Beruflich Dokumente
Kultur Dokumente
IdentityGuard 9.1
Deployment Guide
5
Deployment considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Application integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Web integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Microsoft Windows integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
VPN remote access integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Wireless Access Portal integration . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Application considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Integrating with existing user management systems . . . . . . . . . . . . . 87
Using shared secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Selecting a repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Directory repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Database repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Performance and maintainability . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Performance testing strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Backing up, restoring and migrating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
High availability and disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Entrust IdentityGuard Server hot-standby or load-balancing . . . . . . . 94
Hot-standby scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Load-balancing scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Repository failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Local repository failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Geographically-dispersed repository failover . . . . . . . . . . . . . . . 97
Radius server failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Switching over to Entrust IdentityGuard . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7
Deploying knowledge-based authentication . . . . . . . . . . . . . . . . . . . . . . . .129
Question requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Sources of questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Creating good questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Sample questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Selecting a set of questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Challenge requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Challenge size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Challenge accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Setting how many correct answers are required . . . . . . . . . . . . 135
Setting the accuracy of answers . . . . . . . . . . . . . . . . . . . . . . . . 135
Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
9
Microsoft Windows desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Microsoft Windows desktop - evaluation . . . . . . . . . . . . . . . . . . . . 176
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Microsoft Windows desktop - standard . . . . . . . . . . . . . . . . . . . . . 177
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Microsoft Windows desktop - high availability . . . . . . . . . . . . . . . . 178
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Note: The guide is not intended to be an exhaustive list of all the activities and
tasks required to deploy Entrust IdentityGuard. It acts as a guide for the team
responsible for deployment.
11
Documentation conventions
Table 1 contains the typographic conventions that appear in this guide:
Note: Information to help you maximize the benefits of your Entrust product.
Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form by
• clicking the Feedback on guide link located in the footer of Entrust’s PDF
documents (see bottom of this page).
• following this link: http://www.entrust.com/products/feedback/index.cfm
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrust.com
Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://www.entrust.com/trustedcare
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed
Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America
Email address
The email address for Customer Support is:
support@entrust.com
17
Why use Entrust IdentityGuard?
As online fraud and compliance regulations become more prevalent, standard user
name and password authentication no longer offers sufficient security for your
organization’s sensitive resources.
Strong authentication is a tool that your organization likely uses in some form today.
Whether it is for VPN remote access, Microsoft® Windows® security, or Web-based
applications, you need to provide strong and flexible authentication to a wide range
of users and transactions, based on the risk associated with those transactions.
Entrust IdentityGuard provides multiple authentication factors (also referred to as
“methods”) which your organization can use (with or without other user name and
password authentication methods) to increase security. The various authentication
methods Entrust IdentityGuard offers allows you to adjust the strength of the
authentication to the sensitivity of the resource or transaction.
For example, as Figure 1 demonstrates, a company could apply Entrust IdentityGuard
grid authentication when a remote employee logs in using a VPN connection. The
system could include an existing user name and password authentication resource or
could use Entrust IdentityGuard to handle this first-factor authentication duty.
Company VPN
User that requires device
multifactor Entrust IdentityGuard
authentication Server
Machine authentication
Entrust IdentityGuard allows you to verify a user by comparing current properties of
the user’s machine against a previously stored copy of those same properties.
Machine authentication is also a feature of risk-based authentication.
See “Machine authentication” on page 55 for a detailed description of machine
authentication.
Risk-based authentication
Entrust IdentityGuard allows you to determine situations where second-factor
authentication is applied, based on a user’s location or machine information. For
example, second-factor authentication may not be required when users log in from
the desktop computer they use all the time. However, if users log in from remote
locations or are using computers they have never used before, you may want Entrust
IdentityGuard to send them a second-factor challenge. Using risk-based
authentication allows you to choose when second-factor authentication is applied
based on risks relevant to your company.
There are two authentication features associated with risk-based authentication:
• machine authentication
The risk is assessed based on the attributes associated with a particular
computer.
User
First-factor
authentication Entrust IdentityGuard
application Server
Repository
User Repository
Entrust IdentityGuard
Server
Repository
Client Application server
administration SOAP
(with SSL) Administration service Directory
application
Entrust Database
Web administration
IdentityGuard application
HTML/
Administration
HTTPS
interface and
Properties Authentication service
editor
Administration interface
Administrators use the Web-based Administration interface to perform system and
user administration operations that define how Entrust IdentityGuard will work in
your organization.
Properties editor
Administrators use the Properties editor to set or review the properties that govern
the behavior of Entrust IdentityGuard and its components.
Repository
Entrust IdentityGuard uses your existing repository or multiple repositories to store
user, unassigned token, and preproduced card data in an existing LDAP-compliant
directory, a JDBC-compliant database, or both. Multiple Entrust IdentityGuard servers
can access different replicas of the repositories, if required.
When a grid or other authentication data is generated for a user, sensitive data is
written in encrypted form to the repository. During second-factor authentication,
data is retrieved from the repository.
Users reside in groups. You can assign groups to one or more repositories, and those
repositories can be in databases, in directories, or both.
Each directory search base is treated as a separate repository, and has the capability
of using a different directory server and different directory user credentials. The
default configuration uses a single search base.
Client applications
Client applications use the Authentication API and the Administration API to access
Entrust IdentityGuard’s multifactor authentication abilities on behalf of your users. To
access these APIs, the client applications require appropriate administrative privileges.
Table 3 provides some examples of what client applications can do.
To create your own client applications, see the Entrust IdentityGuard Programming
Guide that applies to your programming language (Java Platform or .NET).
The Entrust IdentityGuard Administration interface, Entrust IdentityGuard Desktop
for Microsoft Windows, and the sample Web application included in the installation
package are all examples of client applications.
Web users
Web users are internal or external users to your organization who access your intranet
or Internet site by logging in through a Web browser. First-factor authentication (user
name and password) is completed by a Web access product or Entrust IdentityGuard
using password authentication. Entrust IdentityGuard can then provide additional
authentication methods as required by the sensitivity of the operation. For more
information, see “Web integration” on page 84.
Authentication methods
Entrust IdentityGuard provides authentication methods for authenticating users,
performing mutual and risk-based authentication, and registering computers.
This chapter describes the implementation considerations for each method.
Note: While reading this chapter, consider the frequency of the authentication
events to which you want to add multifactor authentication. Gather statistics
from your authentication applications and resources, and develop a usage profile
for each of the transactions. You can then find an appropriate balance between
user convenience, resistance to attack, and the administrative overhead for
managing multifactor authentication.
33
Overview of available authentication methods
This section describes and compares the authentication methods available through
Entrust IdentityGuard.
Entrust IdentityGuard divides the authentication methods into the following
categories:
• first-factor authentication
In first-factor authentication, users must identify themselves, typically by
supplying a user name and password. You can rely on a separate application
to do this, such as a Remote Authentication Dial In User Service (Radius)
server, a domain controller, a Web-based access control product, or the
Microsoft Windows Login feature. Alternatively, you can use Entrust
IdentityGuard’s password feature.
• second-factor authentication
In second-factor authentication, users verify their authenticity to your
organization, using one of the following methods:
– token authentication
– grid authentication
– passcode list authentication
– knowledge-based authentication
– one-time password authentication delivered through an out-of-band
mechanism
For added security, a personal verification number can be used with cards
(grids and passcode lists), tokens, and one-time-passwords. For more
information, see “Using personal verification numbers” on page 66.
• mutual authentication (organization authentication)
In mutual authentication, your organization proves itself as authentic.
Mutual authentication can involve different types of replay authentication.
Authentication methods 35
Feedback on guide
Figure 7: Mutual authentication methods
• machine authentication
In machine authentication, the user’s identity is verified based on various
properties of the user’s computer.
• risk-based authentication
In risk-based authentication, the authentication method presented depends
on the risk. Risk varies based on user qualities, such as
– the machine used
– the user’s geographic location
Risk can be based on the nature of the transaction. Some examples which
might qualify as high-risk transactions include:
– large money transfers
– new account creation
– large purchases
• temporary PIN authentication
In temporary PIN authentication, the user enters a temporary PIN in place of
a temporarily unavailable card (grid or passcode list) or token.
