DynaPass(TM) Wireless Secure Access

Introduction
Security based on passwords is a frequently debated topic, and there are some important questions you should ask yourself. Some examples can be:

How much of the risk is related to the human factor?
- How do people treat their passwords?
- Does everyone really pick safe passwords?
- Do people "lend" their password to colleagues?
- Does everyone realize the importance in protecting passwords?
- Does everyone realize what can happen if a password gets into wrong hands?
- Can we be certain that somebody entering the correct password and username is really authorized to access the system e.g Strong authentication?

What will happen if we increase the requirements?
- All users will see this as a burden.
- If people forget their password today, just imagine what will happen after the increased security standards regarding passwords and the cost for this.
- Users will try to find loopholes and workarounds.

The challenge lies in creating a process around passwords that is very hard to copy and still be user friendly. The whole point with this process is to make life easy for the users and at the same time very tough for trespassers.

The conclusion has to be that we have to create better support for the users and remove the risks related to them while the system creates a higher security level.

We will cover a number of aspects around passwords/one-time passwords and at the end how we see how DynaGate™ can increase the security standards.

Background on passwords and how they are being handled
Today we protect our system and resources by applying different technologies to increase security and to be able to lock out trespassers from sensitive information. Companies and organisations are installing functions, structuring their resources, and creating routines and processes to accomplish the required security level.

At the same time we are getting more vulnerable since we are opening our systems to be able to work in a more mobile environment. In addition to this there is a strong movement to open up and provide access to information by external companies and users. The reason for this is a need for collaboration, which will give tremendous business benefits to the companies.

A major part in the security area is to be able to securely authorize a user. In many cases the only way is to rely on the combination of username and the password, which does not guarantee anything at all. It can be stolen,

borrowed or even cracked.

A password isn't only about technology; it incorporates human beings because it has to be handled by users. If you set the requirements too high then people will violate them by writing passwords down, pick easy and obvious ones just because they can't remember them otherwise. In many cases users lend out their passwords to colleagues, who can use them later on or even guess the password you will set the next time.

It is very common that user accounts are open for access 24 hours a day, 365 days a year. This opens up the opportunity to use a "borrowed" password for a long time even outside working hours. In most cases no one will even notice this since the control mechanism stops when a valid username and password have been entered.

It is quite easy to create rules around password handling but there is absolute no guarantee that users will follow those. It can have the opposite effect where users start to write them down for instance. It is even harder when it comes to external users because you can't incorporate them easily in your company standards.

Up till now there has been a physical aspect of access because you need a key or a card to be able to enter the company premises and the workstation. Today we talk about mobile users and users within different organisations, which makes the physical aspect more and more obsolete.

The solution would be to use dynamic passwords and introduce this in a very user-friendly way to keep it simple for the users. This has to be done in a way, which doesn't create huge amount of administration and maintenance. This solution should be generic when it comes to different types of devices such as laptops, PDA, WAP-phones etc and not be dependent on you always having to use your own workstation.

Dynamic passwords, which are changed all the time, and a mechanism controlling that only authorized users get access to the password together with activation of the account, will guarantee the security.

Important aspects of passwords and user accounts
April System Design has taken a closer look at the challenge passwords present and found a number of important parts which has to be solved to provide security around passwords and identification of authorized users:

New and fresh passwords all the time.
No need to remember them.
Secure identification of authorized users.
User-friendly for both the user and the company.
Limitation in access to user accounts.

Most important is dynamic passwords which are created randomly so they cannot be calculated or easily cracked. This means that you can always use a fresh password, which is more or less impossible to remember.

Because this one-time-password or dynamic password will only be generated when you need it then there is no point writing it down. If you accidentally lose it, just order a new one.

The identification is based on something unique you posses and something only you know. The combination creates the strength in identification.

From the users point of view, ease of use is maybe the most important factor and a solution based on additional equipment is not really what they want. You can loose or forget this additional devices and it is one more thing you have to carry around. One often-neglected part is that some of the security solutions have to be maintained and protected by the user.

For the company it is important to get a system that doesn't change the processes or routines when it comes to handling of users and their accounts. Some alternative solutions incorporate investments in additional devices, which have to be maintained, and administrated. Other solutions require clients or software, which have to be installed on all workstations and upgraded from time to time.

If we compare "Limitation of access to user accounts" with your door to the company then it should be possible to actually remove the door when it's not needed and therefore there is no key to unlock the door. We can "create" the door temporarily and it can be only opened with your key. It will be there for limited time and then automatically disappear when you are ready.

