1 Two-Factor Authentication for the Masses
Robert Gorrell – IdM Architect, Infrastructure Architecture
2 Multi-factor Authentication
Something you KNOW. Something you ARE. Something you HAVE.
3 Why 2FA? Classic answer – a high value service needs greater “assurance” of the logged in user. Revised answer – attacks are evolving at a pace traditional passwords are having difficulty keeping up with.
4 Password Policies As we attempt to strengthen passwords to meet modern threats, we are simultaneously creating more frustration with users and breeding bad practices. Takeaway? Passwords as a sole factor may not be enough, even for commodity services. Bonus… A well-planned MFA strategy could simplify/ease your password policy leading to improved user satisfaction!
5 If not Passwords, what then?
Usernames and passwords are entrenched in our computing culture. Users are not ready to replace this “comfort” with stronger and unfamiliar authentication methods: x509, smartcards, etc. Solution: Evolve slowly by combining something you know with something you have for 2-factor authentication. Challenge: Scaling something you have across every credential.
6 Enter One Time Password (OTP)
A password that is only valid for a single transaction. Good for security, bad for usability… Users can’t remember even one password! But, incorporated into 2FA, passcodes can be automatically generated by requiring access to something you have. Point of contention – if not carefully controlled, OTP passcodes could devolve into another something you know.
7 Nuances… Two-Factor vs Two-Step
Generally refers to the same thing, though stricter distinctions use the term “Two-Step” to argue that phone-based 2FA solutions are another something you know, not something you have, due to the potential for attacking the information stored on the phone.
8 2FA Implementation Strategies
“MFA for the Masses” – Often user centric, self-enrollment. SSO driven = app agnostic. Purpose: to deter phishing/man-in-the-middle attacks.
“MFA for High Value Targets” – Often service centric, forced enrollment. Direct integration = app control. Purpose: to elevate “assurance” for critical systems.
9 Identity Assurance
“The level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else”. Thought: Does MFA have value if identity assurance isn’t increased? Yes. MFA can be used as a tool for increasing assurance in an identity, but it doesn’t do so intrinsically.
10 UNCG 2FA
11 UNCG Landscape circa 2015
Long standing Google Apps deployment for faculty, staff, and students. Shibboleth SSO for web and hosted applications (including Google). AD LDAP for on-premise non-web applications. Custom password synchronization across all connected systems (including Google). 90 day password age. 8 char minimum with complexity.
12 UNCG Leadership Charge
Examine MFA for enterprise services and MFA for the secure compute tier separately, the former addressed first. MFA for enterprise services included but was not limited to Google, Box, O365, Canvas, and Banner Self Service. Additional functional requirements: Opt-in by user with capability to self-enroll or mandate usage. Ability to exempt MFA for a period of time on a known device. Multiple choices for 2nd factor, conscious of cost to end-user and University. Support logging with enterprise Splunk environment. ADA compliance.
13 MFA Evaluation Project
Evaluated: SafeNet, RSA SecurID, RSA Adaptive Authentication, Azure MFA, Duo.
Recommendation: Duo (Enterprise Edition). Based on InCommon preferred provider and discounted pricing. Integration with Shibboleth SSO and existing login flows. Support for multiple second factors including phone.
14 Compromised Account Metrics
In the 2nd half of 2015: Average 0.86 phishing attacks per day. Average 6.46 compromised accounts per day. Increase in spear phishing attacks targeting several high ranking University officials. “Detecting and Dealing with Compromised Accounts in Cloud Platforms” - Thursday, Oct 6 1:45-2:30pm
15 Anti-Phishing CampaignJanuary 7, 2016 campus memorandum from Provost, VC of Business Affairs, and VC of ITS released plans for multiple anti-phishing initiatives aimed at protecting the UNCG community.
16 February Launch
2FA is available for all (including students). Added, beginning 4/4/16, 2FA is required for some employees: “high risk” data, compromised >1, by supervisor directive.
17 Marketing
Informational flyer for new student orientation packets. Website: its.uncg.edu/2fa. Promotion as part of: password resetting page, compromised account dialogue, security awareness training.
18 Duo
19 Implementation at a glance…
Self-service user opt-in licensed for all faculty, staff and students. Initial purchase 50,000 telephony credits. Focus on two integrations: SSO (Shibboleth IdP v2.4.5) and Citrix Web Store (mycloud.uncg.edu). Policy decisions: Allow unenrolled users to pass through without two-factor authentication. Users may choose to remember their device for 15 days. Duo Push, Mobile & SMS passcodes, U2F token (no Phone Callback). Duo Mobile is the preferred 2nd factor. Hardware tokens will be made available optionally (and for a cost).
20 Enrollment Challenges
What info do we require for enrollment? Duo AD Directory Sync – only runs once a day, not sufficient for a self opt-in program. No reliable source of phone number/device information. Chicken and egg – with Google SSO’d, can’t send activation emails as 2FA would be required to retrieve them. Solution: Custom Enrollment App, but leverage Duo’s in-line self-service portal for device registration.
21 Custom Enrollment App SSO app, thereby requiring 2FA to revisit once enrolled. API call to Duo cloud immediately creating the user. Adds user to Duo_selfenroll AD group via GrouperWS for ongoing management via AD Directory Sync. API call to Duo cloud to retrieve 5 one-time-use codes the user can save/print for backup purposes. Inform user to close/reopen browser and access an SSO service to complete device registration.
22 Device Registration (Self-service portal)
Lets users remove devices, add new devices, and reactivate Duo Mobile. Can be confusing… Double authentication. Automatic Push. Remember me. Alternative? Write your own.
23 Duo Active Directory Sync
Loads users from on-premise AD into Duo cloud through use of a Duo Authentication Proxy. Can import phone numbers directly from AD or send enrollment emails if desired. Sync is performed daily at 18:00 and is non-customizable. It can however be initiated manually from the Portal. Once a user becomes managed, they cannot be modified through the Admin Portal or API. Useful for managing group synchronization (Enable, Disable, Bypass).
24 AD Groups
Duo_active = Duo_compromised + Duo_mandate + Duo_selfenroll (union).
Duo_bypass = Duo_selfunenroll complement Duo_active (Grouper composite: self-unenrolled users who are not in Duo_active).
Managed by Grouper, groups sync’ed to Active Directory where they are consumed by Duo’s AD Directory Sync. Followup Session: “Using Grouper to power cloud services” Friday Oct 7, 10:00 – 11:00am.
25 Duo Policy & Controls
Duo Policy – Scope: Global, Application (overrides Global). Settings: New User (enrollment), Trusted Devices, Trusted Networks, Authentication Methods.
Integration Settings: Duo Push Name, Enable self-service portal, Username normalization, Voice greeting, Only permit authentication from certain Duo user groups.
26 Duo Integrations
Rely on a unique integration key, secret key, and an API hostname. Duo Web Integrations: an iframe is invoked to handle the 2nd factor. Non-Web (RADIUS, LDAP, etc.): the Duo passcode is collected as a separate field or by appending it onto your 1st factor password with a comma. The words “push”, “sms”, “phone” are then typed in place of a passcode to invoke the appropriate response.
27 Duo Mobile App
Free in Google Play, iTunes, Windows Store. Also available for Apple Watch and Android Wear. Duo Push: 2FA request is “pushed” to the user’s device for acknowledgement. Requires stable Internet connectivity (wifi or cellular). Mobile Passcodes: App can act as a “soft token” generating passcodes. Once installed, no data or cell service is required to generate passcodes, offering a completely offline option.
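The "append the second factor to the password with a comma" convention from the Duo Integrations slide looks simple, but a naive split on the first comma breaks for any first-factor password that itself contains a comma, and a field with no recognisable suffix must be handed back whole rather than silently truncated. The following parser is an added illustration of that convention and is not Duo's Authentication Proxy code; the 6-8 digit passcode length and the exact factor words accepted are assumptions for the example.

```python
import re

# Second-factor directives the slide lists for non-web (RADIUS/LDAP) integrations.
FACTOR_WORDS = {"push", "sms", "phone"}
# Assumption for this example: OTP passcodes are 6 to 8 decimal digits.
PASSCODE_RE = re.compile(r"^[0-9]{6,8}$")


def split_appended_factor(password_field):
    """Split a 'password,<factor>' string into (first_factor, second_factor).

    The split is on the LAST comma so a first-factor password that itself
    contains commas is preserved. Returns (password, None) when no valid
    second-factor suffix is present, so the caller can fall back to a separate
    passcode prompt instead of treating a partial field as the password.
    """
    head, sep, tail = password_field.rpartition(",")
    if not sep:
        return password_field, None
    suffix = tail.strip().lower()
    if suffix in FACTOR_WORDS or PASSCODE_RE.match(suffix):
        return head, suffix
    # Comma present but the suffix is neither a factor word nor a passcode:
    # treat the whole field as the first factor and leave the 2nd factor unset.
    return password_field, None


if __name__ == "__main__":
    # Constructed sample inputs; none are real credentials.
    for field in ("hunter2,push", "a,b,c,123456", "hunter2", "hunter2,oops", "hunter2,SMS"):
        print(repr(field), "->", split_appended_factor(field))
```

The last case shows why lower-casing matters: a user who types "SMS" should still trigger the text-message flow rather than having ",SMS" treated as part of their password.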
28 1st Tier Support Roles All support staff have the ability to view 2FA enrollment groups via Grouper. Additionally, all have the “Help Desk” role in Duo Admin Portal to view devices associated with users. Using our existing vetting process, can issue 24-hr 2FA bypass code directly over the phone, 24x7. Cannot unenroll users from 2FA.
29 Hardware tokens
30 Why Hardware Tokens?
Perception – “2FA *IS* hardware tokens!” Security – “Hardware tokens are more secure.” Religion – “I have a phone, but I’m not going to use it.” Necessity – “I don’t own a phone.” Backup – “I don’t want to be locked out of my account if something happens to my phone.” Accessibility – “I can’t operate a phone.”
31 Universal 2nd Factor (U2F)
An open authentication standard launched in 2014 that simplifies use of 2FA through a USB hardware device (Yubikey) without special drivers. Requires an admin to globally enable this “Labs Feature” before users can use it. Supported by Chrome (> v38) and Opera (> v40). U2F Support Add-on for Firefox. Not supported by non-web based applications. Benefit: Bring-Your-Own-Token… allows users to purchase, pay for, and enroll their own U2F token.
32 HMAC-based vs Time-based OTP
HOTP (RFC 4226) – An algorithm based on an increasing counter value and a static symmetric key known only to the token and the validation service. HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)). A new value is produced with every increment of the counter.
TOTP (RFC 6238) – An implementation of HOTP where the counter is derived from the current time minus the start time, divided by the time refresh interval. TOTP = HOTP(K, T), where T is an integer representing the number of time steps between the initial counter time T0 and the current Unix time. More specifically, T = floor((Current Unix time - T0) / X), with the default OATH time step X = 30 seconds. A new value is produced only after each time step.
33 Token De-sync
HOTP tokens can generate ~20 consecutive unused events before Duo will stop accepting codes and resynchronization needs to occur. If fewer than 1000 events have passed, the end-user can resync themselves by attempting login with 3 consecutive codes; the server will silently resync. Otherwise, an admin can perform a resync from the Duo Admin Portal with 3 consecutive codes from the token. There is no resync/clock skew for TOTP tokens!
34 Duo D-100 Token
Currently a rebrand of the VASCO DIGIPASS GO-6 token in HOTP mode. Pricing: $20ea + $10 shipping fee (0-100 in quantities of 10, in quantities of 50). Ordered through Duo Admin Portal, charged to your account’s payment info, no alternative payment option or end user storefront. Benefit: 1-click ordering. Tokens arrive already imported and ready for assignment. No exposure or handling of secrets.
35 Third Party Token Procurement
Gemalto/Safenet IDProve-100 and VASCO GO-6 tokens resold by Duo can be programmed either HOTP or TOTP. Suppliers typically deliver secrets via less than ideal methods. File format may not be directly importable to Duo. Benefit: If you’re willing to take on extra work in handling secrets, hardware cost can drive down to $7-8 a token.
36 A note about Yubikey
Yubikey 4/NEO are both U2F and OTP capable. Duo supports Yubico OTP… a 44-char code vs a 6-digit code. Registering a Yubikey as an OTP hardware token requires configuration using Yubico software. Benefit: users find Yubikeys convenient to use and they provide an option for meeting 2FA accessibility.
37 UNCG Hardware Tokens
The only “bring your own” tokens are U2F. Tokens are available for purchase through partnership with the ID Card Center. Purchase requires appearing in person with photo ID. Tokens cannot be reused for outside purposes. The same token may be linked to multiple accounts, but only where the owner is the same. Tokens can be reassigned/redistributed.
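The HOTP/TOTP formulas on the HMAC-based vs Time-based OTP slide and the counter de-sync behaviour on the Token De-sync slide are easiest to see side by side in code. The block below is an added example, not code from the talk or from Duo: it implements HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) and TOTP = HOTP(K, floor((now - T0)/X)) per the RFCs, checked against the RFC 4226/6238 test vectors, and then a small server-side validator that accepts a code only within a look-ahead window, never accepts the same counter twice, and resyncs from three consecutive codes. The window sizes (20 and 1000) mirror the numbers the slide quotes for Duo but the validator itself is a constructed model, not Duo's implementation.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890"), used only for the
# published test vectors; real token secrets are random and never shared like this.
RFC_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C) = Truncate(HMAC(K, C)), RFC 4226 section 5.3."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now=None, t0=0, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP = HOTP(K, T) with T = floor((now - T0) / X), RFC 6238."""
    if now is None:
        now = int(time.time())
    return hotp(key, (now - t0) // step, digits, digestmod)


class HotpValidator:
    """Server-side HOTP state: tracks the next expected counter, accepts codes
    only inside a look-ahead window, and resyncs from 3 consecutive codes."""

    def __init__(self, key, look_ahead=20, resync_limit=1000):
        self.key = key
        self.counter = 0                 # next counter value the server expects
        self.look_ahead = look_ahead     # constructed: "~20 consecutive unused events"
        self.resync_limit = resync_limit # constructed: "<1000 events" self-resync bound

    def verify(self, code):
        """Normal login: search the window; on success move past the used counter
        so a replayed code (same counter) is refused."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, codes):
        """Silent resync: three consecutive codes anywhere within resync_limit
        events of the stored counter re-anchor the server's counter."""
        if len(codes) != 3:
            return False
        for c in range(self.counter, self.counter + self.resync_limit):
            if all(hmac.compare_digest(hotp(self.key, c + i), codes[i]) for i in range(3)):
                self.counter = c + 3
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # RFC 4226: 755224
    print("TOTP at t=59  :", totp(RFC_SECRET, 59, digits=8))  # RFC 6238: 94287082
    v = HotpValidator(RFC_SECRET)
    print("in-window login :", v.verify(hotp(RFC_SECRET, 5)))   # True
    print("replayed code   :", v.verify(hotp(RFC_SECRET, 5)))   # False
    print("token 50 ahead  :", v.verify(hotp(RFC_SECRET, 50)))  # False, outside window
    print("resync 50,51,52 :", v.resync([hotp(RFC_SECRET, c) for c in (50, 51, 52)]))  # True
```

Two details matter for a validator: comparing with hmac.compare_digest rather than == so the check does not leak timing information, and advancing the stored counter past the accepted value so that an observed code cannot be replayed. For TOTP the same hotp() function is reused with the time step as the counter, which is exactly why the slide says there is no counter resync for TOTP: the "counter" is the clock, so the only drift that can occur is clock skew.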
38 Next Steps/Futures
Mandated usage for employees. Additional integrations: Citrix Receiver, Cisco SSL VPN, Sysadmin access (Linux/pam, Windows/rdp), Windows Desktops (HIPAA), Splunk, Shibboleth IdPv3 upgrade. Secure Compute Tier – “MFA for High Value Targets”. Drive up student enrollment. Develop enrollment application into a 2FA management tool. Duo vs Unicon vs IdPv3.3 Step-Up Authentication. Mandatory student MFA – northwestern.edu, nyu.edu (one school), emory.edu (off campus), princeton.edu, uth.tmc.edu (application basis), vt.edu, Miami.edu
39 Questions? Robert Gorrell Join the InCommon discussion: