2-factor authentication for Citrix, VPN and remote access in general using any cellphone?


SMS PASSCODE: the next step in lowering the administrative costs of 2-factor authentication?

First of all, let me just point out that I don't do commissioned product reviews; what I choose to write about is what I think makes sense and what could make life easier for IT departments and, in this case, for the users as well.

So, SMS PASSCODE released their version 2.5 and it is looking great. A while back I did a blog post on the first version I got my hands on, titled: The "new" 2-factor authentication product SMSPasscode.

So what is new since then? Well, let me start out with what the concept is; I am guessing there are still quite a few out there who haven't had the chance to use the product so far.

I think everyone working in IT knows that remote access to our companies should be secured by 2-factor authentication. Typically this means something you know, like username and password, plus something you have: a token, a sheet of sequenced numbers to answer a challenge, biometrics (does anyone use that?) or even something like BioPassword.

In all its simplicity, this means there are two factors:

  1. Something you know
    1. Typically username/password
  2. Something you have
    1. Mobile/cell phone
    2. Token (RSA, SafeWord)
    3. Paper keycard (numbers on paper to answer challenges)
    4. Eye
    5. Finger
    6. Rhythm of typing

This is what I think we can all agree on, right?

So what have we done traditionally? We have used tokens for the most part. And why? Well, the integration was good with products like Citrix Web Interface, there were agents for RADIUS so we could use it with VPN, and most had a solution to also support things like Outlook Web Access etc.

So all in all we had one solution for the most part that could cover our remote access needs, great! :)

So, when we all set this up, managers were happy, users got used to carrying the token around and we went on to more interesting projects.

But what about these tokens? They were in fact the magic key that made sure we would not allow someone to just steal a username and password off a post-it.

Well, I found that people had to perform a lot of administrative tasks to make sure that tokens were managed securely whenever:

  • A user left the company
  • A token was lost or stolen
  • A token ran out of power
  • A token had to be distributed to external consultants before they could work remotely
  • Tokens had to be called back when the work of external consultants was done

That's just some of the pains I have seen on the management side of the token solution. Don't get me wrong, tokens do the job great; they just require a lot of administrative effort.

So enough with the common knowledge stuff :)

A new way to do this hit me a couple of years back. A few Danish guys had worked with a customer who could not get his employees to work from home. The tokens were always in the other pair of pants, left at work, forgotten in the car, or out of power because the kid had used it as a chew toy…

So the customer asked why he couldn't just get his token code on his cell phone: it was their most important tool for doing their job, so they always had it on them. And I could totally agree. I always check my pocket for my phone when I get up, leave a room or the like.

So they decided to give it a try: not just make a solution that sends it via SMS, that had been done before, but make it a personal, scalable solution.

This is what they came up with:


Corporate Credentials Registry

They decided that the best way to find username and password was to use the existing domain, so they support LDAP integration. This means that, on the basis of LDAP and group membership, support staff can add a new user to the 'Need external access' group and enter his cell phone number in the 'Mobile' field of the Telephones tab in Active Directory, and within 5 minutes the user can log on remotely using only his browser and his cell phone.

Load balancing services

This is something that was added along the way, as scalability required that customers could separate the roles and load balance between them, e.g. to make sure an SMS (text message) would not be stuck on a modem which for some reason had stopped sending out messages.

Transmitter Services

These are in charge of dispatching the passcodes to the users via the SMS modems.

Authentication Clients

Now these are the important part. These are the agents for the different access types. The currently supported agents are:

  • Citrix Web Interface
  • RADIUS challenge/response
    • Check Point
    • Cisco
    • Citrix Access Gateway
    • Juniper
    • Etc.
  • IIS sites (by using ISAPI filters)
    • Outlook Web Access 2003
    • Outlook Web Access 2007
    • IIS web sites using integrated Windows authentication
  • Windows logon (by altering the GINA)
    • Terminal Services
    • Windows servers
    • Windows workstations
  • Logon Points in Citrix Access Gateway Advanced Edition

All these together support most of the interfaces I come across in my daily work.

So how does it work for the user?

The logon procedure is the same for all the authentication clients: the user logs in using his username and password; if this is done correctly and Active Directory, Novell or whatever replies with OK, a passcode is sent to the phone number registered with the user, and the user is presented with a field to 'enter passcode'. When the user enters the passcode, and it is done from the same session that initiated the request, the user is validated and allowed inside. This method is, by the way, called challenge- and session-based 2-factor authentication, and it is a more secure method than e.g. regular hardware-based tokens since it prevents phishing: a passcode only works from the session that requested it.
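As an added example (not SMS PASSCODE's own code), here is a minimal Python model of the challenge- and session-based flow described above, which also covers the directory lookup described under Corporate Credentials Registry (group membership, the 'mobile' attribute, disabled accounts) and the per-user OTP time-limit extension mentioned later in the post. DIRECTORY is a constructed sample standing in for Active Directory, and the send_sms callback, the class and its method names are assumptions.

```python
import hmac
import secrets
import time

# Constructed sample standing in for the AD lookup: username -> password,
# the 'mobile' attribute, remote-access group membership and enabled flag.
DIRECTORY = {
    "alice": {"password": "correct horse", "mobile": "+4512345678",
              "remote_group": True, "enabled": True},
    "bob":   {"password": "hunter2", "mobile": "+4587654321",
              "remote_group": False, "enabled": True},
    "carol": {"password": "s3cret", "mobile": "+4511111111",
              "remote_group": True, "enabled": False},
}


class SessionOtpAuthenticator:
    """Step 1 checks the primary factor and sends a passcode bound to the
    requesting session; step 2 accepts it only from that same session, only
    once, and only before it expires. send_sms(mobile, text) is assumed."""

    def __init__(self, ttl_seconds=60, send_sms=None, clock=time.time):
        self.ttl = ttl_seconds
        self.send_sms = send_sms or (lambda mobile, text: None)
        self.clock = clock
        self.challenges = {}  # session_id -> [passcode, expires_at, used]

    def begin(self, session_id, username, password, ttl_override=None):
        rec = DIRECTORY.get(username)
        if rec is None or not rec["enabled"] or not rec["remote_group"]:
            return False  # unknown, disabled in AD, or not in the access group
        if not hmac.compare_digest(rec["password"], password):
            return False  # primary factor failed: no SMS is sent at all
        passcode = f"{secrets.randbelow(10**6):06d}"
        ttl = self.ttl if ttl_override is None else ttl_override  # per-user limit
        self.challenges[session_id] = [passcode, self.clock() + ttl, False]
        self.send_sms(rec["mobile"], f"Your passcode is {passcode}")
        return True

    def complete(self, session_id, passcode):
        ch = self.challenges.get(session_id)
        if ch is None or ch[2] or self.clock() > ch[1]:
            return False  # no challenge for this session, replay, or expired
        if not hmac.compare_digest(ch[0], passcode):
            return False  # wrong passcode
        ch[2] = True  # single use: the same code cannot be presented again
        return True
```

Note that a passcode issued to one session is rejected when presented from another session, which is the property the post relies on when it calls the method session-based.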

I have found that the integrations made so far have been done quite nicely; let me take you through a couple of examples.

Citrix Web Interface

The login page we all know.

If the username and password are validated, in this case in Active Directory, a passcode is sent to the cell number registered on the user in Active Directory. The user is then presented with a field to enter the passcode, with information on the status of the SMS and how long the passcode is valid.


If the passcode is valid, the user is approved and allowed into the applications.


Cisco VPN client, using RADIUS challenge/response

As normal, the user logs on with his Cisco VPN client.

After validation of username and password via RADIUS, a challenge is sent in the shape of a text message to the cell phone, and the user is presented with a passcode response field.

After the passcode has been validated the user is allowed access.

Windows logon

And my last example in this post will be the GINA. I have spoken to quite a few customers who would like to publish a terminal server directly on the internet using just RDP. One way of making this kind of solution a bit safer is to integrate 2-factor authentication into the GINA of the terminal server.

Before I show how this works, let me just point out that it is possible to create local groups of people who are not prompted for a passcode when they log on.

So… you log on to your terminal server using whatever URL in your remote desktop client.

And in the same manner as I showed earlier in the article, it then ships a passcode to the user's cell phone and prompts the user for the passcode.

The supported platforms at the moment for the GINA agent are:

  • Windows XP Pro
  • Windows Server 2003
  • Windows Server 2003 x64
  • Terminal Server running 2003 or 2003 x64

Is SMS PASSCODE the only way to go?

For sure not :) SMS PASSCODE provides a great way to deliver passcodes to the mobile workforce. And luckily there is support for running SMS PASSCODE side by side with RSA or SafeWord, so that you can use the best solution for the individual user.

So why is it that I am using SMS PASSCODE more and more?

Well, for me SMS PASSCODE provides a stable, secure and scalable 2-factor authentication platform. It integrates into most of the products I come across and, on top of this, it solves one of the main issues that my customers experience today.

On the administrative side of the token issue, SMS PASSCODE solves quite a few of the pains for me.

  • A user left the company
    • The user is disabled in Active Directory by my helpdesk and thereby loses all remote access
  • A token ran out of power
    • The cell phone is simply recharged on a regular basis
  • A token had to be distributed to external consultants before they could work remotely
    • Users and cell numbers are simply added and the users gain remote access
  • Tokens had to be called back when the work of external consultants was done
    • Whenever the user is deleted or the cell number is removed, the license is freed up and can be used for another user

We considered SMS before, but there is no QoS on SMS…

This is true, but I will have to say that I have heard about problems when sending an SMS from a "western" SIM card to a Chinese SIM card. Sending an SMS from a Danish SIM card to another Danish SIM card in China is not a problem. The same seems to be the case in Slovakia. In these two cases I have had customers who have not been able to get the passcodes delivered in time, and for those users we have just raised the time limit of the OTP.

Besides that, I have a lot of customers sending all their SMSs from Denmark to users all over the world, and the general opinion seems to be that this solves some of the token pains for a large group of their users.

Conclusion

Everybody is using SMS today, everybody has a cell phone (how else would we vote in the next episode of Idols?), so why not use a device which is already found almost everywhere?

On the security and administrative side of things, I have heard of users whose token had been misplaced for weeks or months without them taking action. But whether it is a private or a company cell phone, I have heard of only a few who have been able to live without it for more than a few days. And users can even call their own service provider and have their phone (token) locked, saving the IT department the hassle of running 24/7 phone support to help people who lose their tokens.

I want to become even more mobile, and I think this product could help a lot of people ease the troubles of having a secure remote access strategy.

/Rene Vester