Who needs dynamic passwords?
Different groups or type of users has different needs and requirements and if you simplify them slightly, you can divide them into four groups:

Mobile users - Users that needs to be connected regardless where they are. Can be salespeople, consultants, service staff etc.

Local users - People physically located in the office and connected trough the LAN.

External users - People with access to information or resources, which is located within other organisations. Can be Extranet solutions where partners or customers get access to information or resources.

Temporary users - Can be consultants hired by your company and they should only have access during daytime at certain days over a limited time.

It is quite natural to see Mobile users as the most vulnerable group and therefore most suitable for dynamic passwords. They are regarded as high risk due to their nature to roam around and not being protected by key or cards to enter the office. The idea with dynamic passwords is that they should be able to connect without violating the security standard, when it comes to passwords, regardless of chosen workstation.

Local users are important since people in general are not careful with passwords and it is easy for passwords to end up in wrong hands. A majority of "on site" security incidents can be related to this according to statistics. In many cases due to people writing down passwords, in other cases they have chosen a password that can be associated to something around the workstation. It is easier to catch a password on the LAN or even get the database with all passwords. Choosing to work with dynamic passwords for the local users increases the security. Furthermore for Mobile users it is easiest to use the same process both inside and out.

The number of External users increases all the time because of business solutions such as Extranet and other B2B solutions. This adds a different aspect since you have one part "owning" the information and one part using the information. This can create a problem if the "owning part" wants to protect the information on a higher security level than the users. This can affect the price for the protection and the usability of the system. Someone has to administer the system and if you put the burden on maintaining a software solution or hardware solution to the users, or their company, they have always the option to go away. It is not enough to have access based on company level, you should always aim at individuals because otherwise you can't keep track on users.

Temporary users can be consultants etc. hired by you and they should have limited access to systems and information during their working hours. They should be locked out when they are finished and it should be possible to set this from the beginning.

How can DynaPass be of assistance?
DynaPass is a dynamic password solution, which creates secure passwords and a secure handling of user accounts. The ambition has been to create a system which has no or minor impact on other parts in a secure solution.

Why choosing a Mobile phone as a client?
It is quite natural since there is a Smart Card in every Mobile phone (GSM). This Smart Card or SIM card is unique per each user. This SIM card is used for identifying the individual user. One other reason is that basically all Mobile users have already a Mobile phone, which they always carry around in the same way as their wallet and keys. This means that the users doesn't have to bring other devices, it's combined with the Mobile phone. Some other arguments;

No investments in tokens, card readers, finger scanners etc.
No extra administration since you already administer the Mobil phones.
No special software that has to be enrolled and maintained on all clients.
Freedom of choosing workstation.
You don't have to protect certificates etc.
Users don't normally forget to bring the Mobile phone along in the same way as for a separate security solution with tokens.
Users will detect the loss of a Mobile phone rapidly and therefore it is easy to keep up the security.
It is a clear trend that more and more employees are using a Mobile phone as the only phone, which gives the opportunity to increase the security for more and more people within the company.
Mobile Internet introduces new ways of connecting to different services via Mobile network. GPRS will increase the usage of these new services and the Mobile phone will play a central role. With DynaPass you will use the same equipment e.g. the Mobile phone.
There are combinations and hybrids of PDA and Mobil phones on the market today and we will see more in the future. With DynaPass you will use the same equipment.
Blue tooth will be built in into Mobile phones and will affect how we can connect to services in the future. With DynaPass you will use the same equipment.
New applications in Mobile phones such as biometric, certificates etc. This will increase the security for DynaPass even further.

DynaPass doesn't require special Mobile phones or SIM cards. The only requirement is that the Mobile phone can handle SMS. This is very important since it's always tricky to force users to adopt "special" Mobile phones.
Another aspect is that you don't have to replace existing Mobile phones in your company.

Is the Mobile phone safe?
The security in DynaPass is built up on a number of different levels and the possibility that all levels would fail at the same time is very unlikely. One part of the security lies in the fact that all of the Operators have a number of security mechanisms built in into their networks. The reason for this is to protect their services (including yours) and their revenue.

All Mobile phones (GSM) are protected by a SIM card and a PIN code. Without those it is impossible to use and connect the Mobile phone to a network and can't be used by this reason. It is impossible to gain access to information stored on the SIM card without the proper PIN code.

