If I remember correctly, the problem I will highlight today started at the Massachusetts Institute of Technology in the 1960s, when the world's first multi-user computing environment was built and, with it, the need to separate users with accounts and passwords: a mechanism that separates the intended users of protected data from the "others". But let's face it. How secure are static passwords that hardly ever change? Passwords written on notes stuck around the office or under the laptop? With GDPR around the corner we now have another good reason, and another whip, to secure data properly. This must change, and this is where Verisec's product Freja ID enters the scene.

Freja ID provides two-factor authentication by verifying one-time passwords. Applications talk to it over the RADIUS or SOAP protocol, user accounts are taken from a directory such as Active Directory, and the one-time passwords are generated by tokens and combined with a static password or PIN. Tokens come in three kinds: soft (software), virtual and hardware. Google Authenticator and Microsoft Authenticator can be used as software tokens at no extra cost; they are set up by scanning a QR code. Virtual tokens deliver the OTP out of band by SMS or e-mail. Hardware tokens are... well, small physical devices, and probably still the most common way to distribute OTPs to users today.

A one-time password (OTP) is, as the name says, valid only once, for a single login or session. Once it has been used it is worthless to anyone who somehow gets hold of it. Since the OTP is always combined with another password or PIN, a lost token is useless on its own. It is also extremely important to protect your software token and phone with a code or fingerprint. Note that biometric unlock can be weaker than a code: both a fingerprint and facial recognition can be used on you while you are asleep. A token displays only a series of digits that changes in what looks like a random pattern. Behind the series there is of course an algorithm and a moving factor (a counter or the time), and the token and the server providing the login share the same secret, which is what keeps the two in sync. How this works in detail is too much for this article, but might be something to write about another time. The picture below shows how Freja ID fits together.
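To make the "algorithm and moving factor" concrete, here is an added example (my own illustration, not Freja ID's or Verisec's code) of a counter-based OTP as specified in RFC 4226 (HOTP), together with the server-side bookkeeping that gives a code its one-time property: the verifier remembers the counter at which it last accepted a code, only looks a small window ahead of that, and moves the counter forward on success, so a used code, or any older one, is rejected. The secret is the RFC 4226 test key, not a real credential, and the `Token`/`OtpVerifier` classes are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example, not Freja ID's or Verisec's code. The secret is the
# RFC 4226 test key and is used here only so the output is reproducible.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter (the moving
    factor), then dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Client side (think hardware token): keeps its own copy of the counter
    and advances it on every button press, whether or not the code is used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side: remembers the last counter a token was accepted at and
    accepts a code only if it lies in a look-ahead window *after* that
    counter. Anything at or before it has been burned, so replay fails."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resync: c and everything before it is now used up
                return True
        return False


def demo() -> dict:
    token, server = Token(SECRET), OtpVerifier(SECRET)
    first = token.press()
    results = {
        "first_use": server.verify(first),  # True
        "replay": server.verify(first),     # False: already consumed
    }
    # The user pressed the button three times without logging in; the token
    # is now ahead of the server, but still inside the look-ahead window.
    skipped = [token.press() for _ in range(3)]
    results["after_skips"] = server.verify(token.press())   # True, server resyncs
    results["old_code"] = server.verify(skipped[0])         # False, it is behind the counter now
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off: large enough that a few accidental button presses do not lock the user out, small enough that an attacker cannot guess ahead cheaply. A time-based token (TOTP, RFC 6238) replaces the counter with the current 30-second time step and keeps the same HMAC-and-truncate core.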

On the server side, Freja ID is delivered either as a physical appliance or as a virtual machine, depending on your organisation's security requirements and preferences. The physical appliance can add an extra layer of protection by including a Thales nShield PCIe HSM for the cryptographic operations, and both appliances and virtual machines can alternatively be integrated with a standalone network HSM. Freja ID runs on Ubuntu Linux, so there is no expensive OS licence to pay for.

Token enrolment is done through the Self-Service Portal (SSP). It is designed so that end users can provision their tokens themselves, unlock a token that has been locked for some reason, and change or reset their PIN, among other things. Since the SSP has to sit in the organisation's DMZ (at least if you want to offer the service over the Internet) to publish these functions to end users, it is of course an extra attack surface for anyone who wants to do harm. Therefore no end-user data is stored on the SSP itself; it relies on an LDAP directory for that. Communication between all components in the Freja ID infrastructure is encrypted with TLS, including of course between the SSP and the organisation's LDAP directory. Freja ID ships with a self-signed certificate, but the recommendation is to replace it with a server certificate issued by a publicly trusted certificate authority. I would go further and call that a must for any production environment. Beyond TLS, Freja ID uses additional techniques to resist attacks: channel separation, certificate validation and pinning, the OCRA algorithm (RFC 6287) for one-time password generation, and detection of jailbroken or rooted devices.

So is Freja ID "just" a one-time password service that generates numbers? Well, no. It can also be used in Sign Mode. In Sign Mode the Freja ID application on your mobile device displays more information about what the end user is about to approve or execute, be it a login to a service or the signing of an agreement. The biggest difference, though, is that the Sign process is more automatic than OTP mode: the end user is not required to type in a one-time password manually. When a transaction is started in the organisation's application, the user receives a description of that action, waiting for approval, in Freja Mobile. The user enters the PIN or uses biometrics to approve it, and the request is then processed automatically: the OTP is computed in the background by the Freja mobile app and validated on the server side.
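The Sign Mode flow above, and the OCRA algorithm mentioned earlier, fit together as a challenge/response: the server issues a challenge for one specific transaction, the app computes the response from the shared secret and that challenge after the user has approved, and the server checks it once. Here is an added example of that exchange built on RFC 6287 OCRA (suite `OCRA-1:HOTP-SHA1-6:QN08`, a one-way response with an 8-digit numeric challenge). It is my own illustration, not Freja ID's or Verisec's code: the key is the RFC 6287 test key, the `SignServer` and `MobileApp` classes, the way the challenge is derived from a nonce and the transaction text, and the transaction texts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example, not Freja ID's or Verisec's code. The key is the
# RFC 6287 test key so the values are reproducible; never use it for real.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"   # HMAC-SHA1, 6-digit response, 8-digit numeric challenge
SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP dynamic truncation (RFC 4226 section 5.3)."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def ocra(secret: bytes, suite: str, question: str) -> str:
    """RFC 6287 response for a suite whose only data input is the challenge Q.
    DataInput = suite || 0x00 || Q, where a numeric Q is written as hex and
    right-padded with zeros to 128 bytes."""
    digits = int(suite.split(":")[1].split("-")[2])
    q_hex = format(int(question, 10), "X").ljust(256, "0")
    data = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    return _truncate(hmac.new(secret, data, hashlib.sha1).digest(), digits)


def make_challenge(description: str) -> str:
    """Fresh 8-digit challenge for one transaction: a random nonce mixed with
    the transaction text, so signing the same text twice gives new challenges."""
    digest = hashlib.sha256(secrets.token_bytes(16) + description.encode()).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** 8).zfill(8)


class SignServer:
    """Organisation side: one challenge per transaction, consumed on first use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # txid -> (description, challenge)

    def start(self, description: str):
        txid = secrets.token_hex(8)
        self.pending[txid] = (description, make_challenge(description))
        return txid, self.pending[txid]

    def approve(self, txid: str, response: str) -> bool:
        entry = self.pending.pop(txid, None)  # single use, right or wrong
        if entry is None or response is None:
            return False
        _, challenge = entry
        return hmac.compare_digest(ocra(self.secret, SUITE, challenge), response)


class MobileApp:
    """User side: shows the description, demands the PIN, then computes the
    response itself. The user never types the one-time password."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin

    def prompt(self, description: str, challenge: str, entered_pin: str):
        print(f"Approve? {description}")
        if not hmac.compare_digest(entered_pin, self.pin):
            return None  # wrong PIN: nothing is sent back
        return ocra(self.secret, SUITE, challenge)


def demo() -> dict:
    server = SignServer(SECRET)
    app = MobileApp(SECRET, pin="1234")

    txid, (desc, challenge) = server.start("Login to VPN from 203.0.113.5")
    response = app.prompt(desc, challenge, "1234")
    approved = server.approve(txid, response)   # True
    replay = server.approve(txid, response)     # False: challenge already consumed

    # The response is bound to its own challenge, so it cannot approve a
    # different transaction that was started later.
    txid2, (desc2, challenge2) = server.start("Sign agreement 4711")
    cross = server.approve(txid2, response)     # False
    return {"approved": approved, "replay": replay, "cross_transaction": cross}


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is in `approve`: the challenge is popped from the pending table before the response is even checked, so one transaction gets exactly one attempt and a captured response cannot be replayed or moved to another transaction. The description shown to the user is what they are actually approving only because the server ties it to that one challenge.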

So, as the title says, the old way, or should I say the current way, of using passwords should be eradicated as soon as possible. Static passwords are not secure, least of all the ones that are never required to change (every 60 days or so). One-time passwords are not the new kid on the block either, but a solution like Freja ID from Verisec makes implementing OTP really straightforward with a well-designed and well-packaged product. The Freja ID GUI can also be branded with your organisation's colours, logo and so on. Licensing and cost? Straightforward licensing at an affordable price for a mid-size company.

 

Contact us and we'll tell you more about how you can put a mythological deity to work in your business!

 

Juha Nikumaa
Project Manager & Information Security Consultant