Authentication methods 37
Feedback on guide
Table 4: Comparison of available authentication methods (continued)
Password authentication
Entrust IdentityGuard administrators with the applicable role permissions can set and
manage the passwords of Entrust IdentityGuard users through the Administration
interface. For new passwords, administrators can enter passwords of their choosing
or auto-generate random passwords. Administrators can also manage policy settings
related to passwords, such as the length, composition (letters, numbers, case, and
special characters), expiry date, and reuse history. The policy settings ensure that user
passwords conform to your organization’s password requirements.
Authentication methods 39
Feedback on guide
Note: You can also configure the Radius proxy to skip first-factor authentication
entirely and present users with a second-factor authentication challenge
immediately.
External authentication
The external authentication feature, provided with Entrust IdentityGuard is useful
when deploying in a Remote Access or VPN environment. This feature lets you use
Entrust IdentityGuard to manage first-factor authentication through an LDAP
directory or Windows domain controller through Kerberos, without having to deploy
a Radius server.
Use external authentication when your users and their password information are
stored in an external resource (such as Active Directory or an LDAP-compliant
directory).
Also, in an environment where user password information is stored in an external
resource (for example, Active Directory) and Entrust IdentityGuard information
(grids, tokens, policies, and so on) is stored in a database, you can have Entrust
IdentityGuard forward first-factor authentication to the external resource if the
external authentication is through Kerberos.
Note: When using external authentication, users in the first-factor resource are
not automatically synchronized with the second-factor resource (the Entrust
IdentityGuard repository). You must manually synchronize all data between the
different resources.
For a sample architecture, see “Web access - evaluation” on page 156. Also see the
Entrust IdentityGuard Installation Guide for more information.
Token authentication
Using tokens, your users can authenticate themselves using a dynamic password after
completing first-factor authentication.
By default, Entrust IdentityGuard supports the Entrust IdentityGuard Mini Token and
the Entrust IdentityGuard Pocket Token. The Mini Token is available in an AT version
(time+event synchronous) and an OE version (OATH compliant). Entrust
IdentityGuard also supports tokens from other vendors.
In addition, you can configure the Entrust IdentityGuard APIs to use any tokens from
a supported token vendor. Different token types can be assigned to your users, and
Authentication methods 41
Feedback on guide
a user can have two tokens from different vendors, though the tokens cannot have
the same token state. For more on token states, see the Entrust IdentityGuard
Administration Guide.
Tokens represent a strong second-factor authentication method because they
combine possession (the token) and knowledge (the dynamic password or PIN).
Because the token password changes frequently, it is difficult for a hacker to record it
and use it later to log in to the system.
Entrust IdentityGuard supports tokens that use response-only mode and tokens that
use challenge-response mode.
Grid authentication
With grid authentication, you provide each user with a printed Entrust IdentityGuard
card that contains rows and columns of characters. Authentication works as follows:
1 The user completes first-factor authentication (user name and password)
successfully.
2 Entrust IdentityGuard presents the user with a challenge based on the grid on
their card, as illustrated in Figure 8.
3 The user enters the values from their grid card corresponding to the requested
cell locations in the challenge. In Figure 8, the challenge asks the user to enter the
numbers in grid coordinates B1, E4, and G5, which are “7 8 4”.
4 Entrust IdentityGuard validates the entered values and authenticates the user. By
entering the correct response, users demonstrate that they possess the grid card,
thus providing a second factor of authentication.
IGuser1
******
******
Authentication methods 43
Feedback on guide
• In two-step authentication, the user logs in as usual and is then shown a
second dialog box containing the Entrust IdentityGuard grid challenge.
Because the user has already passed first-factor authentication, the user’s
identity is known. This lets you add other Entrust IdentityGuard features,
such as serial number replay or grid location replay (see “Mutual
authentication methods” on page 52). For an example, see Figure 10.
Passcode lists
Passcode list authentication is a grid authentication that uses a list of passcodes or
transaction numbers (TANs) rather than a grid. Each passcode can be used just once.
Authentication methods 45
Feedback on guide
With this approach, you provide users with a list of randomly generated passcodes
for second-factor authentication.
Some organizations view passcode lists as easier for their users to use than grid cards,
though our usability study proved that grid card use is quick to learn. (See “Grid card
usability study” on page 181.)
Typically, you distribute these lists to users on a printed sheet of paper similar to
Figure 11. You can also distribute scratch-off grid cards that make it easy for users to
see what codes they have already used.
Then, when a passcode is required, you prompt for the passcode next to a number in
the list as in Figure 12.
The user types the passcode printed on the paper next to the requested number. To
reduce susceptibility to phishing or malware attacks, each passcode is used just once.
This renders the entered passcode useless should it be captured by an attacker.
Knowledge-based authentication
A simple mechanism for identifying users is to challenge them to provide information
that an attacker likely cannot provide. The organization can present questions to the
user based on information (referred to as authentication secrets) that was supplied by
the user at registration or based on previous transactions or relationships.
In turn, the users recognize the secret questions they set up during registration and
they know that they have reached a legitimate site.
Authentication methods 47
Feedback on guide
During enrollment the user may select and provide answers to easily-remembered
questions, such as What year did you buy your first car?, Which historical figure do
you most admire?, Name your most memorable cartoon character?, and so on.
Questions can be drawn from previous user interactions with the organization. For
example: What was the balance on your last statement?. It is difficult for attackers to
harvest answers to these questions through other information sources.
Entrust IdentityGuard allows organizations to select a number of such authentication
secrets or facts for each user and prompt for all answers or just a subset of them to
increase second-factor authentication strength.
Advantages • There are no physical requirements for users (such as grid cards or
tokens).
• You can leverage previous interactions between the user and your
organization.
Authentication methods 49
Feedback on guide
You can send one-time passwords directly using email, text message (SMS), or voice
to a preregistered phone number. The user gets the one-time password by one of
these means, enters it into the application, and the transaction is approved.
To decide how to send the one-time password, consider the following:
• What information is already stored about the user and is the information
reliable? For example, a cell phone service provider would likely use SMS
with its digital cell service users. This way, the service provider can manage
any service level agreement (SLA).
• If previously collected information is not reliable enough for one-time
password authentication, you can register users. The online registration
process allows authenticated users to enter, validate, and correct their
delivery information (email address, voice phone number, and cell phone
number), and out-of-band authentication preferences. This also allows users
to personalize the way their one-time password is delivered to them.
• If you are using email delivery of one-time passwords, you can also send
details of the requested transaction with the OTP. This allows the user to
confirm the transaction details before authenticating. You can configure
Entrust IdentityGuard so that, when the user authenticates, a transaction
receipt is returned. The returned transaction receipt may be signed,
depending on how the policies are set.
Authentication methods 51
Feedback on guide
Mutual authentication methods
Your organization needs to have confidence in the user’s identity. Likewise, users must
be confident that they are transacting with their organization or intended online site,
and not a fraudulent organization or spoofed site. Mutual authentication provides a
way for your organization and your users to prove themselves as legitimate. Entrust
IdentityGuard provides several mutual authentication methods.
Mutual authentication works as follows:
1 The user completes first-factor authentication successfully.
2 Entrust IdentityGuard presents the user with an authentication challenge.
3 The challenge presents an image or information to the user that only the valid
site could have.
4 The user recognizes the image or information, and responds to the challenge.
5 Entrust IdentityGuard validates the entered values and authenticates the user.
Mutual authentication is also called organization authentication. The following
options are available:
• “Grid serial number or grid location replay” on page 52
• “Image and message replay” on page 53
Table 10: Grid serial number and location replay authentication advantages and
considerations
Advantages • Helps users determine if they are at a valid site before they
provide sensitive authentication data.
• Easy to use when grid authentication is enabled.
Authentication methods 53
Feedback on guide
You can provide your own collection of images for users to choose from, you can
allow users to upload their own images, or you can make use of the image collection
available from Entrust TrustedCare website.
Whatever source users choose their image from, it will be familiar to them. Image and
text replay makes it easy for users to know they are on a legitimate site.
Table 11: Image and text replay authentication advantages and considerations
Note: If the application does not generate a machine nonce, then the
application must provide machine fingerprint data.
Authentication methods 55
Feedback on guide
this case, it is strongly recommended that you use persistent objects such as cookies
to uniquely identify the user logging in.
