MP-1 / SMS Token Brochure v01 - Info-Point-Security
MP-1 SMS TOKENS
Delivery of one-time passcodes by SMS message has quickly become a respected and accepted solution to address the risks of compromised static passwords, striking the right balance between an organization’s security needs, manageability and usability requirements along with overall cost.
SECURITY
One-Time Passwords (OTP), which are a combination of a secret PIN and the One-Time Passcode, can be used to replace and/or augment standard static password logons, just about anywhere a static password is required.
MANAGEABILITY
There’s no hardware to distribute and no client software to install or maintain. The only requirement is the ability to receive SMS messages.
COST
Eliminating hardware and client software significantly reduces the acquisition and operating costs of a strong authentication solution.
WHY MP-1 SMS ONE-TIME PASSCODES?
Not all SMS solutions are created equal. Consider a few of the BlackShield ID SMS solution advantages:
BETTER SECURITY
While most OTP systems are limited to a 6-digit passcode, the weakest form of one-time passcode, BlackShield ID can be configured to generate 8-character passcodes composed of digits, letters and other characters. Configurability means that you can choose and change the strength of the solution to meet your security and compliance requirements.
LOGON EXPERIENCE
For many organizations a complete solution is not simply a question of delivering an OTP but must also optimize integration with applications, access points and user logon experience. That’s why BlackShield ID supports 4 methods of SMS/OTP authentication.
SMS NO WAITING
In this mode a new passcode is delivered by SMS immediately following each successful authenticated logon. The advantage is that a user always has a valid passcode (which cannot be used without their secret PIN) on their phone. This method most closely mimics a traditional logon.
SMS NO WAITING PLUS
This mode differs from the above by sending up to 5 passcodes in each SMS message. This is ideal for users that are frequently in areas with sporadic or unreliable SMS delivery because they are not dependent on the SMS service until all passcodes have been consumed.
SMS CHALLENGE/RESPONSE
This method is ideal for organizations that want delivery of the OTP to occur during the logon process. Only after the user has submitted their valid UserID is the passcode delivered by SMS, allowing the user to submit their OTP and complete the logon process.
This method has the added benefit of a passcode “time-to-live”, not only limiting the passcode to a single use but also requiring the passcode to be consumed within a limited period of time. If it is not used within the time-to-live period, the passcode automatically expires and cannot be used for authentication.
Strong Authentication Platform
PROVISIONING
As with all BlackShield ID tokens, SMS token provisioning can be automated, saving time and improving compliance. BlackShield ID is easily configured to automatically issue, suspend or revoke tokens based on changes to a user’s Active Directory group membership, account status and time/day access restrictions.
This means that every time a new user is added to a monitored Active Directory group, BlackShield ID will provision the user with an SMS token. If the account is suspended in AD, the token is automatically suspended in BlackShield ID, preventing its use for authentication until the user’s account is reactivated. If a user is removed from the monitored group the token is automatically revoked.
All of this is accomplished without writing to AD, modifying or extending the schema. As a result, token management becomes a transparent, zero-administration solution.
AUDIT AND REPORTING
All user authentication activity is persisted in the BlackShield ID database, so even after a user has been removed or a token revoked, a complete audit trail is preserved, satisfying privacy and security audit requirements.
MIX AND MATCH
OTP delivery by SMS does not always meet the needs or requirements of the entire user population. With BlackShield ID this presents no problem because any combination of SMS, hardware and software tokens can be used concurrently in your user population to meet security, budget and compliance requirements including:
Contractors and external parties — It is not always practical to issue hardware or software tokens to temporary or occasional users. BlackShield ID SMS tokens provide an elegant and economical solution because there is nothing to distribute. In addition, BlackShield ID easily accommodates external users that are not part of your Active Directory, including assignment of individual day and time access controls.
Lost or forgotten tokens — Issuing a temporary SMS token to regular users that have lost or forgotten their hardware token continues the protection of OTP authentication while bridging the interval until the hardware token is recovered or replaced.
SMS SINGLE SIGN ON
This method is a variation of SMS Challenge/Response that lets organizations take advantage of 2-stage SSO authentication supported by leading SSL VPN and on-demand computing solutions from vendors such as Juniper Networks, Fortigate, Cisco Systems, Citrix and others. In this mode users must submit their Logon ID and Active Directory password. If this is validated by Active Directory, BlackShield ID sends a time-limited passcode to the user, who combines this with their PIN and submits this as the second stage of authentication.
The result is all of the benefits of SSO with the added security and protection of one-time passwords and the convenience and economy of SMS.
WHERE CAN BSID SMS TOKENS BE USED?
Just about anywhere you can log on using a static password. Just a few examples:
SSL and IPSec VPN solutions from a wide variety of vendors including Juniper Networks, Cisco Systems, Check Point, WatchGuard and SonicWall.
Web Servers and web-based applications on Microsoft IIS or Apache servers.
On-demand Computing solutions such as Citrix and Propalms.
RADIUS compliant applications and network devices.
PAM enabled applications.
USER SELF-SERVICE
BlackShield ID includes user self-service, enabling users to change or update PINs or request an OTP by SMS.
STANDARDS AND CERTIFICATIONS
AES 256 Encryption
RoHS compliant
FCC Part 15, Subpart B
CE approved
SECURITY
Variable OTP length: 6-8 characters
Digits: (0 - 9)
Hexadecimal: (0 - 9, A - F)
Base32: (0 - 9, A - Z)
Base64: (0 - 9, Aa - Zz, punctuation)
Stronger passcodes
Better PIN management
SMS "Flash" mode
AES 256 bit Encryption
AUTHENTICATION SERVER COMPATIBILITY
BlackShield ID v2.5+
GATEWAYS AND MODEMS
BlackShield supports a wide range of SMS gateways, letting you select a vendor that best meets your requirements. For even greater economy, an SMS modem loaded with a SIM card obtained from your preferred mobile service provider can be used by BlackShield ID to transmit OTP messages.
For more information, 3rd party integration guides or a free evaluation system, visit www.cryptocard.com
CRYPTOCard North America,
600—340 March Road,
Ottawa, Ontario. K2K 2E4 Canada
Toll free: 800-307-7042
Telephone: +1-613-599-2441
Fax: +1-613-599-2442
CRYPTOCard Europe,
Aztec Centre, Aztec West, Almondsbury,
Bristol BS32 4TD, England
Telephone: +44 870 7077 700
Fax: +44 870 7077 711
Email: sales@cryptocard.com
Web: www.cryptocard.com
CRYPTOCard, the CRYPTOCard logo and BlackShield ID are registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.