Implement two-factor
authentication based
on smart cards

Corporate IT infrastructure today may include various services and information systems with their own user account directories, which requires the use of multiple credentials for system authentication. Some services may support authentication via digital certificates issued by both in-house and third-party certificate authorities. These certificates can also be used in electronic document management.

Certain password requirements are usually in place to ensure adequate security of password-based authentication. The list of requirements may include mandatory characters, password length, update frequency, forbidden popular sequences, such as «admin» and «123456», etc. Even with a single password, meeting all of these requirements may prove a real challenge, let alone multiple usernames and passwords. Likewise, it’s not uncommon when routine password updates in different systems and services are scheduled at different times (without synchronization or control dates).

Your personnel may also need to use multiple hardware devices for secure storage of keys and electronic signature certificates, for example, different tokens or smart cards for each qualified certificate.

According to internal regulations and administrative documents, your employees are expected to maintain the security of storage and use of their passwords and authentication devices on their own. But this only looks good on paper; in real life, you may encounter the following issues:

• If the relevant policies have not been properly set up, your employees may choose to ignore the security requirements for passwords to corporate systems and services.
• Your employees may intentionally or unintentionally fail to regularly update their passwords if this process has not been properly automated.
• Despite meeting all password security requirements, your employees may use a physical medium or a text file for storing their passwords.
• Your employees may forget their passwords and keep asking your IT/IS team to reset them (they may even forget to create a new password if this is not enforced by default after the first login).
• In case your employees use multiple devices, they may mix up their passwords or store them in unsafe places.

On top of that, each new secure hardware device requires additional investments − you need to buy (or replace) it every time. And if you have more than one authentication device, your expenses are bound to increase, not to mention the challenges associated with keeping all tokens and smart cards on file and duly managed.

Unsolved issues related to password use and administration, as well as digital certificate and token management, can make your IT infrastructure less manageable and adversely affect your information security. A first-choice solution in this case is to use a combination of specialized software suites that rely on Public Key Infrastructure Management, Authentication Management, Access Management, and Two-Factor Authentication (2FA) technology.

Multi-factor authentication solutions can help you not only manage your authenticators (more than just passwords) and PKI infrastructure more effectively, but also upgrade your overall cyber security framework.

Two-factor authentication

Password-based authentication technologies may be easy to use, but they have some major flaws. You can overcome those flaws by using secure hardware devices and digital certificates for user authentication:

• Your devices and certificates are much less likely to be compromised.
• If they do get compromised (for example, if a device has been lost), you will learn about it immediately, and your information security administrator can take appropriate measures to block the affected device.
• The device PIN code is usually easy to remember, but the PIN code alone is useless without physical access to the token.
• Users can easily change their PIN code and do not need to remember multiple PIN codes since all certificates and authentication data for all corporate services are stored on a single device.
• Authentication requires a hardware device, and even if this device is compromised, it will be hard to use it from a workstation that has not been expressly set up for access to corporate resources (except for public web resources).

If Axidian Access is used together with Axidian CertiFlow, you will get a special hardware tool enabling two-factor authentication in the target services of your corporate IT infrastructure.

Certificate-based authentication for Windows

The Axidian CertiFlow platform supports integration with your in-house certificate authorities based on the Windows CA functionality. Out-of-the-box authentication based on certificates issued by Windows CA is also supported in the Active Directory domain infrastructure.

Axidian CertiFlow can help you centrally manage how the digital certificates get issued by Microsoft CA and are subsequently handled. These certificates can be stored on a protected device containing all other certificates.

This way, the device can also be used for Windows authentication.

Smart cards and digital certificates for app authentication

Even today, the default authentication mechanism in many information systems and services is simple password protection. Some systems may not support any other authentication scenarios or protocols (RADIUS, SAML, ADFS, Active Directory, X.509, etc.).

On the same note, applications that do support digital certificate authentication may require certificates issued by a third-party certificate authority. This is a standard situation in the case of document flow between various state departments or public procurement.

Axidian CertiFlow can help you monitor and control the use of all your digital certificates, even those issued by third-party certificate authorities (including accredited CAs).