The recommended algorithm for the use of machine secrets is to use persistent data
whenever possible, and machine fingerprints when storing cookies or flash objects is
not possible is:
• If cookies are enabled, then store cookies
• If cookies are not enabled, then store flash objects
• If cookies and flash objects are not enabled, then provide fingerprint data
Authentication methods 57
Feedback on guide
Note: The properties in Table 12 were collected using JavaScript on an Internet
Explorer browser running on Windows. Similar properties are available on other
browsers, but the names and values may be different.
Property Value
navigator.appCodeName Mozilla
navigator.appName Microsoft Internet Explorer
navigator.appMinorVersion ;SP2;
navigator.cpuClass x86
navigator.platform Win32
navigator.systemLanguage en-us
navigator.userLanguage en-us
navigator.appVersion 4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727)
navigator.userAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727)
navigator.onLine true
navigator.cookieEnabled true
screen.availHeight 1170
screen.availWidth 1600
screen.bufferDepth 0
screen.colorDepth 32
screen.deviceXDPI 96
screen.deviceYDPI 96
screen.fontSmoothingEnabled true
screen.height 1200
screen.logicalXDPI 96
screen.logicalYDPI 96
screen.updateInterval 0
Property Value
screen.width 1600
Note: The properties in Table 13 and Table 14 show just a portion of the MIME
and plug-in information available. They were collected using JavaScript on a
Firefox browser running on Microsoft Windows. Similar properties are available
on other browsers, but the names and values may be different.
Property Value
navigator.mimeTypes[0].description Mozilla Default Plug-in
navigator.mimeTypes[0].suffixes *
navigator.mimeTypes[0].type *
navigator.mimeTypes[1].description Java
navigator.mimeTypes[1].enabledPlugin. NPOJI610.dll
filename
Property Value
navigator.plugins[0].description Default Plug-in
navigator.plugins[0].filename npnul32.dll
navigator.plugins[0].length 1
navigator.plugins[0].name Mozilla Default Plug-in
navigator.plugins[1].description Java Plug-in 1.5.0 for Netscape
Navigator (DLL Helper)
Given the wide range of information available, some of which may be too common
to be useful, it is recommended that organizations consider the use of a combination
of elements gathered through JavaScript such as:
• browser version
• browser plug-ins present
• browser language being used
Authentication methods 59
Feedback on guide
• browser platform (user’s operating system)
• screen size of user’s computer (height and width)
• screen color depth
Authentication methods 61
Feedback on guide
Risk-based authentication
There are situations in which you want to present users with an extra authentication
challenge or reject the users outright for security reasons. Alternatively, you may want
to automatically authenticate users who pose no risk.
IP geolocation
Entrust IdentityGuard includes a mechanism to determine the approximate
geographical location of the IP address of any user who attempts to access your site.
The location data consists of the country, region, city, Internet service provider (ISP),
latitude, and longitude.
With this data, Entrust IdentityGuard determines if the user passes your risk and
authentication policies.
• Compare the current location with the list of expected locations. If there is a
match, the user passes the expected location test.
• Compare the current location with the list of locations previously associated
with the user. If that location matches one on the list, the user passes the
location history test.
• Compare the current location with the last location associated with the user.
If the user changes locations faster than physically possible, the user fails the
velocity test. For example, if the user logs in from Toronto at 10:00 a.m. and
then logs in from New York a few minutes later, it is likely that one of the
logins is not legitimate.
• Compare the current location with all locations on the IP and country
blacklists. If a user's location is on a blacklist, the user is rejected.
Blacklists
Through the Administration interface or the master user shell, you can review and
update blacklists containing country codes and IP addresses.
You can have multiple country blacklists. This way, you can apply different lists to
different groups of users. A country blacklist consists of the two-character Internet
domain codes assigned to each country. The default list included with Entrust
IdentityGuard contains A1 codes, which are addresses that belong to anonymous
proxy services, and A2 codes, which relate to satellite-based Internet providers that
conceal the country of origin.
You can have a single, system-wide IP blacklist that applies to all users. To keep the
list compact and easy to maintain, each entry you add to the blacklist can specify a
range of IP addresses. For example the entry “100.1.1.1 100.1.1.10” represents 10
Authentication methods 63
Feedback on guide
IP addresses. (The blacklist supports only version 4 IP addresses.) By default, the IP
blacklist has no entries.
Advantages • It allows users to log in even if they have forgotten or lost their
grid card or token.
Considerations • It is only available if using token or card authentication (either grid
or passcode list).
• It requires policy considerations such as: expiry mode (either time
or use-based), minimum length, characters to use, character
replacements, challenge size, and automatic deletion when a user
begins using their grid card or token.
• You should only use this method as a temporary second-factor
authentication solution and not as a permanent second-factor
authentication solution.
Deployment type • Web access
Authentication methods 65
Feedback on guide
Using personal verification numbers
For additional security, you can require a user to enter a personal verification number
(PVN) during an authentication challenge. For example, when a user enters grid
coordinates, you can also prompt for their PVN number to validate the grid card user.
A PVN can be used with a card (grid or passcode list), token, temporary PIN, or
one-time-password authentication challenge.
Each user can have just one PVN. The PVN is a numeric value whose length is set by
policy. Users can pick their own PVNs or administrators can auto-generate random
PVNs and assign them to users.
67
Planning: initial considerations
This section identifies, at a high level, both the technical and nontechnical aspects
that need to be addressed for a successful deployment. These aspects can be
categorized into the following five areas:
• authentication methods
This refers to the authentication methods supported by Entrust
IdentityGuard and that your organization requires to verify user identities.
Examples include considering the requirements for second-factor and mutual
authentication, and how to implement the methods into your existing
authentication structure.
See “Authentication methods” on page 33.
• policies and practices
This refers to the specific security policies supported by Entrust IdentityGuard
and the practices used by your organization to implement these polices.
Examples of policies for Entrust IdentityGuard include the size of the grid or
passcode list, the length of a challenge, the number of authentication factors,
the use of a personal verification number (PVN), the inclusion of blacklists,
and the number of incorrect attempts before lockout.
See “Entrust IdentityGuard policies” on page 69.
• people
This refers to the personnel required to deploy, operate and support Entrust
IdentityGuard.
See “People” on page 70.
• architecture and technology
This refers to the technical aspects of supporting Entrust IdentityGuard, such
as the networking environment, operating systems, hardware and software,
and application integration. Examples include the environment in which
Entrust IdentityGuard is deployed, and the applications that Entrust
IdentityGuard protects.
See “Entrust IdentityGuard components” on page 23 and “Entrust
IdentityGuard baseline architectures” on page 153.
• operations
This refers to the ongoing operational aspects of Entrust IdentityGuard and
the procedures needed to support, administer, and operate Entrust
IdentityGuard. Examples include the initial deployment of grid cards or
tokens, and the distribution and activation of replacement grid cards or
tokens.
See “Operations” on page 71.
People
As with any system, Entrust IdentityGuard’s deployment and ongoing operation
requires the participation of people from different parts of your organization.
Although many people are required only on a part-time basis, identifying them and
communicating their roles and responsibilities early in the planning process can help
avoid delays later.
Table 18: People required for the deployment and operation of Entrust IdentityGuard
System monitoring
Entrust IdentityGuard operation generates a series of audit messages that can be
written to a file or stored in a database. These audits should be examined periodically
as a way of understanding the kinds of activities that are most common, and as a way
to monitor system health. There are three types of audits written: INFO, WARNING,
and ERROR. In the WARNING and ERROR cases, messages are also written to the
system logs.
You can also choose to send selected audit data to a database, either your Entrust
IdentityGuard database, or a separate database that you configure for audit data.
This allows you to generate scheduled or on-demand audit reports. If your Entrust
IdentityGuard installation uses an LDAP repository, you must configure a database for
audit reporting.
As an added benefit, your Entrust IdentityGuard installation can also be configured to
send selected audits as traps to your SNMP manager. This allows your support staff
Other precautions
Locate the Entrust IdentityGuard Server and related systems in a secure facility
designed and constructed to support the hosting of IT systems infrastructure. Such
hosting facilities are typically equipped with perimeter security barriers, surveillance,
air conditioning, uninterrupted power supply and fire protection. Implement physical
access controls to ensure that only those authorized to perform operations or support
services are allowed to enter the Entrust IdentityGuard region, which may be a
separate room or a lockable cabinet.
Depending on your organization’s approach to deploying applications into
production, additional implementations of Entrust IdentityGuard into test or staging
environments may be required.
