<p><strong>The WiKID Blog | WiKID Systems</strong> (<a href="http://www.wikidsystems.com/blog/">http://www.wikidsystems.com/blog/</a>, last updated 2024-01-05T18:13:16+00:00). The WiKID Blog, musings on two-factor authentication, information security and some other stuff.</p>
<p><strong>The latest WiKID version includes an SBOM</strong> (2024-01-05T18:13:16+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/the-latest-wikid-version-includes-an-sbom/">permalink</a>)</p>
<p>As of 6.2 and 5.4, we are including an SBOM in the WiKID RPM. It is located in /opt/WiKID. We have embedded the process in our build system so we can quickly see if any of the libraries we use have any known vulnerabilities. Needless to say, this greatly enhances the security of our product. Even if you never look at the SBOM file, we do!</p>
<p> Please update to the latest! If you have an older version, see how to <a href="http://www.wikidsystems.com/support/installation-how-tos/how-to-move-your-users-and-data-to-the-new-wikid-server/" title="Move your WiKID users to a new server">move all your users to a new WiKID server</a>.</p>
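<p>The build-system check the post describes, matching an SBOM against known-vulnerable version ranges, looks roughly like the following. This is an added illustration, not WiKID's build tooling: the SBOM is a constructed document in CycloneDX JSON layout (an assumption; the post does not say which SBOM format WiKID ships), and the advisory list is hand-written, with the Log4Shell entry taken from the CVE the blog mentions elsewhere and the second entry an obviously labelled placeholder.</p>

```python
"""Match an SBOM's components against known-vulnerable version ranges.

Added illustration, not WiKID's build-system code.  The SBOM below is a
constructed CycloneDX-style JSON document and ADVISORIES is a hand-written
stand-in for a real vulnerability feed."""
import json

# Constructed SBOM fragment in CycloneDX JSON layout (assumption: the page does
# not state WiKID's real SBOM format).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "org.example", "name": "widget", "version": "1.3.0"}
  ]
}
"""

# Hand-written advisory feed.  CVE-2021-44228 (Log4Shell) affects log4j-core
# from 2.0-beta9 up to and including 2.14.1, expressed here as [2.0, 2.15.0).
# EXAMPLE-0001 is a constructed placeholder, not a real advisory.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0001", "group": "org.example",
     "name": "widget", "introduced": "1.0.0", "fixed": "1.4.0"},
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); '2.0-beta9' becomes (2, 0) because only
    the leading digits of each dotted piece are used."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(version, width=4):
    return version + (0,) * (width - len(version))


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range)."""
    v, lo, hi = (_pad(parse_version(x)) for x in (version, introduced, fixed))
    return lo <= v < hi


def find_vulnerable(sbom_json, advisories):
    """Return (name, version, advisory id) for every component in a vulnerable range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {advisory}")
```

<p>The same loop, run in CI against the generated SBOM and a current advisory feed, is what lets a vendor notice a vulnerable dependency at build time rather than after a customer asks.</p>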
<p><img alt="software bill of materials output" height="274" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/sbom.png/sbom-900x274.png" width="900"/></p>
<p><strong>WiKID 6 is released!</strong> (2022-12-08T18:43:02+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/wikid-6-is-released/">permalink</a>)</p>
<p>We are pleased to announce the release of Version 6 of the WiKID Strong Authentication server. The new ISO is based on Rocky 9. It offers unparalleled security and scalability. All the supporting packages for WiKID have been upgraded as well.</p>
<p>We have also released a tool "migrator.jar" which will easily allow current 5.x or earlier users to migrate to the new platform.</p>
<p>WiKID's OTP-based system is not susceptible to "MFA Fatigue" attacks because the user must initiate the process, not the server.</p>
<p>WiKID is ideally suited for companies that need two-factor authentication for AD admins with its non-invasive native AD protocol. In addition, it can perform password-reset using two-factor authentication.</p>
<p>Please <a href="http://www.wikidsystems.com/downloads/the-fastest-way-to-two-factor-authentication/">download the latest server and give it a spin!</a></p>
<p><strong>Log4j CVE-2021-44228</strong> (2021-12-13T16:04:58+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/log4j-cve-2021-44228/">permalink</a>)</p>
<p>We are fairly confident that we are not vulnerable to the Log4j bug, but we will be releasing an update soon with an updated version of Log4j. Stay tuned.</p>
<p>EDIT: Please download 5.1.4-b2090 for the log4j update as well as a few other libraries.</p>
<p><strong>Questions about 2FA for AD admins</strong> (2021-06-08T18:43:07+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/questions-about-2fa-for-ad-admins/">permalink</a>)</p>
<p>We've recently had more questions about deploying WiKID for <a href="http://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/" title="Native two-factor authentication for Active Directory">two-factor authentication for AD admins</a> to thwart potential privilege escalation in ransomware attacks. We've <a href="http://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/">done a proof-of-concept showing that WiKID can make privilege escalation quite difficult</a>. We realized that we missed a key question about deploying two-factor authentication for admins: how do I know I won't lock out all my admins? That's a damn good question. And here's the answer:</p>
<p>When an admin requests a one-time password from WiKID, it overwrites the current AD password with the OTP. The admin logs in, and after the OTP expires WiKID overwrites the AD password with a random long string. No one knows the value of this string and it's never used on the network. If Mimikatz or any other pass-the-hash malware attempts to log in with the OTP, it will fail. It should also trigger an alarm that there's something nasty in your network.</p>
<p>The WiKID server is really just acting like a password reset service (and yes, we have that functionality too). In order to 'turn off' two-factor for any account, just manually replace the random string with a password for that user. Obviously, you want these account credentials secured and not used remotely.</p>
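<p>The password lifecycle described above can be modelled in a few lines, which makes the "attack window" concrete: a hash captured while the OTP is live works until expiry and not a second longer. This is an added toy model, not WiKID's code; it assumes a directory that stores one hash per account and uses a SHA-256 digest of the password as a stand-in for the NT hash a domain controller actually stores (the real hash function is irrelevant to the point being shown).</p>

```python
"""Toy model of OTP-as-AD-password with rotation on expiry.

Added illustration, not WiKID's code.  Assumptions: the directory is a dict of
per-account password hashes, and SHA-256 over the UTF-16LE password stands in
for the NT hash.  Account names are constructed."""
import hashlib
import secrets
import string

OTP_LIFETIME_SECONDS = 60   # the configurable window the post calls the attack window


def password_hash(password):
    # Stand-in for the NT hash the domain controller stores.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


class Directory:
    """Toy directory: account name -> stored password hash."""

    def __init__(self):
        self.hashes = {}

    def set_password(self, account, password):
        self.hashes[account] = password_hash(password)

    def check_hash(self, account, presented_hash):
        # Pass-the-hash authenticates with the stored hash itself; no plaintext needed.
        return self.hashes.get(account) == presented_hash


class OtpService:
    """Models the server side: write an OTP into the directory, retire it on expiry."""

    def __init__(self, directory, lifetime=OTP_LIFETIME_SECONDS):
        self.directory = directory
        self.lifetime = lifetime
        self.active = {}   # account -> expiry time (seconds)

    def issue_otp(self, account, now):
        # Mixed-class alphabet so the OTP satisfies a typical AD complexity policy.
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        otp = "".join(secrets.choice(alphabet) for _ in range(16))
        self.directory.set_password(account, otp)
        self.active[account] = now + self.lifetime
        return otp

    def expire(self, now):
        """Called periodically: replace every expired OTP with a random value
        that is never sent to anyone, so the old hash is valid nowhere."""
        for account, expiry in list(self.active.items()):
            if now >= expiry:
                self.directory.set_password(account, secrets.token_urlsafe(48))
                del self.active[account]

    def disable_two_factor(self, account, static_password):
        """The manual 'turn off' from the post: hand the account a known password again."""
        self.active.pop(account, None)
        self.directory.set_password(account, static_password)


def replay_outcomes(lifetime=OTP_LIFETIME_SECONDS):
    """Issue an OTP, keep its hash, and test it one second before and at expiry.
    Returns (works_inside_window, works_after_window)."""
    directory = Directory()
    service = OtpService(directory, lifetime)
    otp = service.issue_otp("example_admin", now=0)
    captured = password_hash(otp)            # what a credential dumper would obtain
    service.expire(now=lifetime - 1)
    inside_window = directory.check_hash("example_admin", captured)
    service.expire(now=lifetime)
    after_window = directory.check_hash("example_admin", captured)
    return inside_window, after_window


if __name__ == "__main__":
    print("replay works inside/after window:", replay_outcomes())
```

<p>The only knob that matters for exposure is <code>lifetime</code>: shortening it shrinks the window, and the rotation on expiry is what turns a stolen hash into a dead credential rather than a standing one.</p>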
<p><strong>WiKID Android tokens had their data deleted over the weekend by Google Chrome bug</strong> (2019-12-16T15:53:50+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/wikid-android-tokens-had-their-data-deleted-over-the-weekend-by-google-chrome-bug/">permalink</a>)</p>
<p>If you woke up Monday morning to a number of upset and confused Android token users, we apologize. We did too. Over the weekend Google released an update to Chrome that included <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1033655#c19">a bug that deleted other apps' localStorage</a>. Unfortunately, the data is gone. The users will need to be re-registered. The new version was rolled out to 50% of Android users. Google is still working on a fix. They are not sure if the user data can be restored. We will update as we learn more.</p>
<p><strong>Scalability improvements in version 5.0 of the WiKID Strong Authentication server</strong> (2019-11-26T17:39:56+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/scalability-improvements-in-version-50-of-the-wikid-strong-authentication-server/">permalink</a>)</p>
<p>Our recent 5.0 release focused on speed and scalability, as well as adding a RESTful version of our API and <a href="http://www.wikidsystems.com/downloads/enterprise-changelog/" title="Changelog">other enhancements</a>. The speed improvements are truly impressive.</p>
<p>Here's a 2-CPU VirtualBox VM with 6 gigs of RAM running our previous 4.2 release:</p>
<table border="1" style="height: 197px;" width="308">
<tbody>
<tr>
<td><strong>Transactions</strong></td>
<td><strong>TX/Second</strong></td>
<td><strong>TX/Hour</strong></td>
</tr>
<tr>
<td>10,000</td>
<td>558</td>
<td>33,495</td>
</tr>
<tr>
<td>10,000</td>
<td>627</td>
<td>37,667</td>
</tr>
<tr>
<td>10,000</td>
<td>654</td>
<td>39,256</td>
</tr>
<tr>
<td>10,000</td>
<td>647</td>
<td>38,847</td>
</tr>
<tr>
<td><strong>Average</strong></td>
<td><strong>621</strong></td>
<td><strong>37,317</strong></td>
</tr>
</tbody>
</table>
<p>So, an average of 621 transactions per second. A transaction here includes a small number of registrations of new users and a large number of authentications.</p>
<p>Now, let's update the same server to 5.0:</p>
<table border="1" style="height: 167px;" width="308">
<tbody>
<tr>
<td><strong>Transactions</strong></td>
<td><strong>TX/Second</strong></td>
<td><strong>TX/Hour</strong></td>
</tr>
<tr>
<td>10,000</td>
<td>1,281</td>
<td>76,889</td>
</tr>
<tr>
<td>10,000</td>
<td>1,319</td>
<td>79,188</td>
</tr>
<tr>
<td>10,000</td>
<td>1,394</td>
<td>83,676</td>
</tr>
<tr>
<td>10,000</td>
<td>1,377</td>
<td>82,658</td>
</tr>
<tr>
<td><strong>Average</strong></td>
<td><strong>1343</strong></td>
<td><strong>80,603</strong></td>
</tr>
</tbody>
</table>
<p>That's a 116% improvement! And you can do 1,343 transactions per minute on a 2-CPU box! Note that the stress tester is running on the same server as the VM, so real-life performance will be better. Now, what about a larger server? To test this, we installed the WiKID RPMs on a t3a.2xlarge server with 8 CPUs and 32 gigs of RAM.</p>
<p>Here's the performance under 4.2:</p>
<table border="1" style="height: 167px;" width="308">
<tbody>
<tr>
<td><strong>Transactions</strong></td>
<td><strong>TX/Second</strong></td>
<td><strong>TX/Hour</strong></td>
</tr>
<tr>
<td>10,000</td>
<td>5,155</td>
<td>309,318</td>
</tr>
<tr>
<td>10,000</td>
<td>5,025</td>
<td>301,558</td>
</tr>
<tr>
<td>10,000</td>
<td>5,026</td>
<td>301,563</td>
</tr>
<tr>
<td>10,000</td>
<td>5,068</td>
<td>304,082</td>
</tr>
<tr>
<td><strong>Average</strong></td>
<td><strong>5,068</strong></td>
<td><strong>304,130</strong></td>
</tr>
</tbody>
</table>
<p>Pretty impressive, but let's see how 5.0 does:</p>
<table border="1" style="height: 167px;" width="308">
<tbody>
<tr>
<td><strong>Transactions</strong></td>
<td><strong>TX/Second</strong></td>
<td><strong>TX/Hour</strong></td>
</tr>
<tr>
<td>10,000</td>
<td>13,522</td>
<td>811,322</td>
</tr>
<tr>
<td>10,000</td>
<td>15,230</td>
<td>913,844</td>
</tr>
<tr>
<td>10,000</td>
<td>14,862</td>
<td>891,729</td>
</tr>
<tr>
<td>10,000</td>
<td>13,834</td>
<td>830,047</td>
</tr>
<tr>
<td><strong>Average</strong></td>
<td><strong>14,362</strong></td>
<td><strong>861,736</strong></td>
</tr>
</tbody>
</table>
<p>That's a 185% improvement! And a significant number of authentications per minute.</p>
<p>You can download the latest version of the WiKID Strong Authentication server <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/" title="MFA Server">here</a>.</p>
<p><strong>5.0 Released!</strong> (2019-11-21T15:23:55+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/50-released/">permalink</a>)</p>
<p>We've <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/" title="Download the WiKID Server">officially released version 5.0 of the WiKID Strong Authentication Server</a>. There are <a href="http://www.wikidsystems.com/downloads/enterprise-changelog/" title="Changelog">numerous improvements in this release</a>, most under the hood. Speed is dramatically increased. We have set up a separate logging system so that logs no longer go into the postgres database. We have also fine-tuned the WiKIDAdmin web UI to increase speed and reduce overhead.</p>
<p>For customers that use our API, we have released a RESTful version of it. Please see /opt/WiKID/tomcat/webapps/WiKIDAdmin/exampleREST.jsp for a fully commented page with all the functionality.</p>
<p>We also added the ability to run the postgres database externally. If you are using a postgresql cluster or cloud service, you can now point your WiKID server to it.</p>
<p>We'll be updating our documentation in the days to come with more details.</p>
<p><strong>Docker repository for the WiKID Strong Authentication server</strong> (2018-09-13T15:11:34+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/docker-repository-for-the-wikid-strong-authentication-server/">permalink</a>)</p>
<p><a href="https://hub.docker.com/r/wikidsystems/wikid_enterprise/">https://hub.docker.com/r/wikidsystems/wikid_enterprise/</a></p>
<p>We have created a Docker Hub repository for anyone looking to quickly set up our two-factor authentication server. This is still a work in progress, so please provide feedback!</p>
<p><strong>New Amazon EC2 image on marketplace</strong> (2018-07-24T18:41:19+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/new-amazon-ec2-image-on-marketplace/">permalink</a>)</p>
<p>Get your two-factor auth server running on Amazon: <a href="https://aws.amazon.com/marketplace/pp/B01LD0YRXG" title="WiKID 2FA server on EC2">https://aws.amazon.com/marketplace/pp/B01LD0YRXG</a></p>
<p><strong>Update your WiKID servers for Spectre and Meltdown</strong> (2018-01-05T21:33:31+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/update-your-wikid-servers-for-spectre-and-meltdown/">permalink</a>)</p>
<p>Since basically every computer is affected by these bugs, your WiKID server is too. You will need to run 'yum update' to get the latest kernel patches. (And it's a great idea to do this regularly.) Reboot and you should have the fix.</p>
<p>You can run:</p>
<pre>rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'</pre>
<p>to see if you have the patch. It will return the matching changelog entries if you do. If you don't see anything, try the process again.</p>
<p><strong>Get your license expiration date from the command line</strong> (2017-12-08T19:38:02+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/get-your-license-expiration-date-from-the-command-line/">permalink</a>)</p>
<p>This is from one of our customers that uses Nagios to track license expirations:</p>
<pre>keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass *******|grep "Valid from" |cut -d":" -f 5-7</pre>
<p>Your passphrase replaces the asterisks. The first date returned is your expiration date.</p>
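<p>The one-liner above feeds nicely into a proper Nagios-style check that turns the date into an exit code instead of leaving a human to read it. The script below is an added illustration, not a WiKID-supplied tool: it parses the <code>Valid from: ... until: ...</code> line that <code>keytool -list -v</code> prints, takes the first certificate's <code>until</code> date as the post says, and compares it against warning and critical thresholds. The keytool output embedded in it is constructed; in production you would pipe in the real output of the command from the post.</p>

```python
"""Nagios-style licence/certificate expiry check built on the keytool one-liner.

Added illustration, not a WiKID-supplied script.  SAMPLE_KEYTOOL_OUTPUT is a
constructed stand-in for the output of
  keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass ...
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v` output: two entries, the first being
# the one whose 'until' date the post identifies as the expiry.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: intca
Entry type: PrivateKeyEntry
Owner: CN=Example WiKID intermediate CA
Valid from: Fri Dec 08 19:38:02 UTC 2017 until: Sat Dec 08 19:38:02 UTC 2018
Alias name: rootca
Entry type: trustedCertEntry
Valid from: Mon Jan 02 00:00:00 UTC 2017 until: Thu Jan 02 00:00:00 UTC 2027
"""

VALID_UNTIL = re.compile(r"^Valid from: .* until: (.+)$", re.MULTILINE)
KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"   # keytool's default date layout

NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL = 0, 1, 2


def expiry_date(keytool_output):
    """Return the 'until' date of the first certificate listed, as a naive UTC datetime."""
    match = VALID_UNTIL.search(keytool_output)
    if not match:
        raise ValueError("no 'Valid from ... until' line in keytool output")
    return datetime.strptime(match.group(1).strip(), KEYTOOL_DATE)


def check_expiry(keytool_output, now, warn_days=30, crit_days=7):
    """Map days-to-expiry onto a Nagios exit code and a one-line message.
    `now` may be a datetime or an ISO-8601 string (handy for testing)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    until = expiry_date(keytool_output)
    days_left = (until - now).days
    detail = f"certificate expires in {days_left} days ({until:%Y-%m-%d})"
    if days_left < crit_days:
        return NAGIOS_CRITICAL, "CRITICAL - " + detail
    if days_left < warn_days:
        return NAGIOS_WARNING, "WARNING - " + detail
    return NAGIOS_OK, "OK - " + detail


if __name__ == "__main__":
    # Read real keytool output from stdin when piped; otherwise use the sample.
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYTOOL_OUTPUT
    code, message = check_expiry(output, datetime.now(timezone.utc).replace(tzinfo=None))
    print(message)
    sys.exit(code)
```

<p>Wired up as a Nagios plugin, the exit code drives the alert state and the message lands in the dashboard, so an expiring licence shows up weeks ahead instead of as an outage.</p>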
<p><strong>Apple's treatment of 32-bit libraries requires a new WiKID token for iOS 11</strong> (2017-12-06T17:03:34+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/apples-treatment-of-32-bit-libraries-requires-a-new-wikid-token-for-ios-11/">permalink</a>)</p>
<p>Apple announced that it will no longer support 32-bit libraries or apps. We developed our iPhone WiKID token before there even was a 64-bit encryption library available.</p>
<p>We couldn't just upgrade the iPhone token to 64-bit. It would have invalidated all the existing keys for iOS tokens. Instead, we created a new 64-bit compliant <a href="https://itunes.apple.com/us/app/wikid-token-64/id1210457819?ls=1&mt=8" title="iPhone software token">iPhone WiKID token</a>.</p>
<p>With iOS 11, it appears that the iPhone token will launch fine (since most of the app is 64-bit), but you cannot successfully open the token because the encryption library won't open. If you get this error, please have the user remove the app and <a href="https://itunes.apple.com/us/app/wikid-token-64/id1210457819?ls=1&mt=8">install the new version</a>. </p>
<p>We apologize for the inconvenience.</p>
<p><strong>Deloitte and the need for 2FA on Admin accounts</strong> (2017-10-02T20:16:03+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/deloitte-and-the-need-for-2fa-on-admin-accounts/">permalink</a>)</p>
<p>Deloitte Touche Tohmatsu Limited has 263,000 employees. That's an astounding number of people, computers, networks, access points, etc. It is very hard to keep attackers out of such a vast network with so many needs and uses. It would cost a lot of money to provide 2FA for all those users. It would take a lot of effort to monitor the SIEM events for all those users.</p>
<p>However, if they are typical of organizations their size, they probably have a ratio of 1:50 IT to employees (maybe that's off big time, but you will get the drift). That means that they have about 5,260 IT staff. Let's call it 5,000 admins - really most IT workers aren't admins, so these numbers are high. That would cost $60,000 per year to add WiKID 2FA to those accounts. Now, think about how much easier the log management, SIEM events, etc etc will be versus 263,000 employees. </p>
<p>I am not saying you can forget about everyone else, but preventing attackers from escalating is cheaper and easier than preventing infiltration.</p>
<p>Please, please use <a href="http://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/" title="2FA for non-console admin access">2FA for admin accounts.</a></p>
<p><strong>Evading Microsoft ATA &gt; Another reason to use 2FA for Windows Admins</strong> (2017-08-15T19:18:05+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/evading-microsoft-ata-another-reason-to-use-2fa-for-windows-admins/">permalink</a>)</p>
<p>Nikhil "SamratAshok" Mittal has a great <a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html" title="Week of Evading Detection by ATA">series of posts on how to avoid detection</a> by <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata" title="MS ATA">Microsoft's Advanced Threat Analytics (ATA)</a>.</p>
<p>We won't say that you shouldn't deploy ATA to monitor your network for suspicious behavior, especially if your licensing already covers it. However, it does seem like an example of technology designed to protect something that you'd be better off not having at all: static admin credentials. As we showed in our last post on <a href="http://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/" title="Defeating pass-the-hash attacks with 2FA">defeating pass-the-hash with two-factor authentication</a>, tools like mimikatz will fail when using WiKID's native AD protocol for Admins. ATA seems like a great tool, but Nikhil has shown that defense-in-depth is the key, as always.</p>
<p><strong>Defeating pass-the-hash attacks with two-factor authentication</strong> (2017-06-29T17:14:10+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/">permalink</a>)</p>
<p>Implementing two-factor authentication for remote access is a great way to keep attackers out of your network. Users' credentials are floating all around the internet. But attackers can still get into your network through malware and other tools. In the past, we described how <a href="http://www.wikidsystems.com/blog/defense-at-every-stage/" title="Defense in depth with two-factor auth">two-factor authentication can be used at each stage of an attack</a> to make detection easier and execution much harder:</p>
<ul>
<li>Implementing two-factor authentication for remote access will make intrusion much more difficult.</li>
<li>Implementing two-factor authentication for privileged accounts will make escalation much more difficult.</li>
<li>Implementing two-factor authentication at your outbound proxy will make exfiltration much more difficult.</li>
</ul>
<p>The PCI Council is now requiring <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/" title="2FA for non-console admin access">two-factor authentication for non-console administrative access</a>. To see how easy the pass-the-hash attack is and to show how WiKID can mitigate it, we present the tale of two domain administrators. One uses a static password, the other uses the WiKID Native Active Directory 2FA protocol.</p>
<p>In our lab we set up two boxes: a Windows domain server running Server 2012 and a PC running Windows 10. On the Win 10 box, download two tools: <a href="https://github.com/gentilkiwi/mimikatz" title="Mimikatz">Mimikatz</a> and <a href="https://technet.microsoft.com/en-us/sysinternals/pstools.aspx" title="PSTools">PsTools</a>. We will use Mimikatz to grab the hash and psexec to pass it to the AD server to get a console on it.</p>
<p>Note that you will need to turn off Windows Defender as it will remove and quarantine Mimikatz. Right click on the appropriate mimikatz.exe and choose Run as Administrator. You need to be a local admin for the tool to work. </p>
<p><img alt="run mimikatz as admin" height="239" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/run_as_admin.png/run_as_admin-593x239.png" width="593"/></p>
<p>Next, check that you have the appropriate privileges by running:</p>
<pre>privilege::debug</pre>
<p>We do:</p>
<p><img alt="privlege::debug command" height="231" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/privilege_debug.png/privilege_debug-664x231.png" width="664"/></p>
<p>Let's have our two domain admins log in to the box to do a bit of work. The first domain admin logs in with their static AD password because, really, what's the point? The network is small and the users are pretty smart. Then our much more sophisticated domain admin logs in with a one-time passcode from their WiKID server, which has been set up to <a href="http://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/" title="two-factor authentication for windows/AD logins">provide 2FA for AD logins</a>, because he really likes to sleep well at night and knows that attackers are clever with many motivations. That these two admins are working on the same computer and network in very different ways is just an example of really bad script development.</p>
<p><img alt="2FA for windows logins" height="258" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/good-admin-login.png/good-admin-login-584x258.png" width="584"/></p>
<p>Note a few things:</p>
<ul>
<li>The AD protocol supports complex one-time passwords that meet AD complexity requirements.</li>
<li>The password lifetime can be configured in the domain settings too. This setting is key as it is an attack window.</li>
<li>This is the PC client pictured, in real life you would likely use a smart phone software token.</li>
</ul>
<p>Next, we use this mimikatz command to grab the hashes of these two admins:</p>
<pre>sekurlsa::logonpasswords</pre>
<p>This is what we get:</p>
<p><img alt="getting pass-the-hash credentials" height="407" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/sysadmin_ntml.png/sysadmin_ntml-671x407.png" width="671"/></p>
<p>And:</p>
<p><img alt="more creds for pass-the-hash" height="394" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/nowen_admin.png/nowen_admin-619x394.png" width="619"/></p>
<p>Note the NTLM hashes - that's what we will use. </p>
<p>Now, we will use Mimikatz's pass-the-hash command to escalate our privilege to domain admin. First, we try the admin that used the static password.</p>
<pre>sekurlsa::pth /user:sysadmin /domain:wikidsystems.com /ntlm:0a53c1165654e555ed5992963d097495</pre>
<p>This command gives us a dos prompt that shows my user hasn't changed:</p>
<p><img alt="user prompt with hash" height="187" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/user_prompt.png/user_prompt-499x187.png" width="499"/></p>
<p>But in fact, the user has the administrator's ticket. We can use psexec to prove this:</p>
<pre>psexec.exe \\192.168.56.129 cmd.exe</pre>
<p><img alt="Hash passed successfully" height="456" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/hash_passed.png/hash_passed-567x456.png" width="567"/></p>
<p><strong>You can see that we are now sysadmin on the domain server. The attack was successful! </strong></p>
<p>Now, let's try the same with the domain admin that used the WiKID password to login.</p>
<pre>sekurlsa::pth /user:nowen_admin /domain:wikidsystems.com /ntlm:f2ef29069c481dfaec8ce0590b4fa46d</pre>
<p>We get our DOS prompt with our username once again:</p>
<p><img alt="user prompt in dos" height="187" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/user_prompt.png/user_prompt-499x187.png" width="499"/></p>
<p>Now, let's see if the hash will work. We run the same command:</p>
<pre>psexec.exe \\192.168.56.129 cmd.exe</pre>
<p><img alt="Pass-the-hash thwarted!" height="354" src="https://www.wikidsystems.com/static/media/uploads/.thumbnails/pass_the_hash_thwarted.png/pass_the_hash_thwarted-577x354.png" width="577"/></p>
<p><strong>It fails!</strong> Of course it does. The password is changed after the expiration of the "one-time password" and the hash is no longer valid. Note that it's not really a one-time password. The WiKID server writes a random password to AD and sends it to the token as well. Once the password expires, the <strong>WiKID server overwrites the password in AD</strong> with another random complex string that no one knows. Thus, there is a window where an attacker can still use the hash: the lifetime of the password, which can be configured in the WiKID domain to whatever you want. It also means that you can set up an alert in your SIEM for both unsuccessful pass-the-hash attempts (a la "honey tokens") and multiple successful logins within the password expiration.</p>
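<p>The two SIEM alerts suggested above are simple to express as rules once you have the OTP issuance times next to the domain controller's logon events. The code below is an added illustration, not a WiKID feature or any SIEM product's rule language: it takes a constructed list of OTP issuances and a constructed list of Windows Security events in normalised form (event 4624 for a successful logon, 4625 for a failure, which are the real event IDs), and raises a honey-token alert for any failure on an OTP-managed account outside a live OTP window, and a second alert when more than one successful logon lands inside one window.</p>

```python
"""SIEM-style rules over logon events for OTP-managed admin accounts.

Added illustration; not WiKID's code and not a specific SIEM's rule syntax.
OTP issuances, event records, account names and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

OTP_LIFETIME = timedelta(minutes=5)   # the password lifetime configured for the domain

# Constructed OTP issuance log: (account, issued_at).  One window per issuance.
OTP_ISSUANCES = [
    ("example_admin", datetime(2017, 6, 29, 10, 0, 0)),
]

# Constructed, normalised Windows Security events (4624 = logon success,
# 4625 = logon failure).  A real feed would come from the DC's Security log.
EVENTS = [
    {"time": datetime(2017, 6, 29, 10, 0, 30), "event_id": 4624, "account": "example_admin", "src": "10.0.0.5"},
    {"time": datetime(2017, 6, 29, 10, 1, 0),  "event_id": 4625, "account": "example_admin", "src": "10.0.0.5"},
    {"time": datetime(2017, 6, 29, 10, 2, 0),  "event_id": 4624, "account": "example_admin", "src": "10.0.0.99"},
    {"time": datetime(2017, 6, 29, 10, 20, 0), "event_id": 4625, "account": "example_admin", "src": "10.0.0.99"},
    {"time": datetime(2017, 6, 29, 10, 21, 0), "event_id": 4625, "account": "jdoe", "src": "10.0.0.7"},
]


def window_for(when, account, issuances, lifetime):
    """Return the issuance time whose window contains `when`, or None."""
    for acct, issued in issuances:
        if acct == account and issued <= when < issued + lifetime:
            return issued
    return None


def detect(events, issuances, lifetime=OTP_LIFETIME):
    """Return a list of (rule, account, detail) alerts."""
    alerts = []
    otp_accounts = {acct for acct, _ in issuances}
    per_window = defaultdict(list)   # (account, issued_at) -> [src, ...]

    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if acct not in otp_accounts:
            continue   # these rules only apply to OTP-managed admin accounts
        window = window_for(ev["time"], acct, issuances, lifetime)
        if ev["event_id"] == 4625 and window is None:
            # Outside a window the directory holds a value nobody was told, so a
            # failure can only be a replayed credential: treat it as a honey-token hit.
            alerts.append(("HONEYTOKEN_REPLAY", acct,
                           f"failed logon from {ev['src']} at {ev['time']:%H:%M:%S}"))
        elif ev["event_id"] == 4624 and window is not None:
            per_window[(acct, window)].append(ev["src"])
        # A failure inside the window is most likely a mistyped OTP; no alert.

    for (acct, issued), sources in per_window.items():
        if len(sources) > 1:
            alerts.append(("MULTIPLE_LOGONS_IN_WINDOW", acct,
                           f"{len(sources)} logons from {sorted(set(sources))} "
                           f"after OTP issued {issued:%H:%M:%S}"))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(EVENTS, OTP_ISSUANCES):
        print(f"{rule}: {account}: {detail}")
```

<p>The second rule is noisier than the first (an admin may legitimately open two sessions on one OTP), so in practice it is the one to tune, for instance by alerting only when the sources differ; the honey-token rule should never fire in normal operation.</p>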
<p>The WiKID server is free for up to 5 users. So, even if you don't use two-factor authentication for remote access, a company with 5 or fewer domain admins could use this for free. That's a lot of companies.</p>
<p><strong>Two-factor authentication for banking</strong> (2017-05-05T20:45:30+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/two-factor-authentication-for-banking/">permalink</a>)</p>
<p>Clearly, <a href="https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/">you should not use SMS for banking authentication</a>. We have been <a href="http://www.wikidsystems.com/blog/another-nail-for-sms-authentication/">saying this</a> for over <a href="http://www.wikidsystems.com/blog/why-using-sms-for-authentication-is-a-bad-idea/">eight years now</a>. The solution must use encryption that you control.</p>
<p>Any hardware-based solution <strong>like key fobs</strong> would be <a href="http://www.wikidsystems.com/learn-more/authentication-problems/key-fobs-are-an-expensive-hassle/">very expensive and difficult to scale</a>. Banks have a lot of users.</p>
<p>Obviously, any <strong>shared-secret based solution</strong> may be vulnerable to an attack <a href="https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/">similar to the Chinese attack on RSA</a>, which then required re-issuing all tokens, an expensive proposition if you have a lot of users even if you are using software tokens. <a href="http://www.wikidsystems.com/learn-more/technology-architecture/architecture-overview/">Private/public keys that are generated</a> on the users' devices are much better.</p>
<p>Since <strong>network-based man-in-the-middle attacks</strong> are so easy to do now and since certificates are impossible for even advanced users to verify, you <a href="http://www.wikidsystems.com/learn-more/technology-architecture/wikid-mutual-authentication/">should have some form of mutual authentication</a>.</p>
<p>You need a <strong>solid API</strong> so you can <a href="http://www.wikidsystems.com/learn-more/features-benefits/wikids-self-service-ease-of-deployment-capabilities/">manage enrollment and create CSR management tools</a>.</p>
<p>You need to be able to <strong>white-label</strong> the two-factor authentication client into your software and you need the <strong><a href="http://www.wikidsystems.com/blog/scalability-notes-for-the-wikid-strong-authentication-server/">server to be highly scalable</a></strong>.</p>
<p>The WiKID Strong Authentication System meets all these requirements.</p>
<p><strong>It always comes to this: why making the right security designs up front matters.</strong> (2017-04-26T16:21:42+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/it-always-comes-to-this-why-making-the-right-security-designs-up-front-matters/">permalink</a>)</p>
<p>When we started WiKID, we knew we had to be as secure as or more secure than the leading players at the time (RSA, Vasco, mostly, way back then). We decided that using asymmetric keys generated on users' devices was the best way to overcome objections to software-based tokens. After all, R, S &amp; A had developed public key encryption to overcome the weaknesses of shared secret encryption.</p>
<p>Fast-forward, and the dominant form of consumer-oriented two-factor authentication is "two-step" authentication using a shared secret-based protocol (even after hackers successfully stole the shared secrets of a major 2FA vendor) or worse, using SMS. Of course, we know the saying that marketing trumps technology. This seemed like a typical case of that. No one much cared about the increased security offered by asymmetric encryption.</p>
<p>But security is a slightly different beast because: 1. Attackers are always getting better. 2. Regulations and compliance can force a market to change despite marketing. The #PCI-DSS Council may be in the process of doing that with their most <a href="http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/">recent guidance on multi-factor authentication</a>, stating that multi-step authentication leaks account information and should not be used. NIST has said that using SMS as an authentication mechanism is deprecated.</p>
<p>In a way, this will be easier for many systems administrators.
Most VPNs and remote access services by default support OTP-based 2FA via RADIUS (which also allows authorization in AD/LDAP, another recommended practice) and they do not support a multi-step authentication process. There is no way, for example, to do two-step authentication on a <a href="http://www.wikidsystems.com/support/how-to/keyword/cisco/" title="Cisco 2FA tutorials">Cisco</a> ASA. But two-factor authentication is easy and can be added to <a href="http://www.wikidsystems.com/support/how-to/keyword/cisco/">ASA Admin accounts</a> as well, a great idea and soon to be required for PCI's non-console admin access requirements.</p>
<p><strong>PCI DSS disses multi-step authentication</strong> (2017-04-04T20:00:58+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/">permalink</a>)</p>
<p>The PCI Council has published an <a href="https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf">"Information Supplement" on multi-factor authentication</a> (pdf). The document states that multi-step and multi-factor authentication are not the same and that the former is not acceptable.</p>
<blockquote>
<p>PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication mechanism granting the requested access. Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.<br/>[snip]<br/>For example, if an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of the second factor for validation (e.g., biometric), this would be considered "multi-step" authentication.</p>
</blockquote>
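<p>The difference the PCI supplement draws is easiest to see in code. Below, as an added illustration that is neither WiKID's nor PCI's, are two login functions over the same constructed user store: a multi-step one whose first reply depends only on the password (so a caller learns "password valid" before ever presenting a second factor), and a multi-factor one that always evaluates both factors and returns a single verdict. The password hashing and the fixed OTP lookup are stand-ins for a real credential store and token verifier; usernames, passwords and OTP values are constructed.</p>

```python
"""Multi-step versus multi-factor login, as the PCI supplement distinguishes them.

Added illustration, not WiKID's or PCI's code.  USERS is a constructed store;
the OTP check is a fixed comparison standing in for real token verification."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-fixed-salt"          # one salt for the toy store; real stores use one per user
_ITERATIONS = 10_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed credential store: username -> password hash and the OTP currently valid.
USERS = {
    "alice": {"pw": _hash("correct horse"), "otp": "493027"},
}
# Hash compared against for unknown users so timing does not reveal whether a username exists.
_DUMMY_HASH = _hash(secrets.token_hex(16))


def multi_step_login(username, password, otp=None):
    """Multi-step: the password is validated first and the reply says so,
    which is exactly the leak the PCI text objects to."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash(password)):
        return "denied: bad password"
    if otp is None:
        return "password ok: now enter OTP"       # <- the leak
    if hmac.compare_digest(user["otp"], otp):
        return "granted"
    return "denied: bad otp"


def multi_factor_login(username, password, otp):
    """Single step: both factors are always checked and the caller gets one
    verdict with no indication of which factor was wrong."""
    user = USERS.get(username)
    pw_hash = user["pw"] if user else _DUMMY_HASH
    expected_otp = user["otp"] if user else "000000"
    pw_ok = hmac.compare_digest(pw_hash, _hash(password))
    otp_ok = hmac.compare_digest(expected_otp, otp)
    return "granted" if (user is not None and pw_ok and otp_ok) else "denied"


def responses_reveal_factor(login, username, good_pw, bad_pw, bad_otp="000000"):
    """True if the reply to (wrong password) differs from the reply to
    (right password, wrong OTP): the caller can tell which factor failed."""
    return login(username, bad_pw, bad_otp) != login(username, good_pw, bad_otp)


if __name__ == "__main__":
    print("multi-step leaks which factor failed:", responses_reveal_factor(multi_step_login, "alice", "correct horse", "wrong"))
    print("multi-factor leaks which factor failed:", responses_reveal_factor(multi_factor_login, "alice", "correct horse", "wrong"))
```

<p>The RADIUS-style integrations mentioned elsewhere on this page behave like <code>multi_factor_login</code>: the VPN collects the password and OTP in one prompt and gets one accept-or-reject back, so there is no intermediate state to leak.</p>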
<p>If this is the way you're doing your authentication with a service or using Google Authenticator, then it's probably time to re-think that (in addition to <a href="http://www.wikidsystems.com/blog/5-issues-enterprises-should-consider-before-using-google-authenticator-for-ssh/">other issues with Google Authenticator</a>). WiKID's authentication process is true multi-factor, easy to integrate into a one-step authentication process, and it can perform <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/">2FA for non-console administrative access</a> as required by <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf">PCI 3.2</a> (pdf).</p>
<p><strong>New release, bug fixes and updates</strong> (2017-02-17T20:47:11+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/new-release-bug-fixes-and-updates/">permalink</a>)</p>
<p>We released a new version of the WiKID server today and it warrants a few notes.</p>
<p><strong>First, if you downloaded an earlier version and didn't create an evaluation or production cert before today (2.17.2017) you must upgrade to the latest before you can get a cert.</strong></p>
<p>The release fixes a number of memory leaks in the wAuth API. It would only affect you if you were using the API for two-factor authentication logins for a large number of users, so only a handful of our customers. We also made significant updates to how certificate validation is handled. If you are using radius, it would not affect you.</p>
<p>We have also added support for Centos/RHEL 7. At the same time, we are dropping support for Centos/RHEL 5 and 32-bit platforms. If you are still running on one of these, <a href="http://www.wikidsystems.com/contact/">please let us know</a> and we'll help you upgrade.</p>
<p>You can get <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/">the latest server release here!</a></p>
<p><strong>Preventing pass-the-hash via RDP with two-factor authentication</strong> (2016-09-27T15:16:45+00:00, by <a href="http://www.wikidsystems.com/blog/author/root/">root</a>, <a href="http://www.wikidsystems.com/blog/preventing-pass-the-hash-via-rdp-with-two-factor-authentication/">permalink</a>)</p>
<p>In researching pass-the-hash attacks, we discovered that when Microsoft implemented "Restricted Admin" mode they <a href="https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/" title="New “Restricted Admin” feature of RDP 8.1 allows pass-the-hash">inadvertently enabled pass-the-hash attacks via RDP 8.1</a>. This attack tool <a href="https://www.kali.org/penetration-testing/passing-hash-remote-desktop/" title="Passing the Hash with Remote Desktop">is now included in Kali Linux</a> and probably other tools.</p>
<p>This attack shows the weakness in the design of the system. The hash exists to make the system usable. It is a design feature. Since MS can't remove the password from their software, they have a number of fixes, patches and configuration options that try to secure it. </p>
<p>Isn't it better to get rid of, or at least minimize, the lifetime of the password? WiKID does this with <a href="http://www.wikidsystems.com/learn-more/features-benefits/native-active-directory-two-factor-authentication/" title="two-factor authentication for AD">our native AD 2FA solution. </a>The hash is only good for the life of the passcode.</p>
<p>If an attacker is trying to pass-the-hash while the admin is logged in, the admin will actually see the request for the RDP session! If they wait, the hash will no longer be valid.</p>
<p>In the past it seems as if the market was saying that pass-the-hash was a big problem, but smart cards were not worth the effort and expense. Now you can have essentially the same functionality using your smartphone and WiKID for $24 per admin per year.</p>