Welcome, and thank you for your interest in PortalGuard's Flexible Two-factor
Authentication options for cloud and web-based applications.
By the end of this tutorial you will be able to define PortalGuard,
understand the need for two-factor authentication,
learn about PortalGuard’s two-factor authentication options,
see the step-by-step
authentication process,
and know the technical requirements of the PortalGuard software.
So what is PortalGuard?
The PortalGuard software is a Contextual Authentication platform
which is focused on enhancing usability,
while maintaining a balance between security, auditing and compliance
for your web, desktop and mobile applications.
Developed and supported by authentication experts,
PortalGuard is easy to deploy,
enterprise ready and tailored for an exact fit to your requirements.
To provide you with flexible options,
PortalGuard offers multiple authentication methods
which offer increased usability, such as single sign-on and password
synchronization,
and increased security,
with two-factor or contextual authentication.
Before going into the details I wanted to highlight some of the unique offerings
of PortalGuard’s two-factor authentication.
This way if you already understand the concept of two-factor authentication,
you can understand exactly what it is that makes PortalGuard different.
I’d like to first call out the flexibility that PortalGuard offers
because you are able to configure the authentication methods
for each user, group or application.
Also, PortalGuard not only focuses on strengthening authentication around the
basic login,
but also provides two-factor authentication as a method for users to perform
self-service password resets, recoveries and account unlocks.
Keeping your needs in mind,
PortalGuard is cost effective
and can be tailored to your exact requirements with our tailored
authentication,
where we extend the product framework
to give you an exact fit, and deliver it as a fully supported product, not custom
code.
Cloud or web-based applications contain functionality to read, edit and search
data
at all levels of sensitivity across multiple industries.
The access point for these applications is the login screen
where you typically provide a username and password to prove your identity.
This is normally sufficient to prove you are authorized and therefore granted access to
company applications and data.
Although an integral part of authentication,
passwords are inadequate for today's web-based applications. They are easily
exploited by unauthorized users who find new methods of stealing passwords
and impersonating authorized users.
Two-factor authentication is used to increase security by requiring you to provide
"something you know",
such as a password,
and "something you have", such as a laptop or mobile phone.
The use of two distinct authentication factors
helps eliminate an organization's security concerns
around granting access based on a single, knowledge-based factor.
Many choices in the market strengthen your authentication, to prevent unauthorized
access, by providing two-factor authentication.
Two-factor is an acceptable way to increase security;
however,
inflexibility and low usability
have proven to be barriers for many organizations with the primary barrier
being high total cost of ownership
in today’s economic climate.
Token-based approaches are expensive and problematic when hardware is forgotten,
needs repair or replacement.
PortalGuard avoids these barriers by providing a flexible and cost-effective
approach
which is easily accepted by users.
Increasing in popularity, a one-time password (OTP)
is a password that is valid for only one login session or transaction.
OTPs avoid a number of shortcomings of static passwords, including
susceptibility to replay attacks.
If a potential intruder manages to record an OTP that was already used to
log into a server,
he or she will not be able to reuse it since it will no longer be valid.
The traditional method of delivering an OTP via a hard token or key fob
has fallen out of favor due to cost and usability issues.
Use of "soft tokens", like mobile phones,
has supplanted it.
PortalGuard not only leverages the user’s mobile device,
but with its unique offering of transparent tokens,
leverages the user’s laptop as well.
A transparent token can be made up of several different types of parameters,
including a random number, device serial numbers
and/or Active Directory identifiers.
Together these will make up the OTP
which is then encrypted and passed from the client machine to the PortalGuard server.
With PortalGuard you can deliver an OTP via SMS, email, printer or
transparent token to achieve two-factor authentication.
For SMS delivery, PortalGuard leverages telephone companies' SMTP-to-SMS
gateways.
These gateways are a free service maintained by the telephone companies
to allow an email sent via SMTP to be delivered to a user's phone as SMS.
Leveraging these services allows PortalGuard to be deployed quickly and
cost effectively.
When evaluating which delivery method or methods are best for your organization,
it is important to consider the following:
How well does this method prevent passive and active attacks?
What is this going to cost, including the initial cost, device cost and cost per transaction?
Is support and maintenance required and if so how much?
Does it require client-side software?
And how easy to use and portable is the delivery device?
All methods have both their strengths and weaknesses,
and asking these questions will help you determine what's best for your
organization.
PortalGuard's flexibility, unique features and options around two-factor
authentication
give you tangible benefits, which include:
increased security, by adding an extra layer of authentication to application access;
reduced risk and prevented attacks, by leveraging credentials which expire
after one use;
increased usability, by leveraging hardware a user already has, for increased
user adoption;
and eliminated forgotten passwords, by leveraging a username and OTP only as
credentials.
PortalGuard is also configurable down to the user, group or application levels.
Flexibility is key with PortalGuard, as it provides many OTP delivery
methods and authentication options.
Once two-factor authentication becomes a requirement,
the user will be prompted to enroll their mobile phone.
PortalGuard provides flexibility around this process
by allowing you to configure whether the enrollment will be forced or able to be
postponed "x" number of times by the user.
This increases the usability for users, giving them options around a process
many find intrusive and blocking.
Phone enrollment can also be automated by importing the data from any current corporate
data source.
As seen in the dialog box
the user is required to provide their username, password, phone number
and provider
to complete the enrollment process.
Let’s step through the two-factor authentication process for the end-user.
PortalGuard’s login screen is presented when a user visits the web-application.
This login screen can be fully customized to match your organization’s
branding,
creating a seamless experience for the user.
The user enters their username and clicks "Continue."
The PortalGuard server sends the OTP to the user’s mobile phone
within 5-10 seconds, in the form of an SMS.
NOTE: PortalGuard can send the OTP via SMS, email,
printer
or transparent token.
The user is prompted for a password and OTP.
The user then enters the OTP they received
and clicks "Log On."
Now the user gains access to the web-application and data.
This is an example
of a user attempting to use an expired OTP that was never used.
Once the expired OTP is entered,
the user is denied access and prompted to cancel the process
or request a valid OTP.
However if the user attempts to reuse a used OTP
or an unauthorized user is attempting to perform a replay attack,
PortalGuard will display a dialog showing
"Incorrect OTP Provided"
if strikeouts are disabled.
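As an added example, not PortalGuard's code, here is a minimal server-side OTP store in Python that reproduces the behaviour just described: a consumed OTP is rejected as incorrect (the replay case), an unused OTP past its time-to-live is reported as expired so the user can request a new one, and the OTP length and character classes are policy settings like the ones the tutorial lists next. The `OtpPolicy` and `OtpService` names and the default policy values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

@dataclass
class OtpPolicy:
    # Constructed policy knobs mirroring the tutorial's settings; not PortalGuard's code.
    ttl_seconds: int = 300  # expiration, aka "time-to-live"
    length: int = 8
    uppercase: bool = True
    lowercase: bool = False
    numeric: bool = True
    symbols: bool = False

    def alphabet(self) -> str:
        classes = [(self.uppercase, string.ascii_uppercase), (self.lowercase, string.ascii_lowercase),
                   (self.numeric, string.digits), (self.symbols, "!@#$%&*")]
        chars = "".join(s for on, s in classes if on)
        if not chars:
            raise ValueError("policy enables no character classes")
        return chars

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class OtpService:
    def __init__(self, policy: OtpPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._issued: dict[str, tuple[str, float, bool]] = {}  # user -> (hash, issued_at, used)

    def issue(self, username: str) -> str:
        code = "".join(secrets.choice(self.policy.alphabet()) for _ in range(self.policy.length))
        # Only a hash is kept server-side, so a leaked store does not expose live codes.
        self._issued[username] = (_digest(code), self.clock(), False)
        return code  # the value that would be delivered by SMS, email, printer or token

    def verify(self, username: str, submitted: str) -> str:
        rec = self._issued.get(username)
        if rec is None or not hmac.compare_digest(rec[0], _digest(submitted)):
            return "incorrect"
        digest, issued_at, used = rec
        if used:
            return "incorrect"  # replay of a consumed OTP: "Incorrect OTP Provided"
        if self.clock() - issued_at > self.policy.ttl_seconds:
            return "expired"  # unused but past its TTL: user must request a new OTP
        self._issued[username] = (digest, issued_at, True)  # consume it
        return "ok"
```

In a real deployment the per-user record would live in a shared store and failed attempts would feed a strikeout counter, which this example omits.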
All the following settings are policy specific, so you can have different
values for different users/groups/hierarchies.
Features that are configurable through the PortalGuard Configuration Utility
include:
expiration, aka "time-to-live" (TTL);
length;
and format, including uppercase, lowercase,
numeric and symbol characters.
The delivery format is also configurable, including the From, Subject and Body fields.
Implementation of the PortalGuard platform is seamless and requires no changes to
the Active Directory/LDAP schema.
A server-side software installation is required on each IIS server for which
PortalGuard’s authentication functionality
is desired.
Additional client-side software is required for use of contextual authentication
and/or transparent tokens.
An MSI is used to install PortalGuard on IIS versions 6 or 7.
The MSI is a wizard-based install which will quickly guide you through the
installation.
This version of PortalGuard supports direct access and authentication to
cloud/browser-based applications only.
PortalGuard can be installed directly on the following web servers,
most commonly on IIS.
The PortalGuard Web server also has the following requirements on Windows
operating systems.
PortalGuard is fully supported for installation on virtual machines
and can currently be installed on the following platforms.
Thank you for taking the time to learn more about PortalGuard’s Flexible Two-factor
Authentication Options.
Please click the Attachments button
at the top of this tutorial for a copy of this content in PDF.
For more information please visit PortalGuard.com.