Assigning administrators
Administer Entrust IdentityGuard and its users through the Administration interface.
This interface allows administrators to manage Entrust IdentityGuard policies, groups,
users, grid cards, tokens, configuration, and so on, and to handle day-to-day
interaction with the users (for example, requests for temporary PINs). You can enter
user information individually or by importing a file of user IDs.
Consider the following when determining the number and levels of administrators
you require:
• Each administrator is assigned a particular role or set of roles, which defines
which operations they can perform. Roles include a set of permissions that
govern what actions an administrator can perform.
For example, you can restrict an administrator who works at your Help Desk
to
– reset user accounts once they’ve been locked out
– manage temporary PINs
– view user account information
For more information about roles, see the Entrust IdentityGuard
Administration Guide.
• Administrators access the administration interface using password
authentication. You can optionally add grid or token authentication as well.
• Each administrator is assigned a set of user groups to manage.
• Administrators belong to a group, which determines their policy settings.
This group does not have to be a group they manage. See “Group
requirements” on page 79.
• The Properties editor gives administrators with applicable permissions to
access all Entrust IdentityGuard properties. Only administrators with a very
good understanding of Entrust IdentityGuard should be given access to the
Properties editor.
Training users
When deploying Entrust IdentityGuard, you must train your users to use the new
authentication methods and have them register as required. Also, if you have
Microsoft Windows desktop users, they must install the Entrust IdentityGuard
Desktop Client for Microsoft Windows.
When planning training for users, consider the following:
• Inform users of Entrust IdentityGuard and your company’s plans for
implementation before deployment.
Suspending users
Administrators with applicable permission can suspend users. Suspended users
cannot use any Entrust IdentityGuard authentication method to gain access to your
applications.
View suspension as a temporary measure—an action taken while a problem with the
user is investigated and sorted out. To disable a user permanently, delete the user.
Attention: While you can change a group’s policy settings after the creation of
the group, take care not to invalidate pre-existing grid cards or other
authentication data. For example, if the grid size is increased from five rows to
10 rows after grid cards have been issued, subsequent challenges might include
cell coordinates from the additional five rows that do not exist on the original grid
cards.
Considerations Comments
What types of users do you • Do you have users in defined groups connecting to your
have that require multifactor company through VPN servers?
authentication?
You will need to enable either the Entrust IdentityGuard
Radius proxy or another VPN server authentication method.
• Do you have distinct groups of Windows users that require
multifactor authentication when logging in to their
computer?
You will need to install and configure the Entrust
IdentityGuard client for Windows.
• Do you have users who access your site using a Web portal?
You can put these users in a separate group with mutual
authentication enabled.
• Which applications will you create, and what types of users
will access each application?
You can group users by the applications they access.
How will you subdivide • What sorts of multifactor authentication do these users need?
these groups?
• Do some users who access your applications require stronger
multifactor authentication than others? Do some require
step-up authentication?
• Should users be grouped across functions, within
departments, or both?
Considerations Comments
How will you administer • Will each group have specific administrators?
these groups?
• Will one central group of administrators administer
everything?
• Will some administrators administer multiple groups?
• Will you have different levels of administration? For example,
will help desk administrators unlock passwords and assign
temporary PINs, and full administrators set up authentication
methods, and so on?
Group implementation
Entrust IdentityGuard implements groups in the following way:
• Groups are defined for both users and administrators.
• A single group is defined as default using a default flag. This group is used
whenever a group is not explicitly defined.
• Grid cards and tokens are associated with specific groups. In order to assign
the grid card or token to a user, the user must belong to the same group as
the grid card or token.
If your system contains only unique user names, then your client applications do not
have to include group names in a user identification request.
When Entrust IdentityGuard needs to verify a user and the application does not
return the group information, Entrust IdentityGuard tries to match the user with the
correct group following these rules:
• First search all repositories for all users with the given user name. For an
LDAP-compliant directory, look in all search bases. See “Repository” on
page 26 for more information on the connection between search bases and
groups.
• If no user entries are found, return an error.
• If one user entry is found, use that entry.
• If multiple user entries are found, check if one of those entries is in the default
group. If it is, return that entry. If not, return an error.
Note: If you are using groups with VPN users, see the Entrust IdentityGuard
Administration Guide for more information on how groups are implemented.
Deployment considerations
This chapter provides information you should consider when deploying Entrust
IdentityGuard in your organization.
This chapter contains the following sections:
• “Application integration” on page 84
• “Application considerations” on page 87
• “Selecting a repository” on page 89
• “Performance testing strategies” on page 91
• “Backing up, restoring and migrating” on page 93
• “High availability and disaster recovery” on page 94
• “Switching over to Entrust IdentityGuard” on page 101
83
Application integration
You can integrate Entrust IdentityGuard with many applications, including Web portal
applications, remote access applications and Microsoft Windows login. Several of
these applications have already been integrated, tested and documented by Entrust
with more to be added over time.
For the latest information on integrated solutions, contact Entrust. See “Obtaining
technical assistance” on page 15 for contact information.
This section contains the following topics:
• “Web integration” on page 84
• “Microsoft Windows integration” on page 85
• “VPN remote access integration” on page 85
• “Wireless Access Portal integration” on page 86
Web integration
The Entrust IdentityGuard Authentication API is used to retrieve challenge requests
and authenticate user responses. It is designed to easily integrate with your existing
authentication applications to provide multifactor authentication.
You can create a client application that calls the Authentication API using its Web
service, Java Platform, or .NET interfaces to authenticate users. For more information,
see the Entrust IdentityGuard Programming Guide for your programming language.
Deployment considerations 85
Feedback on guide
controller, an LDAP-compliant directory, or Entrust IdentityGuard. You then use
Entrust IdentityGuard to provide multifactor authentication.
Regardless of the resource you use, the VPN server thinks it is communicating with a
Radius server. It is actually communicating with the Entrust IdentityGuard Radius
proxy. Figure 36 on page 161 illustrates the integration approach. No changes are
required for the VPN client.
With the Entrust IdentityGuard Radius proxy, you can configure some of your VPN
servers to use a Radius server and some to use a different first-factor authentication
resource. You can direct different groups of users to different first-factor
authentication resources. Users who do not exist in Entrust IdentityGuard are
authenticated by the first-factor authentication mechanism only.
See the Entrust IdentityGuard Administration Guide for details on how to configure
the Radius proxy.
Deployment considerations 87
Feedback on guide
For more information about implementing the Entrust IdentityGuard Administration
API, see the Entrust IdentityGuard Programming Guide.
Directory repositories
User entries must exist in the directory before you can populate any Entrust
IdentityGuard attributes. Entrust IdentityGuard cannot create any user entries in a
Deployment considerations 89
Feedback on guide
directory. You must create users in the directory with your existing directory
management tool.
Entrust IdentityGuard cannot store unassigned grid patterns and token serial numbers
in a directory, but stores them in either a local file system or a local database. In a
configuration with a directory and a local file system, only a single Entrust
IdentityGuard server can host the local file system, and all assignments of grids or
tokens must be performed on that server. Availability of that server affects your
organization's ability to assign grids or tokens. Using a local database to store
unassigned grids and tokens supports a high availability configuration (see “High
availability and disaster recovery” on page 94).
Entrust IdentityGuard supports many widely-used directories. For more information,
see the Entrust IdentityGuard Directory Configuration Guide.
Database repositories
For databases, no existing user entries need to exist before you can populate any
Entrust IdentityGuard attributes. Entrust IdentityGuard can create new user entries in
a database for you.
Entrust IdentityGuard stores unassigned grid patterns and token serial numbers in
separate tables in a database. Using a database to store unassigned grids and tokens
supports a high availability configuration (see “High availability and disaster
recovery” on page 94).
Entrust IdentityGuard supports many widely-used databases. For more information,
see the Entrust IdentityGuard Database Configuration Guide.
Deployment considerations 91
Feedback on guide
After this script has been run a number of times and under different levels of load,
you can tabulate the results into a report showing the performance of the overall
Entrust IdentityGuard authentication system.
For information about repository size requirements, see either the Entrust
IdentityGuard Directory Configuration Guide or the Entrust IdentityGuard Database
Configuration Guide.
