Author: Chris

If HTML5 doesn’t work, you’re probably using IE. Sounds like a biased joke, doesn’t it? Well, in some respects it’s 100% correct.

Adrian Bateman, a program manager at Microsoft’s ID group, once stated that they flat out don’t want to conform to the HTML5 <keygen> specification. As a matter of fact, they want it removed. (REFERENCE)

Basically, it boils down to this: they think that if you use your browser to enroll for a certificate through HTML5 it’s somehow not secure. Better to just log into a domain and get a cert pushed down to your PC behind the scenes? We’ve been through this argument many times: if you get a certificate pushed down to your PC from your CA just by logging into the domain, it’s really good for nothing more than device identification. It shouldn’t be used for validation of a user, ever.

Why does the fact that Microsoft doesn’t conform to the HTML5 spec bother us? Well, it doesn’t really, because we’re typically using Chrome, or Firefox, or even sending letters via the USPS. But what is ironic is this: you can get a certificate using Chrome and then use that same certificate in IE for user authentication. Are you seeing the humor here?

So, the main argument from Adrian is that it’s too insecure to allow users to enroll for a certificate in IE. Sounds like the reason the domain admin didn’t want to allow iPads on the network, right? Well, SecureAuth is now able to walk users through an enrollment process that not only ensures a user’s identity via the information they have in Active Directory, but can now create certificates in your browser’s store via HTML5, as long as you’re using an intelligent browser like Chrome, Firefox or Safari. If you still want to use IE you’ll still have to utilize the ActiveX controls, until Microsoft brings IE into 2012 and beyond.


Categories: Blog

Author: Chris

SecureAuth is pleased to release the first enterprise-grade variable authentication service that’s deployable with an iApp.

What’s a Variable Authentication Service? It’s SSO and/or 2-Factor to your SaaS applications, VPN or whatever you’d like! It’s easy to use and deploy 2-Factor authentication for users trying to access your SharePoint, Citrix or webtop deployment. It’s also something that can consume authentication from inside of the F5 APM to perform SSO to cloud applications. Let’s just say, it’s the yin to the F5 yang.

What’s so great about an iApp? The iApp is a concept created by F5 that allows you to quickly deploy something. Why spend hard-earned cash that you might or might not have trying to reinvent the wheel? F5 has iApps for just about anything you’d care to deploy: Citrix, SharePoint, Exchange, Oracle, SAP, PeopleSoft and many more. (REFERENCE) Now you can use an iApp that’s been co-developed with some of the brightest minds at F5 to quickly secure your applications with 2-Factor authentication. Basically, these iApps are there to make you look like a superstar. Look for a video soon demonstrating how to install and use the iApp!

F5 iApp on DevCentral

SecureAuth hosted iApp


Categories: Blog


03/22/2012 – BYOD – “Bring Your Own Device!” 2012 is the year of iPhone, iPad, Android, Amazon Kindle, Barnes & Noble Nook, etc! SecureAuth and F5 show how to secure all your apps, cloud and web, to these devices!


Categories: Webinar Videos

Author: Garret

A year ago, on March 18th, 2011, RSA announced that a hack had occurred on their facilities that compromised the security of the RSA SecurID tokens. RSA’s executive chairman, Art Coviello, released an open letter which confirmed the breach of their security systems and revealed that the breach had been an attack on the SecurID authentication system, deployed at over 25,000 customers.

Image #1: RSA revealed on March 18th, 2011, that information concerning the SecurID authentication products had been attacked.

A year later: Where Are We Now?

Seriously. Many of the articles after the hack revealed what security types had already been saying for years (Bruce Schneier in the lead): the basic underlying premise of sending OTP codes for 2-Factor authentication is susceptible to simple Internet attacks, including Man-in-the-Middle attacks.

(After the attack, I even demonstrated to an assembled team of one of the largest security firms in America, FishNet Security, how easy it is to set up a Man-In-The-Middle (MITM) attack on RSA SecurID tokens. FishNet was so impressed by what was shown, they began to not only sell SecureAuth, but also use SecureAuth as a more secure and easier-to-use way of providing 2-factor authentication for their own remote access.)

SecurID Does NOT Protect Against Modern Internet Attacks

SecurID, and other OTP token methods, do NOT protect against modern hacker mechanisms such as man-in-the-middle attacks. Modern hackers know that methods such as hard tokens (and OTP mechanisms like phone delivery systems) just send identity information without validating the authenticity of the relying party the user is trying to access. In other words, unless a person can guarantee that they are sending the OTP, the password or even a RETINA scan to the correct server that’s supposed to be receiving this information, that user might as well be handing the hacker his username/password, because simply using SecurID or any OTP type of security will not protect him from a hacker taking his credentials from his web session.

What has been known to elevate internet security is a system that is capable of:
  • Authenticating the veracity of the user
  • Authenticating the veracity of the authentication party
i.e., bilateral authentication. (See image #2)

Image #2: RSA SecurID, and all the hard and soft token solutions, never addressed the issue of bilateral authentication, or: who am I passing my credentials to?

So What Does Solve the Client-Internet-Server Security Issue?
The industry has known how to solve the client-server authentication issue since the ’80s with PKI (i.e., the exchanging of key information for the purpose of bilateral (client/server) authentication). With bilateral authentication, a user is assured of the veracity of the authentication party by a cryptographically non-refutable request/response sequence between the client and the server. The actual exchange rests on cryptographic numbers (hexadecimal) stored as public and private keys.
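To make the contrast between the unilateral OTP flow criticised above and the bilateral request/response just described concrete, here is a small model of both, written for this page as an added example (it is not code from the original post or from SecureAuth). The post’s mechanism is PKI with public and private keys; to stay inside the Python standard library this model substitutes an HMAC over a per-user secret for the signature, which preserves the property that matters: each side’s proof is bound both to a fresh nonce and to the identity of the peer it is actually talking to (modelled here as a certificate fingerprint the client observes on its transport). The user secret, the two fingerprints and the counter value are all constructed for the example. The HOTP helper follows RFC 4226.

```python
"""Toy model: a relayed OTP is accepted by the real server, a channel-bound
bilateral challenge/response is not. Added example, not the post's own code.
All secrets and fingerprints below are constructed for the illustration."""
import hashlib
import hmac
import secrets
import struct

# Per-user secret provisioned out of band (constructed).
USER_SECRET = b"constructed-shared-secret-for-alice"

# Identities the client observes on its transport, e.g. the fingerprint of
# the TLS certificate it connected to. A relay terminates the client's
# connection with its own certificate, so the client sees MITM_ID instead
# of SERVER_ID. Both are constructed values.
SERVER_ID = hashlib.sha256(b"real-server-cert").hexdigest()
MITM_ID = hashlib.sha256(b"relay-proxy-cert").hexdigest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. The code depends only on the secret and a counter;
    nothing about the destination is mixed in, which is the whole problem."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_login_through_relay(counter: int) -> bool:
    """Unilateral OTP: the client hands its code to whatever endpoint it
    reached; a relay forwards the code unchanged and the real server,
    which only checks secret + counter, accepts it."""
    code_given_to_relay = hotp(USER_SECRET, counter)
    relayed_code = code_given_to_relay  # forwarded verbatim
    return hmac.compare_digest(relayed_code, hotp(USER_SECRET, counter))


def client_proof(secret: bytes, server_nonce: bytes, peer_id_seen: str) -> bytes:
    """Client's response: bound to the server's nonce AND to the identity of
    the peer the client actually connected to."""
    msg = b"client|" + server_nonce + peer_id_seen.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_proof(secret: bytes, client_nonce: bytes, own_id: str) -> bytes:
    """Server's response to the client's nonce, bound to the server's own
    identity so the client can check it against the peer it sees."""
    msg = b"server|" + client_nonce + own_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def bilateral_login(peer_id_seen_by_client: str) -> dict:
    """Run the mutual exchange with the client connected to a peer whose
    identity it observes as peer_id_seen_by_client. The real server always
    verifies against SERVER_ID; a relay cannot change that, and it cannot
    recompute either proof without USER_SECRET."""
    server_nonce = secrets.token_bytes(16)
    client_nonce = secrets.token_bytes(16)

    # 1. Client proves itself, binding the proof to the peer it sees.
    proof_c = client_proof(USER_SECRET, server_nonce, peer_id_seen_by_client)
    server_accepts = hmac.compare_digest(
        proof_c, client_proof(USER_SECRET, server_nonce, SERVER_ID))

    # 2. Server proves itself with its own identity baked in; the client
    #    checks the proof against the identity of the peer it sees.
    proof_s = server_proof(USER_SECRET, client_nonce, SERVER_ID)
    client_accepts = hmac.compare_digest(
        proof_s, server_proof(USER_SECRET, client_nonce, peer_id_seen_by_client))

    return {"server_accepts_client": server_accepts,
            "client_accepts_server": client_accepts}


if __name__ == "__main__":
    print("relayed OTP accepted by real server:", otp_login_through_relay(7))
    print("bilateral, direct connection:      ", bilateral_login(SERVER_ID))
    print("bilateral, through a relay:        ", bilateral_login(MITM_ID))
```

Run directly, the first line reports True and the last reports both checks False: the relay forwards the client’s proof untouched, but that proof was computed over the relay’s own fingerprint, so the real server rejects it, and the server’s proof carries the real fingerprint, so the client rejects it too. In a PKI deployment the HMAC is replaced by a signature with the party’s private key, and the peer identity comes from the verified certificate chain rather than a constructed hex string.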

And…

The systems were never implemented in mass markets because they were too difficult to scale. I know this for a fact because I worked for RSA in the ’90s. When we explained how PKI worked and why it was imperative for secure Internet commerce, the “too difficult” response was always cited as the reason why PKI was not accepted in the mass market.

It was a simple business decision. When things are too costly, industry looks for alternative ways that are not as good. In response, the industry bought technology like SecurID when companies wanted to “be secure”, or at least show they were trying to be secure. (Like the public-facing financial Internet site that uses RSA SecurID, which we showed can be hacked by a simple MITM proxy.)

And what has happened?

Well, now the world is nothing but client-server authentication across the internet, most of which is done over public channels (e.g. a browser to a public facing web server). The move to the cloud, intelligent as it may be for cost-savings and efficiency, has greatly advanced this type of communication.

…And the hackers – are having a field day. (See image #3)

Image #3: Hackers have taken advantage of the fact that most authentication (UserID/Password, SecurID and other token mechanisms) is unilateral, and thus susceptible to Man-in-the-Middle (MITM) attacks.

So What Can Be Done?
The problem remains the same, regardless of what new pieces we add to the puzzle (in image #2, mobile devices on the left side and “Cloud resources” on the right-hand side). We need a mechanism to ensure the veracity of both:

  • The Client (Desktop, Mobile, Tablet)
  • The Server (Enterprise, Cloud, SaaS, PaaS)

And now, more than ever, a browser-based solution.

This is exactly what SecureAuth has developed:
  • SecureAuth is a bilateral, browser-based authentication system that validates the LEFT (Client) and RIGHT (Server) side of the authentication BEFORE passing a “Green Light” signal to the relying party (Enterprise and/or Cloud-based resources). (See image #4)

The SecureAuth solution solves this authentication problem by:

  • Automatically issuing a cryptographic credential to the user
    • For Desktop
    • For Mobile
  • Authenticating via the SecureAuth solution
    • On Premise or
    • In the Cloud
  • Passing the identity
    • To an on-premise resource (web, VPN)
    • To a cloud resource (Google, Salesforce, Workday, SuccessFactors, Amazon, etc.)

SecureAuth: Bi-Lateral Authentication that Solves MITM Attacks

Image #4: SecureAuth addresses the issue of bi-lateral authentication by conducting a client AND server authentication during the authentication process.

Why is this more relevant than ever in 2012?
The world is moving to a pure browser-server world, with the browser being the client of choice regardless of the device being used for access. (Google is adding over 5,000 customers A DAY in 2012 on its browser-pure Google Apps cloud system.)

The world is in need of a new authentication system. A system that can deliver strong authentication that meets today’s regulations (PCI DSS, NCUA, FFIEC, HIPAA/HITECH) despite the fact that users are not necessarily part of any domain, can request access from any location, can use any device, and will access not just internal enterprise resources, but also cloud-based resources.

The world needs SecureAuth. Contact us – and we will tell you more!

Technical Explanation of SecureAuth 2-Factor Bilateral Authentication

Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Web, VPN and SaaS based solutions.


Categories: Blog

Author: Garret

Having put together over 100 webinars for SecureAuth, I also take the time to listen to other firms’ webinars. (And yes, I am e-mailing and IM’ing through theirs, like others do to mine; all’s fair.)

What’s relevant about the other product webinars I listen to is NOT what is included, but what is omitted.

There is no question that consolidating your SaaS/Web access to a single portal is the right answer. And it’s also the right answer to consolidate access to an ID that your users already know (e.g., federate the identity from your Active Directory or other known identity).

But what is OFTEN omitted is, well, how do you do all that boring stuff around the password? E.g.:

  • User Self Password Reset
  • 2-Factor Self-Password Reset that meets Regulatory Compliance
  • User Password Lock-Out and Unlock
  • Password Sync to Cloud, like Google
  • Enforcing Password Strength across
    • On-Premise Web Applications
    • Cloud Applications

Well, this is exactly what the “SecureAuth 2-Factor IdP” is able to do. (See image #1)

Image #1: SecureAuth becomes the centralized 2-Factor Password Mechanism for your user data resource (AD, LDAP, SQL, etc).

The SecureAuth solution is the 2-Factor “Instant IdP” that allows you to convert your present user store into a fully functional IdP for the modern enterprise deployment of applications.  (On-premise and SaaS web deployments.)

Enterprises today need to provide:

Check out the full SecureAuth Password Functionalities here. Contact us – and we will tell you more!



Categories: Blog

Author: Garret

Had the pleasure of F5’s (wonderful) Peter Silva coming by the SecureAuth booth @ RSA to record our BYOD (“Bring Your Own Device”) story.

Video Blog: RSA 2012 Spotlight – SecureAuth

The SecureAuth BYOD story is what the IT world is clamoring for:

As will be detailed in our upcoming webinar with F5 (F5 APM and SecureAuth and FishNet Webinar – BYOD security for Web and Cloud Apps), we will point out the importance of allowing any device access to your apps.

And this is what came out during the RSA show. The attendees (IT directors, security engineers, consultants) were looking for solutions on how to:

This is the SecureAuth story, and specifically the SecureAuth/F5 APM story. Contact us – and we will tell you more!

F5 APM and SecureAuth and FishNet Webinar – BYOD security for Web and Cloud Apps
Thursday, March 22nd, 10am PST



Categories: Blog

