
Making company resources accessible via remote connection drastically increases the risk of unauthorized access to critical business information. The required level of protection can only be reached with modern user authentication methods. The Indeed Access Manager (AM) solution makes it possible to use two-factor authentication (2FA) in a broad range of corporate applications, which in turn allows building a unified 2FA system for accessing resources from outside the company's network.

Task description

  1. Provide two-factor authentication with one-time passwords for published corporate services:
    • Web applications
    • VPN server
    • VDI
  2. Implement a Web Single Sign-On solution for pass-through access to web applications.

Solution

2FA in IIS web applications

We developed a dedicated integration module, IIS Extension, for authentication in applications that run on Internet Information Services (IIS). The module adds two-factor authentication to such applications without modifying their code. After supplying the username and password, the user is redirected to a separate authentication page to enter a one-time password. IIS Extension can be used with any IIS-hosted web application, such as Outlook Web Access, SharePoint, Skype for Business, RD Web Access, etc. For applications that do not use IIS, integration through a software interface (web API) is possible.

2FA in VPN

Integration with VPN services is carried out over the RADIUS protocol, which is supported by the overwhelming majority of VPN security vendors, such as Cisco ISE and Citrix NetScaler. Two-factor authentication uses the Challenge-Response mechanism built into RADIUS: at the first stage, the user supplies a username and password. The RADIUS server verifies these credentials and, if they are correct, prompts the VPN user for the second factor, a one-time password. The RADIUS server is based on Microsoft Network Policy Server (a service included in Windows Server) and a special extension for 2FA.
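The two-stage exchange described above, modelled as an added example (not Indeed AM's or NPS's code): a correct password is answered with Access-Challenge carrying a State attribute, and only a second Access-Request that echoes that State within its lifetime can be accepted. The password and OTP checks are injected callbacks, and the 60-second challenge lifetime is an assumed value.

```python
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending challenge stays valid (assumed value, not from the page)


class TwoStageRadiusAuth:
    """Minimal model of RADIUS Challenge-Response 2FA (RFC 2865 State attribute).
    verify_password(user, password) and verify_otp(user, otp) are injected callbacks;
    `now` is injectable so the timeout can be tested deterministically."""

    def __init__(self, verify_password, verify_otp, now=time.time):
        self._verify_password = verify_password
        self._verify_otp = verify_otp
        self._now = now
        self._pending = {}  # State value -> (username, time issued)

    def handle(self, request: dict) -> dict:
        user = request.get("User-Name", "")
        state = request.get("State")
        if state is None:
            # Stage 1: first factor. A failure here is a plain reject; no challenge is issued,
            # so the OTP prompt itself never confirms that a password was correct to a third party.
            if not self._verify_password(user, request.get("User-Password", "")):
                return {"Code": "Access-Reject"}
            state = secrets.token_hex(16)  # unguessable handle binding stage 2 to this stage 1
            self._pending[state] = (user, self._now())
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter one-time password"}
        # Stage 2: the NAS echoes State and carries the OTP in User-Password (RFC 2865 s4.4).
        entry = self._pending.pop(state, None)  # pop: a State value is single-use
        if entry is None:
            return {"Code": "Access-Reject"}  # unknown, already consumed, or never issued
        pending_user, issued = entry
        if pending_user != user or self._now() - issued > CHALLENGE_TTL:
            return {"Code": "Access-Reject"}  # State presented for another user, or expired
        if not self._verify_otp(user, request.get("User-Password", "")):
            return {"Code": "Access-Reject"}  # wrong OTP consumes the challenge: restart at stage 1
        return {"Code": "Access-Accept"}
```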

2FA in VDI

To integrate with virtual desktop systems, two-factor RADIUS Challenge-Response authentication is used as well. It is supported by many VDI products, such as VMware Horizon and Citrix XenDesktop. With Microsoft technologies, two-factor authentication can be added to the remote computer access service at the Remote Desktop Web Access server (using IIS Extension).

2FA in Web SSO (SAML IdP)

Web single sign-on significantly increases employee efficiency by giving access to web applications after a single authentication. 2FA retains a high level of information security without compromising convenience. For integration with target systems, the SAML 2.0 authentication standard is used, which provides compatibility with a wide range of systems. The WebSSO and 2FA loop can include not only corporate on-premises applications but also cloud services such as Office 365 and G Suite (formerly Google Apps).

2FA in ADFS

ADFS authentication support allows both increasing the security of target systems with 2FA and building a Single Sign-On (SSO) solution that spares users multiple authentications during a single session. Combining the 2FA and SSO approaches significantly increases the information security level and employee efficiency at the same time.

The general scheme of the solution is given below.

Indeed AM features

Higher security level

Two-factor authentication significantly increases the protection level of a company's corporate resources. The AirKey Cloud (AK Cloud) technology provides a convenient and secure user authentication method based on cryptographically protected push notifications.

Solution flexibility

Any HOTP- or TOTP-compatible one-time password generator can be used; no restriction on application or device vendor is imposed. All supported OTP authentication technologies can be used within one infrastructure: mobile applications, OTP tokens from various vendors, SMS and email messages, and AirKey Cloud. Support for various integration mechanisms (RADIUS, SAML, ADFS, IIS Extension, Web API) makes it possible to create a unified authentication environment across all required applications.

Quick implementation

Sending OTPs via SMS and email does not require registration or any other action on the user's part, so two-factor authentication can be used immediately after the server infrastructure is installed and configured. The 2FA system uses existing user directories (AD, LDAP, SQL, etc.), which simplifies both deployment and management.

Various authentication technologies

Online and offline authentication

Indeed Access Manager supports authentication both in online mode, where an SMS message, email message or push notification with a one-time password is sent to the user, and in offline mode, where the user generates the one-time password locally with the corresponding application or hardware token.

Support for the OATH TOTP and HOTP authentication standards

The Time-based One-time Password (TOTP) and HMAC-based One-time Password (HOTP) standard algorithms are used to generate and verify one-time passwords. These algorithms are widely used in the industry and provide the required level of security and compatibility for 2FA systems, so any application or device compatible with TOTP or HOTP can be used for authentication via Indeed Access Manager.

Push notifications

The Indeed AirKey Cloud technology can be used for user authentication. It sends a push notification to the user's smartphone to confirm the login operation. The technology is based on asymmetric cryptography with private and public keys. This approach gives users a familiar and convenient way to confirm authentication and increases the security of client-server communication.

User self-service

Users are provided with a self-service web application for registering and managing the authentication technologies available to them. This gives users a convenient authentication management mechanism, accessible from any PC.