Deployment considerations 93
Feedback on guide
High availability and disaster recovery
Entrust IdentityGuard offers a failover scheme to ensure there are backup systems in
place in the event that a primary system fails. This scheme addresses high availability
and disaster recovery issues as described here:
• “Entrust IdentityGuard Server hot-standby or load-balancing” on page 94
• “Repository failover” on page 96
• “Radius server failover” on page 100
For procedures for configuring these failover scenarios, see the Entrust IdentityGuard
Administration Guide.
All data sources (databases, directories, Radius servers, external authentication
sources) that Entrust IdentityGuard uses are listed in specific properties in the Entrust
IdentityGuard properties file. To set up a common failover mechanism, you use the
Properties editor to list two or more URLs for each applicable property. The URLs
point to the data sources or servers.
When Entrust IdentityGuard needs to access a server or data source, it tries the first
URL in the list (known as the primary). If the connection succeeds, Entrust
IdentityGuard uses it until it fails. When the primary fails or is unavailable, Entrust
IdentityGuard tries the second URL in the list. If it fails or is unavailable, Entrust
IdentityGuard tries the next URL, and so on. In failure cases, Entrust IdentityGuard
always restarts at the primary source and traverses the URL list until it makes a valid
connection. During the traversal, the connection that caused the original failure is
skipped.
Hot-standby scenario
The hot-standby scenario is shown in Figure 20. The solid line shows the primary
connection, while the dotted line shows the hot-standby connection.
Load-balancing scenario
The load-balancing scenario is shown on the right side of Figure 20.
There are two ways to set up load-balancing:
• Both authentication and administration processes can be load-balanced if
they share the same repository, or their repositories are kept synchronized.
• If authentication and administration are not sharing a repository, only the
authentication service can be load-balanced.
Deployment considerations 95
Feedback on guide
Figure 20: Entrust IdentityGuard server load-balancing scenarios
Repository failover
You can configure repository failover to ensure there are backups if the primary
repository fails. To configure failover, use the Properties Editor to specify multiple
repository URLs—either LDAP-compliant directories or databases—in the Entrust
IdentityGuard properties file.
To configure failover for an LDAP-compliant directory or a database, see the Entrust
IdentityGuard Administration Guide.
There are two repository failover scenarios:
• local
• geographically dispersed
Deployment considerations 97
Feedback on guide
Standard multi-site failover configuration
In the standard configuration, each Entrust IdentityGuard server works from its own
repository, but the two repositories must be perfect replicas of each other.
Note that when you use geographically-dispersed Entrust IdentityGuard servers, both
servers can perform authentication tasks, but the primary Entrust IdentityGuard
server must provide the Administration services.
In Figure 22, the solid lines show the normal operating connections, and the dotted
lines show possible failover connections.
Deployment considerations 99
Feedback on guide
Radius server failover
Configure Radius server failover on the Entrust IdentityGuard Radius proxy to ensure
that there are backup Radius servers if the primary system fails. If a timeout occurs
while waiting for a response from the Radius server—and Radius server failover is
configured—Entrust IdentityGuard Radius proxy uses the next URL address in a list
(for the next request that it receives) and the current request times out. When the
Entrust IdentityGuard Radius proxy reaches the end of the list of URL addresses, it
starts at the beginning of the list again.
To create the list of Radius server IP addresses, see the Entrust Administration Guide.
103
Grid requirements
This section focuses on the items you need to consider before determining what type
of grid best suits your security needs and your users.
This section contains the following topics:
• “Grid size and format” on page 104
• “Grid lifetime and replacement” on page 105
Note: It may be appropriate within a user population to deploy various grid sizes
depending on the frequency of use and the transaction risk. Entrust
IdentityGuard supports this approach by allowing you to set up users in groups.
See “Group requirements” on page 79.
Table 20: Policy considerations associated with grid size and format
Table 21: Policy considerations associated with grid lifetime and replacement
Challenge size
You can configure the size of the Entrust IdentityGuard challenge (the number of cells
in a grid challenge), and this has an impact on the security of the solution.
• The greater the number of cells used in a challenge, the more data is given
away with each observation by an attacker.
For example, should users be tricked into entering a single authentication to
an attacker’s application, they would be giving away twice as much grid data
with a challenge size of six coordinates as with three coordinates. The more
data that is given away, the more quickly an attacker will gather enough data
to answer a challenge from the legitimate application.
• The challenge needs to be of a minimum size to reduce the probability that
an attacker can guess some or all of the challenge coordinate responses.
For example, assume an attacker successfully captures some grid card data
and then attempts to authenticate. The attacker receives a challenge in
which one of the challenge coordinates is already known to the attacker.
With a challenge size of two, the attacker has a much better chance of
obtaining the remainder of the challenge by guessing than if the challenge
size was four, especially since the Entrust IdentityGuard lock-out feature
limits the authentication attempts.
• Find a balance between the minimum and maximum constraints when you
set the optimal challenge size for a given grid size.
For most applications, the optimal challenge size is three. This number
provides the best overall resistance to an attacker guessing remaining
challenge coordinates across a range of observed authentications.
Preproduction model
These two models are not mutually exclusive. For example, an organization may use
the preproduction model for new users and use the produce-and-assign model for
existing users. The organization could also use the preproduction model for Entrust
IdentityGuard grid card replacement.
Produce-and-assign model
In the produce-and-assign model, the user (who will receive an Entrust IdentityGuard
grid card) must be known in advance of grid creation. The user is created within the
first-factor authentication application. Then use the Entrust IdentityGuard “Create
User” function to populate the user entry in the repository with the Entrust
IdentityGuard attributes. During the user creation process, a grid is generated for the
user.
In this model, grid card production and distribution must take into account that a grid
has already been created and assigned to a user within Entrust IdentityGuard.
Therefore, the physical card containing the grid must be distributed to the correct
recipient.
This approach is manageable for small-scale usage (a few grid cards a day), where the
entire enrollment process is handled as an over-the-counter service, completed in a
few minutes. One advantage to this process is that it easily supports Entrust
IdentityGuard grid card personalization, such as printing a photograph on the grid
card.
The following subsections provide more detail on how to produce and assign grids
when enrolling existing and new users:
• “Produce-and-assign grids for existing users” on page 110
• “Produce-and-assign grids for new users” on page 112
2a. Administrator
requests card
Preproduction model
In the preproduction model, users are not necessarily known in advance. A set of grids
is generated, but not assigned to specific users. A grid is assigned to a user at some
point during the user registration and activation process. How and when the
assignment occurs depends on the user administration processes in place.
How the grid card production models are used plays a significant role in user life cycle
management. See “User life cycle management” on page 139.
Figure 28 shows the steps involved in the generation of the Entrust IdentityGuard
production file for the preproduction model. In this model, anonymous grids are
created. Grid assignment happens later in the registration process.
Anonymous grids can be sent to users in the mail. When the user receives a grid card
in the mail, they assign the grid card to themselves at a self-enrollment Web site. At
such a Web site, you can configure Entrust IdentityGuard to challenge the user to
prove that they have the grid card, rather than just ask for the serial number. For
example, after the user enters their serial number, they are presented with a grid
challenge. If the grid challenge fails, the grid card stays in the unassigned state. This
is to ensure that the user does not assign the wrong grid card to themselves by
entering the wrong serial number.
Also, users can receive their anonymous grids in person. For example, a bank teller
can pull a grid card out of a box to give to a customer in a bank branch. In this model,
grid cards should have a tamper-evident sticker that covers the grid, but not the serial
number.
Note: For users who are visually impaired, you can produce the grid cards with
Braille characters. If you do produce grid cards with Braille characters, ensure that
your application does not conceal challenges (such as presenting challenges as
images), but presents the challenges in machine-readable text.
Also see “Grid card production cost factors” on page 121 and “Delivery and
activation” on page 149.
Typical characteristics
The following are general characteristics of deployments involving in-house grid card
production (note that these characteristics do not exclude an outsource approach for
deployment):
• used for Enterprise deployments where grid card production already exists
• grid cards are distributed at either over-the-counter service locations or
through existing corporate mailing facilities
Setup
The following areas need to be addressed prior to starting any in-house Entrust
IdentityGuard grid card production:
• Review internal departmental agreements and process.
• Check the inventory of existing card stock (for example, letter stock, card
artwork, logo, branding).
Process
The following process steps are required with in-house Entrust IdentityGuard grid
card production. (These steps may vary based on corporate procedures and policy.)
