MP-1 / SMS Token Brochure v01 - Info-Point-Security

MP-1 SMS TOKENS
Delivery of one-time passcodes by SMS message has quickly
become a respected and accepted solution to address the
risks of compromised static passwords, striking the right balance
between an organization’s security needs, manageability
and usability requirements along with overall cost.
SECURITY
One-Time Passwords (OTP) which are a combination of a secret
PIN and the One-Time Passcode can be used to replace
and/or augment standard static password logons, just about
anywhere a static password is required.
MANAGEABILITY
There’s no hardware to distribute and no client software to
install or maintain. The only requirement is the ability to receive
SMS messages.
COST
SMS NO WAITING
In this mode a new passcode is delivered by SMS immediately
following each successful authenticated logon. The advantage
is that a user always has a valid passcode (which cannot be
used without their secret PIN) on their phone. This method
most closely mimics a traditional logon.
Eliminating hardware and client software significantly reduces
the acquisition and operating costs of a strong authentication
solution.
WHY MP-1 SMS ONE-TIME PASSCODES?
Not all SMS solutions are created equal. Consider a few of the
BlackShield ID SMS solution advantages:
BETTER SECURITY
While most OTP systems are limited to a 6 digit passcode, the
weakest form of one-time passcode, BlackShield ID can be
configured to generate 8 character passcodes comprised of
digits, letters and other characters. Configurability means that
you can choose and change the strength of the solution to
meet your security and compliance requirements.
LOGON EXPERIENCE
For many organizations a complete solution is not simply a
question of delivering an OTP but must also optimize integration
with applications, access points and user logon experience.
That’s why BlackShield ID supports 4 methods of SMS/
OTP authentication.
SMS NO WAITING PLUS
This mode differs from the above by sending up to 5 passcodes
in each SMS message. This is ideal for users that are
frequently in areas with sporadic or unreliable SMS delivery
because they are not dependant on the SMS service until all
passcodes have been consumed.
SMS CHALLENGE/RESPONSE
This method is ideal for organizations that want delivery of
the OTP to occur during the logon process. Only after the user
has submitted their valid UserID is the passcode delivered by
SMS, allowing the user to submit their OTP and complete the
logon process.
Strong Authentication Platform

This method has the added benefit of a passcode “time-tolive”,
not only limiting passcode to a single use but also requiring
the passcode to be consumed within a limited period
of time. If it not used within the time-to-live period, the passcode
automatically expires and cannot be used for authentication.
PROVISIONING
As with all BlackShield ID tokens, SMS token provisioning can
be automated, saving time and improving compliance. Black-
Shield ID is easily configured to automatically issue, suspend
or revoke tokens based on changes to a user’s Active Directory
group membership, account status and time/day access
restrictions.
This means that every time a new user is added to a monitored
Active Directory group, BlackShield ID will provision the
user with an SMS token. If the account is suspended in AD,
the token is automatically suspended in BlackShield ID, preventing
its use for authentication until the user’s account is
reactivated. If a user is removed from the monitored group
the token is automatically revoked.
All of this is accomplished without writing to AD, modifying or
extending the schema. As a result, token management becomes
a transparent, zero-administration solution.
AUDIT AND REPORTING
All user authentication activity is persisted in the BlackShield
ID database, so even after a user has been removed or a token
revoked, a complete audit trail is preserved, satisfying
privacy and security audit requirements.
MIX AND MATCH
OTP delivery by SMS does not always meet the needs or requirements
of the entire user population. With BlackShield ID
this presents no problem because any combination of SMS,
hardware and software tokens can be used concurrently in
your user population to meet security, budget and compliance
requirements including:
SMS SINGLE SIGN ON
This method is a variation of SMS Challenge/Response that
lets organizations take advantage of 2-stage SSO authentication
supported by leading SSL VPN and on-demand computing
solutions from vendors such as Juniper Networks, Fortigate,
Cisco Systems , Citrix and others. In this mode users
must submit their Logon ID and Active Directory password.
If this is validated by Active Directory, BlackShield ID
sends a time-limited passcode to the user who combines this
with their PIN and submits this as the second stage of authentication.
The result is all of the benefits of SSO with the added security
and protection of one-time passwords and the convenience
and economy of SMS.
Contractors and external parties — It is not always practical
to issue hardware or software tokens to temporary
or occasional users. BlackShield ID SMS tokens provide an
elegant and economical solution because there is nothing
to distribute. In addition, BlackShield ID easily accommodates
external users that are not part of your Active Directory,
including assignment of individual day and time
access controls.
Strong Authentication Platform
ktseries-brochure-v01

Lost or forgotten tokens — Issuing a temporary SMS token
to regular users that have lost or forgotten their
hardware token continues the protection of OTP authentication
while bridging the interval until the hardware
token is recovered or replaced.
WHERE CAN BSID SMS TOKENS BE USED?
Just about anywhere you can logon using a static password.
Just a few examples:
SSL and IPSec VPN solutions from a wide variety of vendors
including Juniper Networks, Cisco Systems, Check
Point, WatchGuard and SonicWall.
Web Servers and web-based applications on Microsoft IIS
or Apache servers.
On-demand Computing solutions such as Citrix and Propalms.
RADIUS compliant applications and network devices.
PAM enabled applications.
USER SELF-SERVICE
STANDARDS AND CERTIFICATIONS
AES 256 Encryption
RoHS compliant
FCC Part 15, Subpart B
CE approved
SECURITY
Variable OTP length: 6-8 charactersDigits (0 - 9)
Hexadecimal: (0 - 9, A - F)Base32 (0 - 9, A - Z)Base64: (0 -
9, Aa - Zz, punctuation)
Stronger passcodes
Better PIN management
SMS "Flash" mode
AES 256 bit Encryption
AUTHENTICATION SERVER COMPATIBILITY
BlackShield ID v2.5+
BlackShield ID includes user self-service, enabling users to
change or update PINs or request an OTP by SMS.
GATEWAYS AND MODEMS
BlackShield supports a wide range of SMS gateways, letting
you select a vendor that best meets your requirements. For
even greater economy, an SMS modem loaded with a SIM
card obtained from your preferred mobile service provider
can be used by BlackShield ID to transmit OTP messages.
For more information, 3rd party integration guides or a free
evaluation system, visit www.cryptocard.com
CRYPTOCard North America,
600—340 March Road,
Ottawa, Ontario. K2K 2E4 Canada
Toll free: 800-307-7042
Telephone: +1-613-599-2441
Fax: +1-613-599-2442
CRYPTOCard Europe,
Aztec Centre, Aztec West, Almondsbury,
Bristol BS32 4TD, England
Telephone: +44 870 7077 700
Fax: +44 870 7077 711
Email: sales@cryptocard.com
Web: www.cryptocard.com
CRYPTOCard, the CRYPTOCard logo and BlackShield ID are registered trademarks of CRYPTOCard Corp. in the Canada and/or other countries. All other goods and/or
services mentioned are trademarks of their respective companies.

Strong Authentication Platform