3G network; One-time password; 958482. Sample SMS shown: "Hello Jane, Your SMS password is 949372"]

Authenticating using SMS One-Time Password

Scenario 1 – SSL VPN login

On-demand SMS password for two-factor authentication

And you’re logged in!


Scenario 2 – Login with pre-distributed SMS

And you’re logged in!

Technical integration with Juniper SSL VPN

Adding a new RADIUS Server to Juniper SA VPN


Adding a new RADIUS Client to MobileID


Connecting MobileID to AD / LDAP


MobileID is LIVE – Start using it!

Tectia MobileID Web Admin Interface

Administer the Virtual Appliance

Viewing Tectia MobileID Logs in Real-Time

Try Tectia MobileID Live Today!

• Live VPN demonstration for anyone, anywhere, free-of-charge:

• Juniper SSL VPN login:

• Register here: http://mobileiddemo.ssh.com/pub/index.php?plugin=register&app=juniper

• Login and demo here: http://mobileiddemo.ssh.com/pub/index.php?plugin=testing&app=juniper

Summary

Tectia MobileID

• Operator grade messaging capabilities

• Integrated HA messaging

• Allows ad-hoc use

• Highly scalable

• Framework for customized login methods

• Certified for Juniper SSL VPN

Competitive Solutions

• Typically no operator messaging support

• No High Availability (HA), requires purchasing and configuring 3rd party messaging service or product

• Accounts must be registered and provisioned to work

• Typically for SME use only

• Typically only few pre-defined methods available

Vesa Tiihonen, Director

[email protected]

www.ssh.com

Thank You!