Setup
The following areas need to be addressed prior to starting any outsourced Entrust
IdentityGuard grid card production:
• Select a grid card production facility for Entrust IdentityGuard grid card
production and distribution (Entrust can recommend a grid card production
partner).
• Create grid card production partner agreements.
• Write a welcome letter and activation instructions for users.
• Secure inter-organization transmission capability
– for Entrust IdentityGuard grid card generation information
– for Entrust IdentityGuard grid card distribution
• Send grid cards to users or deliver grid cards to the service desk for internal
distribution.
Process
The following steps are involved in outsourcing Entrust IdentityGuard grid card
production.
Typical characteristics
The following are general characteristics of deployments involving Entrust
IdentityGuard grid card production:
• The organization using Entrust IdentityGuard grid cards does not have an
internal card production capability or elects not to use the internal capability.
• The organization would like to set up a quick pilot deployment.
• The organization does not need many grid cards (1000 grid cards or less)
Setup
Before starting any Entrust IdentityGuard grid card production, you must select one
of three card options:
• a generic card with a preproduced grid
• a generic card with a customer-assigned grid
• a customer card with a customer-assigned grid
For more information on this topic, see the Entrust IdentityGuard Card Production
Service User Guide.
Table 22: Factors that influence the cost of grid card production
Secure email
You can transmit the Entrust IdentityGuard production file as an attachment in a
secure email using S/MIME or PGP. This ensures that only the intended recipient can
open the file for subsequent processing. You can also digitally sign the email to
validate your identity. This technique is simple to employ and uses well-understood
technology, if you have a secure email system.
Secure FTP
You can transmit the Entrust IdentityGuard production file using an encrypted FTP
session. The data is encrypted in transit and, depending on the implementation, may
also be digitally signed for integrity. It requires the receiving organization to set up a
secure FTP server and to provide access to the sending organization. While the setup
may take longer than SSL or secure email, secure FTP allows for automated
transmission, which is important in very large deployments.
End-to-end encryption
An alternative to secure FTP is to encrypt and digitally sign the Entrust IdentityGuard
production file prior to transmission. You can then transmit the file by any available
means (for example, HTTP, email, or FTP), because only the intended recipient can
open the file for subsequent processing. The recipient can be a person who will
submit the file for processing, or an application that decrypts the file immediately
before processing it. This technique provides the broadest security for the Entrust
IdentityGuard production file, but this technique requires careful planning to
implement. Consideration needs to be given to the management of the encryption
keys, which can be assisted with the use of a public key infrastructure (PKI).
125
Using tokens for authentication
Users can authenticate to Entrust IdentityGuard using tokens. Once Entrust
IdentityGuard and users are set up to accept tokens, users must enter a dynamic
password (the random number generated by a token device) in response to an
Entrust IdentityGuard token challenge.
Your application is not limited to one type of token or one token vendor. You can
configure Entrust IdentityGuard to use a wide range of tokens. The default
installation of Entrust IdentityGuard supports Entrust tokens. Each user can have a
current and a pending token at the same time, and they do not have to be from the
same vendor.
Assigning tokens
A master user or administrator assigns tokens to users. Tokens have the same states
as grid cards (pending, hold_pending, current, hold and canceled). Only tokens that
are in the pending and current states are used for authentication. Token states have
the same transition behavior as for grid cards. For more information on token states,
see the Entrust IdentityGuard Administration Guide.
User tokens do not have an expiry date or a superseded date. Any token can be
unassigned and added back to the unassigned tokens list.
Token self-activation
Users can activate their own tokens. When the user receives the token, they must
activate it. The user authenticates (with for example, a user name and password) to
a self-registration Web site. The user enters the serial number of the token; however,
they must also authenticate using the token to demonstrate that they possess the
physical device. After successful authentication, the token is activated. If the
authentication fails, the token is unassigned.
Deploying knowledge-based
authentication
This chapter provides deployment information for knowledge-based authentication
(questions and answers). Typically, you integrate Entrust IdentityGuard with your
current knowledge-based authentication application.
To make it easier for users, you can use questions and answers for additional
authentication rather than for your main second-factor authentication method. For
example, use machine authentication for the user’s normal login location and reserve
the questions for when the user logs in from a different machine.
This chapter contains the following sections:
• “Question requirements” on page 130
• “Challenge requirements” on page 135
• “Security considerations” on page 137
Note: Many concepts discussed in the following sections were first presented by
Mike Just in “Designing and Evaluating Challenge-Question Systems” IEEE
Security & Privacy, vol. 02, no. 5, pp. 32-39, September-October, 2004.
129
Question requirements
This section provides you with information about how to create and select a set of
questions for your users to answer.
This section contains the following topics:
• “Sources of questions” on page 130
• “Creating good questions” on page 131
• “Selecting a set of questions” on page 133
Sources of questions
There are several methods for developing the questions for knowledge-based
authentication. The methods are discussed in Table 23.
Method Considerations
Generated codes • Examples include auto-generated PVNs, PINs, or TANs (transaction
numbers)
• Represents a simple form of question
• Applies to existing users and is extremely useful for encouraging
them to register for new services
Transaction data • Examples include the date and balance of a recent statement.
• Client applications must extract the data from an existing database
to form the questions
• Permits an organization to use information that is already known
about users as a part of knowledge-based authentication.
• Requires client applications to use Entrust IdentityGuard’s
Administration API (see the Entrust IdentityGuard Programming
Guide for more information). This custom application executes the
necessary Entrust IdentityGuard calls to import and manage the data
on a per user basis. Entrust Professional Services can help
organizations with this type of customizing task. For contact
information, see “Obtaining technical assistance” on page 15.
Prepopulated lists • May be necessary to have users register their own questions and
answers. It is recommended that your application present users with
a stock list of questions from which they make selections and provide
answers.
• Gives your organization control over the questions to ensure they
meet criteria for privacy, security, and usability. See “Creating good
questions” on page 131.
Method Considerations
User-generated • Allows users to enter their own question-and-answer challenges (not
recommended).
• Users generally do not write well-formed questions.
• Users tend to forget the answers to their own questions more
frequently than stock questions.
• In a design that uses multiple question-and-answer sets, it may make
sense to allow one question and answer that is composed entirely by
the user.
Criteria Considerations
Privacy • Organizations are subject to legislation and regulations relating to
the collection, storage, control, and handling of personal
information.
• It is prudent to avoid personal information when building a
knowledge-based authentication system.
• Construct the information collected for question-and-answer sets so
that it is used exclusively for authentication purposes.
Security • Construct questions so that the answers are both difficult to obtain
and difficult to guess.
• For privacy reasons, do not rely on personal information such as
names, family histories and birth dates. Identity thieves regularly find
or steal personal information, rendering the reliability of personal
information almost useless.
• Avoid questions that have a limited number of realistic answers. For
example, What is my eye color? would not require many attempts
to guess a correct answer.
Criteria Considerations
Usability • Knowledge-based authentication must be simple and easy for users
to use.
• The questions should have a wide applicability to the organization’s
users. For example, the question What is the name of my first pet?
only applies to pet owners.
• An answer must be easily recalled for the question to be useful.
Questions that reflect user’s habits, regular activities, or practices
generally meet this criteria.
• Answers need to remain constant for the question to be of value.
Questions that prompt for a “favorite” may have different responses
over time, while those that ask for a “first” should not change.
• A user must be able to enter a correct response each time. This is
discussed under “Challenge accuracy” on page 135.
Sample questions
The following are some examples of good questions:
What is your spouse’s middle name? What is your oldest sibling’s nickname?
What is your favorite restaurant? What is your maternal grandmother’s middle
name?
What is your best friend’s first name? What is your oldest child’s middle name?
Who is your favorite fictional character? What is your youngest child’s nickname?
What is the middle name of your oldest Which sports team did you like most as a
sibling? child?
What is the first name of your oldest nephew? What is your paternal grandmother’s first
name?
What is your paternal grandfather’s first name? What was the first name of your favorite
teacher in final year of high school?
What was the name of your first On what street did your best friend in high
girlfriend/boyfriend? school live? (enter full name of street only)
What is the first name of your spouse’s father? What is the first name of your oldest niece?
What is the first name of the Maid of Honour When is your wedding anniversary? (Month
at your wedding? and Year only)
What is the first name of the Best Man at your What is your paternal grandfather’s middle
wedding? name?