The network in terms of security encrypts all traffic in the air.

How safe is the combination DynaPass and Mobile phone?
The Mobile phone is protected by the mechanisms used by the Operator and if it is reported stolen, missing, or without proper PIN code it can't connect to the network. This means that it can't be used to get a password from DynaPass. Identities in a Mobile phone e.g. MSISDN number can't be faked.

In DynaPass you link users to their specific mobile phone numbers (MSISDN) and stores this in a database accessed by DynaPass. Every request from a Mobile phone comes as a SMS message, which includes originators mobile phone number. This request is checked by a search for corresponding mobile phone number in the DynaPass database and stored in a log file. If it is a valid number then it will be matched with the appropriate user. If it originates from a mobile phone number which is not in the database then it will be logged but no further actions will be taken.

All distribution of passwords is done to mobile phone numbers within DynaPass database as a precaution if someone finds a way so simulate the originating mobile phone number. The password will show up in the Mobile phone connected to the appropriate user.

As an optional enhancement of security, a secret part of the password is added. The individual users set this secret part and it is newer sent over the Mobile network. It is only the combination between the part given by the Mobile phone and the secret part that can give you access.

The secret part of the password cannot be found in the Mobile phone or in the computer. The part created by DynaPass will change all the time, which means that you don't have to change the secret part so often.

If someone will find your Mobile phone or find the password created by DynaPass they still need to know the secret part, how to log on, username etc. They have to find out all this in limited time since you can set for how long this password will be active and for how long the user account will be open.

If the Mobile phone is stolen, just report it to your helpdesk and they will deactivate your mobile phone number from DynaPass and report the loss to the Operator. The stolen Mobile phone, or rather SIM card, won't be able to connect to the mobile network and even if it could it can't request a password from DynaPass. The user can continue to log on with a temporary password or start using another mobile phone.

How does DynaPass work?
DynaPass is installed as a service on an existing Windows NT/Windows2000 server or in a dedicated server just for DynaPass.

Information about user accounts etc. is collected and synchronised with accounts in Windows NT, Active Directory or Novell eDirectory/NDS and DynaPass related objects such as MSISDN numbers, settings etc are added and stored in the database used by DynaPass.

Once the user accounts are activated, DynaPass will now administer the user accounts. Setting of new passwords and activation and de-activation of accounts will be handled by DynaPass according to the settings you have decided per users or groups. A major advantage with this is that you haven't changed anything in the procedures for logging in to the system so you can keep the existing systems such as VPN etc. All system capable of handling login to a Windows NT/Windows 2000 or Novell eDirectory/NDS can be used together with DynaPass.

Distribution and request of password can be done trough the mobile network (PLMN) utilizing SMS. There are different ways of connecting to mobile networks (PLMN) and the choice is based on cost and requirements. The easiest way is to connect a mobile phone directly to the server through a serial cable. The other way is to connect directly to the Operators SMS central, which can be done over Internet. The latter alternative is more suitable if there are many users involved.

Requesting a password from DynaPass.

The users request a password by sending a SMS message to DynaPass.
DynaPass checks that it is originated from an authorized mobile phone by searching in the DynaPass database and to which user account it is linked. If not authorized then DynaPass will not take any action except for logging the attempt. If it originates from an authorized mobile phone DynaPass randomly creates a password.
DynaPass sends the password to the mobile phone number found in the database. At the same time DynaPass updates Domain Controller with an identical password. If a secret part of the password is set then this part will be incorporated automatically. Finally, DynaPass activates the account according to your stipulated parameters.
Shortly after, normally after approx. 5 sec, the user receives his password in his mobile phone and can use this for logging on to the system. If the secret part is set the user just add this part to the password.

The process for sending out passwords is pretty much the same except for step, 1 and 2, which normally isn't required unless for example the user happened to delete the password in his mobile phone.

Summary
DynaPass is a security solution handling passwords and user accounts in a secure way. The mobile phone and the SIM card are used to authorize the users and provide them with a client for requesting and receiving passwords.

The simplicity for the user is very obvious since there are no additions in software clients, hardware devices or the fact that you don't have to remember any complicated passwords.
Important for the company or the organisation is that the security standards can be increased and still be manageable since there are no additional equipment or software needed in all the workstations. DynaPass is just a "add on" to existing infrastructure/ systems and reuses the mobile phone as a client for a security solution.

Se Frequent Questions and Answers