
Upload: ilana-belfer

Post on 22-Aug-2015


YOUR BUSINESS IS UNDER ATTACK: Why it’s in danger and how to keep it safe with two-factor authentication (2FA)

LoginTC 2FA Solution Guide | 2015

COPYRIGHT © 2015 LOGINTC | LOGINTC 2FA SOLUTION GUIDE

CONTENTS

INTRODUCTION
THE PROBLEM
THE SOLUTION
CHOOSING A 2FA PROVIDER
INTRODUCING LOGINTC
BEST PRACTICES FOR IMPLEMENTATION AND DEPLOYMENT
NEXT STEPS
CONCLUSION


INTRODUCTION

Watch out – your business or organization is under attack! No, perhaps not this instant. But, with hackers lurking at every virtual corner, and with millions of hack attempts taking place each day, the threat of cyber-warfare is ever-real and always present.

Not convinced? Take this challenge: Try to go a single day without encountering word of a cyberattack in the news. Unfortunately – from Twitter to Sony and the New York Times – in the modern digital age, that’s simply not possible.

Security breaches aren’t reserved for high-profile corporations, either. Cyber criminals don’t discriminate based on size or status – they capitalize on vulnerabilities. And password-only identification for access to corporate resources (such as a VPN, portal or web app) is a major vulnerability.

Luckily, there’s a solution to the flimsy passwords of the past. The future of access and identity management is a cybersecurity system called two-factor authentication (2FA). In this whitepaper, we’ll explain what 2FA is, outline the different types of 2FA providers, and show you how to leverage 2FA to protect your business or organization.

Just remember the bottom line: You’ve worked hard, and that’s not worth risking. The Web, like the real world, is full of opportunity; but it’s also full of dangers that must be taken into account. Implementing 2FA can be simple, scalable, cost-effective, and highly secure… if you do it properly. Keep reading and this White Paper will give you the insight you need to do just that.

THE PROBLEM

Your business or organization relies on certain essential tools to function day-to-day. For instance, maybe employees access important documents or email through a corporate portal, or work remotely and connect to an office VPN (virtual private network). Maybe there’s an e-commerce component to your company that runs on a content management system, such as WordPress. These resources are necessary but they are not secure. Without proper protection, they act as points of entry, or holes in your defensive armour. Cyber attackers are constantly scavenging the web in search of such holes – seeking login information they can use for their own malicious purposes, maiming your company in the process. This can result in bad PR, lost revenue, angry customers and debilitated systems.


Here are some examples of the ways hackers take advantage of access-related vulnerabilities in order to break into your corporate resources and steal your digital assets.

Passwords: The “death of the password” is a hot topic right now – and rightfully so, as the public realizes conventional username/password login systems are flawed. With so many accounts to manage, some days it seems as though there’s less memory space in our brains than on our servers.

So, people opt for easy-to-remember passwords (believe it or not, studies show that the most popular passwords tend to be “Password” and “123456”). However, easy passwords are easy to crack. Users who lean toward more complex passwords may be tempted to use the same passwords across multiple accounts, turning a single breach into a massive catastrophe. Besides, what good does a strong password do once it’s stolen? Through these means, hackers gain the credentials they need to compromise numerous accounts at a time.

Developments in black-hat “magic”: Black-hat (or bad guy) computer experts are growing smarter, finding new and increasingly sophisticated methods with which to carry out online crime. Cracking passwords is not just about brute force (computer-generated trial and error). There are also:

• Phishing Attacks – Hackers use email, SMS and fake websites to masquerade as trustworthy entities.

• Malware / Trojan Horse Attacks – Harmful viruses, often disguised as benign files, that get downloaded onto your PC for purposes like key logging.

• Man-in-the-Middle Attacks – Session hijacking in which an unwanted impersonator intercepts an active online session.

• And more.

BYOD / Remote Access: A rising number of businesses are adopting the BYOD (bring your own device) model, turning smartphones and tablets into both a consumer and corporate standard. At the same time, remote work is becoming more commonplace.

However, this means IT administrators managing access to digital workforce assets are overseeing more foreign users and devices than ever before. This leaves a lot of room for vulnerability due to the introduction of insecure environments.


THE SOLUTION

What is two-factor authentication? As its name suggests, two-factor authentication (2FA) requires that two independent factors be present in order for a login or “authentication” to take place.

The user must possess two kinds of credentials:

1. Something they know (a traditional PIN or password known only to the user)

AND

2. Something they have (an item only the user possesses, such as a token or mobile phone)

Conclusion: When 2FA is enabled, even if passwords are cracked via an exploited vulnerability, it would still not be possible for hackers to access unauthorized accounts because they would not be in possession of the second factor credential, whatever the item may be. 2FA provides an added layer of protection and security.

CHOOSING A 2FA PROVIDER

Not all two-factor authentication solutions are created equal. Here are some common methods of deployment:

Hardware Tokens: Typically carried on a key ring as a key fob, hard tokens generally display a random number that changes periodically at fixed intervals, known as a one-time password (OTP). The user enters this number for access, proving to the server that s/he has the token and thereby verifying his/her identity. Hard tokens can also take the form of smart cards or a USB dongle.

Software Tokens / App-Based OTPs: OTPs (one-time passwords) do not always involve a hard token. There are software versions, too, wherein the dynamic authentication code is stored and displayed on a computer or in an app on a smartphone or tablet.

SMS-Based One-Time Passwords: Mostly known as 2-step verification (as opposed to 2-factor authentication), some 2-stage access systems operate by sending a code to a user’s phone via SMS.


Push Notification Alternatives: Emerging mobile 2FA alternatives use 3G/4G or wireless push notification networks, rather than SMS or OTPs, to send access requests to a user’s mobile device (smartphone or tablet), which the user can then approve or deny.

If you are considering safeguarding your business or organization by implementing two-factor authentication, it would be wise to start by asking yourself the following 10 questions before selecting a 2FA provider:

1. Does the solution provide a high quality of security and protection?

2. Does the solution help us achieve compliance where necessary?

3. Does the solution require that we purchase and adopt any additional hardware?

4. Would the solution integrate well with our current infrastructure and practices?

5. Does the solution offer choice – both for the end-user in terms of what device they will use for 2FA, diminishing the adjustment period, and for the admin in terms of how s/he will manage it?

6. If the solution is SMS-based, how is the problem of poor network coverage resolved?

7. Is the solution simple or complex (time consuming) to set up?

8. Is the solution simple or complex (time consuming) to manage once implemented?

9. What are the costs associated with this solution and how do they compare to other solutions?

10. Is there help and support available regarding this solution if needed?


INTRODUCING LOGINTC

What happens when you take the best elements of 2-factor technology, leave out the flawed aspects, and add enhanced security measures? You get LoginTC, which falls into the “Push Notification Alternatives” camp. This means LoginTC provides high-security two-factor protection without requiring any additional infrastructure. It also does away with cumbersome text messages and OTPs, heightening security and improving user experience. Instead, LoginTC leverages something you already have (especially in a BYOD – bring your own device – environment): a mobile phone, tablet or Google Chrome. This makes deployment simpler for everyone involved and much less expensive.

#1 in 2-Factor Authentication. Protect what matters with LoginTC.


How it works:

End-users, who have been registered and provisioned by your administrator, download the LoginTC app on the mobile device or desktop of their choice. To log in to a LoginTC-protected asset (e.g. VPN), users enter their usual information (username/password) in the usual login form. A wireless notification is then pushed to the user’s device so the user can easily and instantly approve or deny the access request, identifying him/herself while mitigating fraud in three simple steps: receive, decide, unlock. The LoginTC app also acts as an identity credential manager that can be used for multiple LoginTC credentials.

RECEIVE. DECIDE. UNLOCK.
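The receive/decide/unlock flow described above, as an added example that is not code from this guide or from LoginTC’s product: a small Python model of the server side of a push-based second factor. A correct password does not unlock anything by itself; it only creates a pending access request, carrying the contextual information the user will see, and pushes it to the single device enrolled for that user. The request unlocks only when that device returns a signed "approve" decision before the request expires; a decision from any other device, a tampered signature, a second decision on the same request, or a late one is refused. The per-device key, the HMAC-signed response, the 60-second lifetime, the user names and the context fields are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Device:
    """A user's enrolled device; `key` is a per-device secret set up at enrollment (assumed)."""
    device_id: str
    user: str
    key: bytes


@dataclass
class AccessRequest:
    request_id: str
    user: str
    device_id: str   # the one device allowed to answer this request
    context: dict    # what the user sees before deciding (resource, source IP, ...)
    created: float
    status: str = "pending"  # pending -> approved | denied | expired


def device_sign(device: Device, request_id: str, decision: str) -> str:
    """What the app computes when the user taps approve or deny: HMAC over (request, decision)."""
    return hmac.new(device.key, f"{request_id}|{decision}".encode(), hashlib.sha256).hexdigest()


class PushAuthServer:
    TTL = 60.0  # seconds a pending request stays answerable (assumed value)

    def __init__(self):
        self._pw = {}        # user -> (salt, PBKDF2 hash of the first factor)
        self._devices = {}   # user -> Device: exactly one device per user
        self._requests = {}  # request_id -> AccessRequest
        self.outbox = []     # simulated push channel: (device_id, request_id, context)

    def enroll(self, user: str, password: str, device: Device) -> None:
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self._devices[user] = device

    def _first_factor_ok(self, user: str, password: str) -> bool:
        if user not in self._pw:
            return False
        salt, digest = self._pw[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def login(self, user: str, password: str, context: dict, now: float = None):
        """Step 1 (receive): a correct password only produces a pending request and a push."""
        now = time.time() if now is None else now
        if not self._first_factor_ok(user, password) or user not in self._devices:
            return None  # nothing is pushed, so a wrong password never reaches the user's device
        device = self._devices[user]
        req = AccessRequest(secrets.token_urlsafe(16), user, device.device_id, dict(context), now)
        self._requests[req.request_id] = req
        self.outbox.append((device.device_id, req.request_id, req.context))
        return req.request_id

    def respond(self, device_id: str, request_id: str, decision: str, signature: str,
                now: float = None) -> str:
        """Step 2 (decide): accept exactly one signed decision from the bound device, in time."""
        now = time.time() if now is None else now
        req = self._requests.get(request_id)
        if req is None or req.status != "pending":
            return "rejected"          # unknown request, or already answered
        if now - req.created > self.TTL:
            req.status = "expired"
            return "expired"
        if device_id != req.device_id or decision not in ("approve", "deny"):
            return "rejected"          # only the enrolled device may answer
        expected = device_sign(self._devices[req.user], request_id, decision)
        if not hmac.compare_digest(expected, signature):
            return "rejected"          # decision was not produced with the device's key
        req.status = "approved" if decision == "approve" else "denied"
        return req.status

    def is_unlocked(self, request_id: str) -> bool:
        """Step 3 (unlock): the protected asset admits the session only on an approved request."""
        req = self._requests.get(request_id)
        return req is not None and req.status == "approved"
```

Two design points worth noting: the push is sent only after the first factor succeeds, so password guessing does not generate a stream of prompts on the user's phone, and the request records which device is allowed to answer it, which is the server-side half of the one-to-one device binding the next section lists as a LoginTC advantage.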


BEST PRACTICES FOR IMPLEMENTATION AND DEPLOYMENT

We wish we could say transitioning to a new security system is as straightforward as rebooting a PC, but we can’t. It involves planning and maintenance. However, there are things that can make the process as quick and painless as possible. That’s especially true with LoginTC:

LoginTC Advantages:

• Enterprise grade

• Cloud-based (no additional hardware)

• Leverages your pre-existing infrastructure, virtualization and mobile investments

• Highly scalable (yes – even for millions of users)

• Leverages 3G/4G or Wi-Fi push networks to send push notifications (rather than SMS or OTP)

• More secure and reliable than SMS networks

• More convenient (single-screen elegance, no race against the clock)

• Works worldwide without possibility of incurring charges

• No SMS codes or OTPs which can be copied to other devices

• Mobile devices much less likely to be lost than hard tokens

• Cuts cost of replacing tokens

• No need to keep extra stock in inventory

• Reduces administrative headaches

• No expiry

• Secure Remote Password (SRP) protocol

• Pads SSL/TLS for further protection

• 1:1 correlation between LoginTC and the mobile device to mitigate phone cloning

• No Personally Identifiable Information (PII) required

• Can integrate with your current fraud detection system

• Provides dynamic contextual information for real-time threat alerts

• PCI DSS, HIPAA and FFIEC compliant

• Customers range from SMB to enterprise (including LTG Federal, Infostrada and Harlequin) as well as important government organizations


Choice: With LoginTC, everyone has a choice. End-users decide whether to utilize their smartphone (iOS, Android or BlackBerry) or their desktop via Google Chrome. Administrators decide whether to provision a PIN or passcode, what pictogram and contextual information will be displayed alongside access requests, and what method of user enrollment works best for them.

Easy Installation/Configuration: There is detailed documentation on the LoginTC website, which provides step-by-step instructions on how to best install and configure LoginTC 2FA, including specific instructions customized for popular platforms such as Cisco ASA, OpenVPN, WatchGuard, SiteMinder, OpenAM, Unix SSH, Drupal, WordPress, Joomla, and more.

Web-based Graphical User Interface (GUI): LoginTC recently made the installation/configuration process even simpler for administrators by eliminating the need for flat configuration files and text-based commands, replacing them instead with a dynamic web interface for browsers. This reduces the time commitment required by admins for set-up by 80%.

Painless Integration & Management: User management is made easy through the cloud-based LoginTC Admin Panel. There are several options for enrollment so that LoginTC best integrates with your existing practices, including: self-registration, bulk uploads, syncing with LDAP/Active Directory (AD), or using the REST API. LoginTC supports federation systems.

Cost-Effective: No hefty annual software license renewal fees, per-token fees or overhead costs. LoginTC keeps it under $1.50 a month (per user), is free under 10 users, and offers substantial volume discounts.

Customer Service: If all else fails, the LoginTC team is available by phone and by email to provide support. Email [email protected] and expect a speedy reply!


NEXT STEPS

Get started today. Try a free demo by visiting https://www.logintc.com/demo/ or begin a free trial right away: https://cloud.logintc.com/panel/register.

CONCLUSION

Password-only protection is no longer enough! Choose a two-factor authentication solution that’s simple to use, scalable, cost-effective and highly secure.

Whatever your infrastructure – whether your digital assets / corporate resources are accessed via virtual private network (VPN), web access management system (WAM), identity and access management system (IAM), or content management system (CMS) – we believe LoginTC is the answer. LoginTC is readily available to begin working with you to provide top-of-the-line cloud-based two-factor authentication for mobile or desktop that meets all of your needs.

LoginTC is developed by Cyphercor Inc., which develops and delivers mobile and browser security solutions that enable two-factor authentication credentials. Cyphercor’s strong authentication approach offers unprecedented capabilities to smartphone, tablet, and browser users and security conscious organizations.

Cyphercor helps users and organizations meet or exceed their security and business goals by providing mobile and browser solutions that:

• protect digital identities with encryption and safe transactions

• deliver free and easy to use apps to access cloud and business applications

• deploy and enable in minutes

For more information, visit www.logintc.com or email [email protected]

Copyright © 2015 Cyphercor Inc. All rights reserved. LoginTC and its families of related marks, images, and symbols are the exclusive properties of Cyphercor Inc.