Challenge size
You may want a different number of questions presented based on the type of access
or transaction the user requires. For example, access to a company information portal
could require two questions while access to a online investment site could require four
questions. It is recommended that a user answer at least three questions.
You set the minimum and maximum number of required questions in Entrust
IdentityGuard policy, and then set the exact number of questions for each
authentication scenario in your application. Your application must present a number
of questions between the minimum and maximum, and take into account the number
of wrong answers allowed (if applicable).
Challenge accuracy
Once you have determined how many questions a user must answer to authenticate,
you must determine how accurate a user’s answers must be.
139
Life cycle management overview
This section describes the high level processes for managing the life cycle of Entrust
IdentityGuard users. Since Entrust IdentityGuard is a multifactor authenticator, a user
account must already exist in the first-factor authentication application (for example,
user name and password). No assumptions are made about the organization’s
procedures for managing user accounts.
User life cycle management consists of the following stages and processes:
• enrollment
This is the initial stage where users enroll for the Entrust IdentityGuard
service. See “Enrollment” on page 142.
• usage
This is the normal operations stage where users login to your organization
through Entrust IdentityGuard. See “Usage” on page 144.
• renewal
This is an ongoing stage where users are issued new Entrust IdentityGuard
grids (on new cards), tokens, personal verification numbers (PVN) or
questions to replace older ones. See “Renewal” on page 145.
• replacement
This covers the handling of
– lost, stolen, damaged, and “left behind” Entrust IdentityGuard grid cards,
passcode lists, or tokens
– forgotten answers and PVNs
Users are issued temporary PINs (if using grid cards, lists, or tokens), or
receive replacement Entrust IdentityGuard grid cards, passcode lists or
tokens. See “Replacement” on page 146.
• delivery and activation
This describes the processes to physically deliver Entrust IdentityGuard grid
cards, passcode lists, or tokens and activate the authentication method for
each user. It does not apply to the nonphysical authentication methods, such
as knowledge-based questions and answers, or one-time passwords. See
“Delivery and activation” on page 149.
• maintenance
This describes the processes to
– Remove stale or idle grid cards or tokens from the Entrust IdentityGuard
system. This includes grid cards, lists or tokens that are cancelled, never
activated, or unassigned, as well as those assigned to terminated user
accounts.
– Update graphics or images used for organization authentication.
Attention: The cancellation process is irreversible for grid cards, passcode lists,
and tokens. Once they are cancelled, they can never be used again.
Deliver card or
token to user
From
enrolment ,
replacement ,
or renewal
Deliver card or User pickup Activate
token to central (Verify identity, authentication
service desk personalization ) method
153
Architecture overview
There are three levels of baseline architecture in this section: evaluation, standard and
high availability.
Evaluation
Evaluation-level architecture:
• suits test and proof-of-concept environments
• is designed to be low cost to implement, by minimizing the required
equipment
• represents a limited environment that you can set up quickly for
proof-of-concept, investigation of functionality, and so on
• is not intended for production purposes
Assumptions:
• generally very small, ranging from a few users up to a hundred users
• used for test purposes only
• no firewalls
• no NTP service; clock is set manually
• typically resides within a development environment, or on an isolated
network segment
Standard
Standard-level architecture:
• suits production implementations from pilot phase through initial rollout
• lacks equipment redundancy; any standard environment should be
implemented with robust equipment to provide a moderately high level of
availability and performance
• represents production environments suitable for a medium volume
environment
• is more complex to set up than the evaluation architectures because of
firewalls and other security provisions
• uses separate servers for each function to support higher throughput
Assumptions:
• support for internal or external users
• generally moderate in size, supporting tens of thousands of users
• multiple firewalls create zones for increasing levels of security
High availability
High availability architecture:
• suits large scale production implementations that demand the highest levels
of availability and performance
• expands upon the standard configurations by adding redundancy for both
high availability and scalability
• is intended for production purposes in a high volume environment, whether
supporting internal or external users
Assumptions:
• offers higher throughput than standard baseline architectures
• includes redundant systems, links, trusted time sources, and data stores
• is more complex to set up because of the significant provision for security,
performance, and availability
• deployments are generally large, supporting millions of users
• uses load-balancers to achieve high availability for Entrust IdentityGuard
• user session “stickiness” configured on load-balancers to provide the ability
to consistently bring a user back to the same Entrust IdentityGuard Server
• can be based on SSL session ID, IP address, cookie, or HTTP redirection
This feature is required in a multiple Entrust IdentityGuard Server architecture
where challenge-response caching is used. Since this feature eventually
becomes the second-factor authentication repository, consider scaling the
second-factor authentication repository. Entrust IdentityGuard supports
users in multiple repositories.
Requirements
• directory or database with user repository
• Entrust IdentityGuard Server
• Web server or application server running an application that controls
first-factor authentication (user name and password) and manages the
repository
• client with Web browser
Requirements
• directory and/or database on a dedicated server for the user repository
• Entrust IdentityGuard Server
• application server running an application that completes first-factor
authentication (user name and password) and manages the repository
(Entrust IdentityGuard can manage first-factor authentication if required)
• hard and soft firewalls creating a DMZ (demilitarized zone) for the Web
server, and protecting internal resources
Requirements
• replicated directories and/or databases for the user repository, set up in a
high availability or disaster recovery cluster
• Entrust IdentityGuard Servers
• load-balancers to divide the load among the various Entrust IdentityGuard
Servers
• Entrust IdentityGuard Radius proxies, configured on the Entrust
IdentityGuard Servers
• a cluster of first-factor authentication resources, such as Radius servers,
domain controllers, or LDAP directories (see “External authentication” on
page 40); optionally, Entrust IdentityGuard can manage first-factor
authentication
• VPN devices (IPsec or SSL)
• clients with VPN connection (dial-up, wireless, and so on)
• administrators to manage Entrust IdentityGuard users
Wireless access
point
LDAP or database
repository
EAP supplicant
Entrust IdentityGuard
Server with Radius
proxy
Requirements
• wireless access point
• LDAP directory or database user repository
Firewall
Distributed LDAP or
database repository
Access server
EAP supplicant supporting RAS and
EAP
Entrust IdentityGuard
Administrator Server with Radius
proxy
Requirements
• wireless access point
• distributed LDAP directory or database user repository
• Entrust IdentityGuard Server and the Radius proxy
• an administrator to manage Entrust IdentityGuard users
Distributed LDAP or
database repository
Entrust IdentityGuard
Server with Radius
proxy
Entrust IdentityGuard
Server with Radius
Administrator proxy
Requirements
• wireless access point
• replicated and distributed LDAP directory or database user repository
• multiple Entrust IdentityGuard Servers with the Radius proxy
• an administrator to manage Entrust IdentityGuard users
Requirements
• Active Directory with user repository
• Domain controller (you can install it on the same machine as the user
repository)
• Entrust IdentityGuard Server
• Microsoft Routing and Remote Access Service (RRAS) with Internet
Authentication Service (IAS)
Firewall Firewall
Distributed domain
with Active Directory
Entrust IdentityGuard
Administrator
Server
Requirements
• distributed domain configuration with user repository
• Entrust IdentityGuard Server
• Microsoft Routing and Remote Access Service (RRAS) with Internet
Authentication Service (IAS)
Note: In any remote-access configuration shown in this section, you can set up
an architecture in which the IAS is enabled on a different computer than the
RRAS is. In that instance, you need to install the Remote Access Plug-in on the
computer hosting the IAS.
