Entrust IdentityGuard - authentication

INFO & KNOWLEDGE

Knowledge-based Authentication

Username & Password: most widely accepted and understood authentication method available

One of the most common, and most widely accepted and understood, authentication methods is the use of usernames and passwords. As a central authentication service, Entrust IdentityGuard can be called upon to validate all authentication requests, including the validation of usernames and passwords. Entrust IdentityGuard covers not only the validation of a user's password, but also the enforcement of password composition and password change policies. This capability can remove the need for individual applications to ship their own native username and password implementation.


Knowledge-based authentication

One of the simplest mechanisms for gaining additional confidence in a user's identity, knowledge-based authentication challenges users to provide information that an attacker is unlikely to know (e.g., place of birth, mother's maiden name, first car). Based on "shared secrets," this allows the organization to question the user when appropriate and confirm information that is already known about the user from a registration process or from previous transactions. Answer matching has a configurable tolerance for misspellings and abbreviations.


Physical Second-Factor Authentication

Grid Authentication: a physical challenge and response to random grid coordinates

Grid authentication provides organizations a means to implement simple, effective, two-factor authentication by leveraging a security grid card. Users receive a security grid that contains a series of numbers and letters in easily marked columns and rows. These security grids can be delivered to users as credit card-sized cards, or printed on the backs of access badges, credit or ATM cards, or even printed on billing statements and other confidential communications.

To perform strong user authentication with a security grid, users are required, in addition to their existing username and password (something you know), to respond to random Entrust IdentityGuard challenges requesting information that they locate on their security grid (something you have).
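The challenge-response flow described above, as an added example that is not Entrust's code: the issuer stores a per-user grid, the server draws random coordinates for each login and binds them to the session, and the response is compared in constant time. The 5x10 layout and single-character cells are assumptions for this example, not the product's actual card format.

```python
import hmac
import secrets
import string

# Constructed grid layout for this example: rows A-E, columns 1-10,
# one alphanumeric character per cell. Real card layouts vary.
ROWS = "ABCDE"
COLS = range(1, 11)
ALPHABET = string.ascii_uppercase + string.digits


def issue_grid():
    """Generate a fresh grid card as a map of (row, col) -> cell value.
    The issuer keeps this per user; the user receives the printed card."""
    return {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}


def new_challenge(grid, cells=3):
    """Pick `cells` distinct random coordinates for this login attempt.
    The server stores the challenge with the session so the response is
    checked against what was actually asked, not what the client claims."""
    return secrets.SystemRandom().sample(sorted(grid), cells)


def format_challenge(challenge):
    """Render coordinates the way the user sees them, e.g. 'B3 E10 A7'."""
    return " ".join(f"{r}{c}" for r, c in challenge)


def answer_challenge(grid, challenge):
    """What the legitimate card holder reads off the card for a challenge."""
    return "".join(grid[coord] for coord in challenge)


def verify_response(grid, challenge, response):
    """Compare the typed response with the expected cells in constant time.
    Input is normalised (whitespace stripped, upper-cased) before comparing."""
    expected = answer_challenge(grid, challenge)
    candidate = response.strip().upper()
    return hmac.compare_digest(expected.encode(), candidate.encode())
```

A production deployment would also rate-limit failed responses per user, since each challenge exposes only a few cells of the grid.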




Grid Authentication

Grid Authentication source: Entrust Inc.



Scratch Pad Authentication: a one-time password list that is revealed by the user at the time of use

One-time-password lists, or OTP lists, are an alternative to deploying a security grid for user authentication. With this approach, end users are provisioned with a list of randomly generated passwords, typically printed on a sheet of paper or hidden under "scratch cards" that are distributed to and carried by the end users.

When stronger user authentication is required, users are prompted to enter one of the passwords from their OTP list. This can be done during account login in addition to the user's normal username and password, or when performing a specific transaction.

To reduce susceptibility to phishing, man-in-the-middle and malware attacks, the OTP the user is prompted for is chosen at random and can be used only once. This renders a captured OTP useless to an attacker.
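The one-time property described above, as an added example that is not Entrust's code: the server stores only hashes of the printed list, prompts for a random unused entry, and burns the entry on success so a captured value cannot be replayed. List size, entry length and the hashing scheme are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def issue_otp_list(count=20, length=8):
    """Generate the passwords printed on the user's sheet or scratch card.
    Returns (plain list for printing, server record holding only hashes)."""
    plain = ["".join(secrets.choice(ALPHABET) for _ in range(length))
             for _ in range(count)]
    record = {
        "hashes": [hashlib.sha256(p.encode()).hexdigest() for p in plain],
        "used": [False] * count,
    }
    return plain, record


def prompt_index(record):
    """Pick a random unused entry to prompt for (shown to the user as
    'enter password #N'); None when the list is exhausted and must be reissued."""
    unused = [i for i, used in enumerate(record["used"]) if not used]
    return secrets.choice(unused) if unused else None


def verify_otp(record, index, candidate):
    """Accept only the entry that was prompted for, only if still unused,
    then mark it used so the same value is rejected from now on."""
    if index is None or record["used"][index]:
        return False
    digest = hashlib.sha256(candidate.strip().upper().encode()).hexdigest()
    if not hmac.compare_digest(digest, record["hashes"][index]):
        return False
    record["used"][index] = True
    return True
```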


OTP Tokens: time-synchronous hardware tokens that generate random one-time passwords

The Entrust IdentityGuard Mini Token is a high-quality, one-time-password device designed to help provide strong, versatile authentication to enterprises, governments and consumers. The token offers easy-to-use, time- and event-synchronous capabilities that can be deployed alone, or in a layered strategy, in combination with other authentication methods as part of the Entrust IdentityGuard versatile authentication platform.



Multichannel Authentication

Mobile Out-Of-Band Authentication: transmission of a shared secret through out-of-band voice, SMS, email or text message channels (Voice or SMS Gateway required)

A security measure that takes advantage of alternate channels of communication, out-of-band authentication uses an independent means of communicating with the user to defend against attacks that have compromised the primary channel. This is a very effective means of guarding against man-in-the-middle attacks, where a legitimate online session may be used to piggy-back fraudulent transactions.

Out-of-band user authentication is also very convenient because it can leverage channels that already exist and are easy to access for customers, including voice calls to a telephone, SMS to a mobile phone, or email to a computer or mobile device.

Entrust IdentityGuard supports this user authentication capability by allowing the generation of one-time confirmation numbers that can be transmitted along with a transaction summary to the user.


Mutual Authentication

Mutual Authentication: two-way authentication that leverages existing shared secrets to confirm identities in both directions. It can be achieved in several ways: through SSL EV (enhanced validation) certificates; through the Grid Card, since grid authentication not only provides a secure, cost-effective and easy way to authenticate users but also offers built-in mechanisms for mutual authentication; or via Message & Image Replay, in which a unique, personalized shared secret is presented to the user, along with an image the user selected, to confirm the validity of the communication.


Figure: Mutual Authentication Pictures (source: Entrust Inc.)



Image Replay

If security grid authentication is not being used for two-factor authentication, Entrust IdentityGuard provides flexible options to achieve mutual authentication using image and message replay techniques. In this scenario, as part of the user registration process, a user selects or shares an image and message that is later shown to them during login. By personalizing the login with the selected image and message, the user recognizes that this information is only known to the legitimate site.

Whether the user chooses a picture from an online collection or uploads one of their own, it will be familiar and, thus, easier to recognize when it is not present.

Grid Card Serial Replay

The Entrust IdentityGuard security grid cards provide different options for mutual authentication. The first mutual authentication option is based on the serial number of the grid itself. Each grid has a unique serial number that is known only to the issuer (your organization) and the user. As such, during login, this serial number can be displayed to the user before prompting for user authentication.

Before entering their password or grid challenge response, the user simply confirms that the serial number displayed on the website matches the one on their grid card. If it does, the user can be confident they are on your legitimate website.

Grid Card Location Replay

Another mutual authentication method that can be leveraged with the grid card is for the replay of the data within specific grid coordinates. When displayed to the user, this coordinate information confirms that the site has specific knowledge of the contents of the user's grid and, therefore, must be legitimate.

Additional security measures can be taken to make this information difficult for fraudsters to harvest, such as ensuring that the replayed entries are obfuscated with non-machine-readable characters.

The security grid serial number replay and grid location replay mutual authentication methods can also be used across other channels, including email communications and printed literature.
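The serial number replay and grid location replay described above, as an added example that is not Entrust's code: before asking for any credential the site shows the card's serial and the values at a few random coordinates, and the card holder checks them against the card. The grid layout and serial format are constructed for this example; one added design choice, labelled as an assumption, is that the replayed cells are drawn separately from the cells of the subsequent challenge, so nothing the site reveals can be reused to answer it. Rendering the replayed values as a non-machine-readable image is left out.

```python
import secrets
import string

# Constructed layout for this example (same assumption as the grid example
# earlier on this page): rows A-E, columns 1-10, one character per cell.
ROWS = "ABCDE"
COLS = range(1, 11)
ALPHABET = string.ascii_uppercase + string.digits


def issue_grid():
    """Issue a card: a serial known only to issuer and holder, plus the cells."""
    serial = f"EIG-{secrets.randbelow(10**8):08d}"   # constructed serial format
    cells = {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}
    return {"serial": serial, "cells": cells}


def mutual_auth_page(grid, replay_cells=2, challenge_cells=3):
    """Build what the site shows before asking for credentials: the serial
    (serial replay) and the values at a few coordinates (location replay).
    Assumption: challenge coordinates come from the remaining cells, so the
    replayed values never disclose an answer to the challenge that follows."""
    coords = secrets.SystemRandom().sample(sorted(grid["cells"]),
                                           replay_cells + challenge_cells)
    replay, challenge = coords[:replay_cells], coords[replay_cells:]
    return {
        "serial": grid["serial"],
        "replay": {f"{r}{c}": grid["cells"][(r, c)] for r, c in replay},
        "challenge": [f"{r}{c}" for r, c in challenge],
    }


def card_holder_recognises_site(card, page):
    """The holder's check: serial and every replayed cell must match the card
    before any password or challenge response is typed into the page."""
    if page["serial"] != card["serial"]:
        return False
    for label, value in page["replay"].items():
        row, col = label[0], int(label[1:])
        if card["cells"].get((row, col)) != value:
            return False
    return True
```

A phishing site that has never seen the card cannot produce a matching serial or cell values, which is exactly the signal the holder is trained to look for.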


Machine identification

IP-Geolocation Authentication: identifies the geographic location of the device being used to access applications and systems

Entrust IdentityGuard delivers the ability to assess a user's identity, in conjunction with another of the platform's authenticators, based on IP-geolocation technology. The platform enables organizations to define white and black lists of Internet Protocol (IP) addresses that are used to decide whether an authentication should proceed or require a stronger (i.e., step-up) form of authentication.

It also includes the ability to profile users intelligently, storing a history of not just what machine the user logs in from, but also their typical geographic location. Leveraging the Entrust Open Fraud Intelligence Network (OFIN) for feeding regular updates of IP data into the product, Entrust IdentityGuard's IP-geolocation capabilities can strengthen authentication and help to better assess the risk of a transaction being undertaken by a user.

Although typically thought of in consumer environments, Entrust IdentityGuard also provides IP-geolocation authentication for use with remote access environments, allowing a unique way of strongly authenticating users without having to deploy a physical component.

Machine Authentication: transparent identification of device being used to access applications and systems

This method validates the user's computer, via a specific machine "fingerprint", transparently and with low impact on the user, defending against a variety of threats. It is an especially effective way of strengthening user authentication where users typically access their account from a regular set of machines, allowing stronger authentication to be performed without any significant impact on the user experience.


Entrust IdentityGuard - benefits: What do companies gain from using Entrust IdentityGuard?

Entrust IdentityGuard: Entrust IdentityGuard is a versatile authentication platform offering different authentication methods that cover widely varying requirements for security and convenience.



Copyright © 2004 CRYPTAS. All rights reserved.