Thanks to the Axidian Access platform, you can use hardware secure storage devices for end-to-end authentication in any password-protected application or web application. You can do this by using:

• the supported authentication protocols (ADFS, SAML, etc.) or
• the Enterprise Single Sign-On (ESSO) module

ESSO can intercept GUI password entry forms and map it to the back-end credentials. This single sign-on solution also supports secure storage of the above credentials and takes care of the routine updates (new passwords are added in the same way − through interception of GUI password entry forms).

This way, one and the same device can be used for secure authentication across all corporate applications and web applications.

A single device for storing identification and authentication data

The Axidian Access platform enables all authentication scenarios involving a secure hardware device in all target resources (via appropriate integration modules). It also supports integration with the AMCS; in this case, the same hardware devices can be used both for authentication and gaining physical access to the AMCS-protected premises.

If your company chooses to use both products, you can opt to have all digital certificates available to a given end user stored on one smart card; the same device can also be used as an authenticator for all Windows-based workstations, as well as target applications and web applications.

Using a single device for identification and authentication can help you not only make your access certification in all corporate resources much more effective, but also strengthen the loyalty of your end users, not to mention that the overall information security at your company will improve, thanks to a thorough monitoring of all authentication events in particular.

Encryption and electronic signature

The Axidian CertiFlow platform can help you take under control not only your internal digital certificates, but also certificates issued by third-party certificate authorities, including accredited CAs.

Digital certificates stored on a single device can be used for other tasks in addition to user authentication in the target systems:

• Encrypt and sign your emails
• Encrypt and sign your electronic documents
• Sign your business transactions (for example, transfers to bank accounts)
• Encrypt your files and drives
• Set up a VPN connection

Qualified digital certificates confer legal value to your electronic signature. This means that you can use it to arrange legally binding electronic document flow, take part in public procurement, and receive other electronic public services.

Corporate ID

When your IT infrastructure incorporates both Axidian Access and Axidian CertiFlow, you can opt to assign multiple functions to a single protected device, such as user identification, authentication, and other business tasks:

• Authenticate on Windows-based workstations
• Authenticate in enterprise applications and web applications
• Authenticate in public web services
• Electronically sign documents
• Encryption for messages, files, and drives
• Connect to a VPN
• AMCS identification
• Have a debit card linked to a bank account

The final list of available features depends on the technical parameters of a specific hardware device, i.e. its form factor, whether or not it has an RFID chip, a secure certificate storage space, a magnetic stripe, or a chip for linking it to a bank account, etc.

The resulting device can also serve as a corporate ID (or card). Your employees can use this ID to receive all the services offered by your company, as well as gain access to all corporate resources.

Warding off the risk of loss or damage of the device

On the one hand, using a single device for gaining access to all corporate services and performing other business tasks can have its perks both for the end users and the entire company:

• You can significantly boost the efficiency of your corporate resource usage
• You can enhance the labor productivity of your personnel in terms of access to resources
• The use of a protected device containing all user identification and authentication data can improve your company’s information security

On the other hand, having one device fit for various tasks may pose security threats should the token be lost or stolen. Things can get even worse if the device supports remote access to corporate resources, and the attacker resorts to blatantly stealing the device from your employee.

Our products allow for centralized monitoring of the device usage. Should a compromised smart card be detected, you can use Axidian Access and Axidian CertiFlow to promptly block the device and revoke the certificates. As both platforms support integration with SIEM software, you will immediately learn about all security incidents and compromised devices, even without involving end users.

• Сertificate authorities: Microsoft Windows CA, CAmelot
• Removable hardware tokens: eToken (SafeNet), ESMART (SafeNetISBC), Yubikey (Yubico), ID Prime (Gemalto), and ePass (Feitian).
• Authentication protocols: RADIUS, SAML, ADFS, OpenID Connect, Kerberos (Active Directory)
• Authentication in the target systems: Microsoft Windows Logon, Microsoft RDS, MS IIS, VPN, Web Application, and Desktop Application
• Integration with access security tools, smart card printers, authentication management tools (Axidian Access), and identity management tools − IdM (via API)