Requirements
• distributed domain configuration with replicated user repository
• Entrust IdentityGuard Servers
• load-balancers to divide the load between the Entrust IdentityGuard Servers
• Microsoft Routing and Remote Access Service (RRAS) with Internet
Authentication Service (IAS)
• Entrust IdentityGuard Remote Access Plug-in for Microsoft Windows Server
installed on the IAS computer
• client with Microsoft Remote Access capabilities
• hard and soft firewalls creating a DMZ (demilitarized zone) for the Remote
Access Server, and protecting internal resources
• an administrator to manage Entrust IdentityGuard users
Access server
supporting RAS and
EAP
LDAP or database
repository
Entrust IdentityGuard
Server with Radius
proxy
Requirements
• an LDAP directory or database user repository
• Entrust IdentityGuard Server and the Radius proxy
• access server supporting Remote Access Service (RAS) and EAP
Requirements
• distributed LDAP directory or database user repository
• Entrust IdentityGuard Server and the Radius proxy
• access server supporting Remote Access Service (RAS) and EAP
• remote Microsoft Windows client supporting EAP
• hard and soft firewalls creating a DMZ (demilitarized zone) for the RAS, and
protecting internal resources
Distributed LDAP or
database repository
Entrust IdentityGuard
Server with Radius
proxy
Requirements
• replicated and distributed LDAP directory or database user repository
• multiple Entrust IdentityGuard Servers with the Radius proxy
• access server supporting Remote Access Service (RAS) and EAP
• remote Microsoft Windows client supporting EAP
• load-balancers to divide the load among the Entrust IdentityGuard Servers
Requirements
• Active Directory with user repository
• domain controller (you can install it on the same machine as the user
repository)
• Entrust IdentityGuard Server
• Entrust IdentityGuard Desktop for Microsoft Windows installed on a
computer
Requirements
• distributed domain configuration with user repository
• Entrust IdentityGuard Server
• firewall
• Entrust IdentityGuard Desktop for Microsoft Windows installed on users’
computers
• an administrator to manage Entrust IdentityGuard users
Firewall
Distributed domain
Entrust IdentityGuard with Active Directory
Desktop for Microsoft
Windows
Entrust IdentityGuard
Load -balancing
cluster
Administrator
Entrust IdentityGuard
Requirements
• distributed domain configuration with replicated user repository
• Entrust IdentityGuard Servers
• load-balancers to divide the load among the various Entrust IdentityGuard
Servers
• firewall
181
Entrust IdentityGuard grid card usability study
For organizations that want a strong authentication solution that is easy to use and
easy to deploy, the results of this study show that Entrust IdentityGuard grid
authentication is an ideal candidate. Built and supported by security experts from
Entrust, Entrust IdentityGuard delivers a highly secure way of strongly authenticating
users, whether in a consumer situation that demands increased protection against
identity theft, or an enterprise situation that is looking to strengthen security for
applications like remote access or desktop authentication.
This section contains the following topics:
• “Usability test summary” on page 182
• “Objective” on page 182
• “Methodology” on page 183
• “Usability test results” on page 183
Objective
The objective of the study was to assess the overall usability of Entrust IdentityGuard
grid authentication in both consumer and enterprise deployment scenarios. In
addition, the study looked to maximize the usability of Entrust IdentityGuard grid
authentication by formally testing various design implementations of:
• the coordinates table
For example, the number of cells and the visual delineation of rows and
columns.
• the login screen design and challenge process flow
Methodology
The test had two separate execution phases, focusing independently on a consumer
environment through Web testing and an enterprise environment for desktop
authentication. It should be noted, that although desktop authentication was tested
only for enterprise users, the expectation is that similar excellent results would be
achieved for using Entrust IdentityGuard grid authentication for remote access
applications like IP/SEC or Enterprise methodology.
The enterprise test was conducted using a face-to-face interview technique. Desktop
authentication with Entrust IdentityGuard grid cards was used as the method of
understanding the usability in the enterprise, with the assumption that usability of
Entrust IdentityGuard grid cards for remote access would be similar. The same Entrust
IdentityGuard grid options that were used for the consumer testing were used for the
enterprise testing.
Key details of the testing include:
• Seventeen people from a medium sized enterprise were tested in a focus
group environment.
• An Entrust IdentityGuard temporary PIN was used as an alternative to an
Entrust IdentityGuard challenge in order to assess usability in situations
where a user has lost or forgotten their Entrust IdentityGuard grid card.
1st try
71%
General guidelines
You can increase probability of initial successful grid challenge response if you:
• Provide first time users with written instructions that graphically depict how
to use the grid card and login procedure.
• Provide access (using a corporate Intranet or training center) to instruction
materials (such as a multimedia demonstration of how to use the grid for that
particular application) describing how to use an Entrust IdentityGuard grid
card.
Fonts
Given that the different fonts used in the test did not affect usability, it is
recommended that you choose the font within the following guidelines to ensure a
high level of usability:
• Use fonts that people are generally familiar with (Arial, Verdana, Helvetica,
and Times lend themselves to better readability).
At small sizes, Verdana offers bigger looking characters at the same point size
as other fonts.
• Use a sufficient character point size to ensure readability. A minimum of
11-point is recommended.
Use of color
Given that the different fonts used in the test did not affect usability, it is
recommended that customers choose the font within the following guidelines to
ensure a high level of usability:
• Avoid color combinations that create a tendency to “vibrate.”
189
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
overview 68 G
planning 67
desktop architecture Getting help 15
evaluation 176 grid
high availability 178 automating 124
standard 177 cell entropy 105
Desktop for Microsoft Windows 28 cell format 104
directory repository 89 challenge 42
disaster recovery 94 challenge algorithm 108
distribution of grid cards and tokens 149 challenge size 45, 107
deployment risks 45
distribution 110
E format 104
lifetime 45, 105
email, secure 123
location replay 52
end user. See user
one-step authentication 43
end-to-end encryption 123
enrollment 142 passcode list 45
replacement 105
from LDAP repository 142
sample passcode list 46
LDAP users 89
Entrust IdentityGuard Administration service 26 serial number 52
size 45, 104
Entrust IdentityGuard Desktop for Microsoft Windows 28
two-step authentication 44
Entrust IdentityGuard ISAPI filter 30
Entrust IdentityGuard Radius proxy 27 grid authentication 42, 103
grid card
Entrust IdentityGuard Remote Access Plug-in 29
Braille 118
Entrust IdentityGuard Server 24
Entrust tokens 41, 125 cost factors 121
production 118
evaluation architecture 154
production model 109
external authentication 40
security 117
usability study 181
F grid card production
costs 121
failover 94 Entrust IdentityGuard Card Production Service 121
advanced multi-site 99 in-house 118
geographically-dispersed repositories 97 outsourced 119
local repository 97 Grid card production service 121
multi-site 98 grid card usability study 181
Radius server 100 recommendations 185
repository 96 results 183
scenarios 94 summary 182
file transmission 123 grid production model 110
with end-to-end encryption 123 group 79
with secure email 123
with secure FTP 123
with SSL 123 H
fingerprint, machine fingerprint 60
first-factor authentication 19, 27, 40 high availability
architecture 155
flash object for machine authentication 55
failover scenarios 94
FTP 123
Index 191
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
operations 71 recovery 71
organization authentication remote access architecture
See mutual authentication evaluation 172
OTP, see one-time password high availability 174
out-of-band standard 173
authentication 49 Remote Access Plug-in 29
password delivery 50, 51 renewal of authentication factors 145
replacement of authentication factors 146
replay
P grid values 52
passcode list image 53
authentication 45 message 53
challenge 46 serial number 52
deployment risks 47 repository 26
length 47 database 90, 96
production 47 directory 89, 96
sample 46 failover 27
scratch cards 47 performance and maintainability 90
password authentication 39 selecting 89
people needed for deployment 70 synchronization 151
performance repository failover 96
repository 90 geographically dispersed 97
testing 91 local 97
performance testing 91 RRAS user 31
pharming 45
phishing 45
physical security 72
S
planning deployment of Entrust IdentityGuard 67 sample Web application 37
policies 69 scratch cards for passcode list 47
preproduction model, grid cards 114 search bases 81
produce-and-assign model 110 second-factor authentication 34
producing grid cards 118 secure email 123
production file secure FTP 123
pre-production model 114 sequence nonce 55
transmitting 123 shared secrets 88
Professional Services 16 SNMP monitoring 71
SSL
securing user responses 25
Q transmitting files 123
question and answer. See knowledge-based authentication standard architectures 154
strong authentication 18
system monitoring 71
R
Radius proxy 27, 39, 86 T
Radius server
authentication 39 TAN. See passcode list
failover 100 Technical Support 15
random challenge 108 technology 68
U
usability study, grid cards 181
user 31
enrollment 89, 142
groups 79
life cycle 139
locking out 77
Microsoft Windows 31
requirements 75
RRAS 31
services 77
suspending 78
training 76
VPN 32
Web 32
user enrollment from LDAP repository 89, 142
user ID 75, 76
V
VPN architecture
evaluation 160
high availability 162
standard 161
VPN user 32
194 IdentityGuard Deployment Guide Document issue: 1.0
Feedback on guide