The WiKID Blog | WiKID Systems
http://www.wikidsystems.com/blog/
2017-04-04T20:00:58+00:00
The WiKID Blog, musings on two-factor authentication, information security and some other stuff.

PCI DSS disses multi-step authentication
2017-04-04T20:00:58+00:00
root
http://www.wikidsystems.com/blog/author/root/
http://www.wikidsystems.com/blog/pci-dss-disses-multi-step-authentication/
<p>The PCI Council has published an <a href="https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf">"Information Supplement" on multi-factor authentication</a> (pdf). The document states that multi-step and multi-factor authentication are not the same and that the former is not acceptable.</p>
<blockquote>
<p>PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication mechanism granting the requested access. Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.<br/><snip><br/>For example, if an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of the second factor for validation (e.g., biometric), this would be considered “multi-step” authentication.</p>
</blockquote>
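<p>To make the distinction concrete, here is an added illustration (not code from the PCI Council or WiKID) of the two patterns: a multi-step login that judges the password first and tells the caller how it went, beside a multi-factor login that takes both factors together and returns a single verdict. The user record, the PBKDF2 work factor and the toy counter-based OTP are constructed for the example.</p>

```python
"""Multi-step versus multi-factor verification, following the PCI guidance quoted above.

Added illustration only: the user record, the password hashing and the toy
counter-based OTP are constructed for this example and are not WiKID or PCI code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumed work factor for the example


@dataclass(frozen=True)
class User:
    salt: bytes
    password_hash: bytes
    otp_secret: bytes  # shared secret behind the second factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def expected_otp(secret: bytes, counter: int) -> str:
    """Toy counter-based OTP: HMAC over the counter, truncated to six digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def make_user(password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, _hash_password(password, salt), secrets.token_bytes(20))


def multistep_login(user: User, password: str, otp: str, counter: int) -> str:
    """The pattern PCI calls multi-step: the password is judged on its own and the
    caller learns its outcome before the second factor is even considered."""
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return "bad password"  # reveals that the first factor failed
    if not hmac.compare_digest(expected_otp(user.otp_secret, counter), otp):
        return "bad otp"  # reveals that the password was right
    return "ok"


def multifactor_login(user: User, password: str, otp: str, counter: int) -> bool:
    """Multi-factor as PCI describes it: both factors are submitted together, both
    are always evaluated, and only one combined verdict leaves the function."""
    password_ok = hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)
    otp_ok = hmac.compare_digest(expected_otp(user.otp_secret, counter), otp)
    # Bitwise '&' rather than 'and': no short-circuit, so the cost does not depend
    # on which factor failed, and the caller cannot tell which one it was.
    return bool(password_ok & otp_ok)
```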
<p>If this is the way you're doing your authentication with a service or using Google Authenticator, then it's probably time to re-think that (in addition to <a href="http://www.wikidsystems.com/blog/5-issues-enterprises-should-consider-before-using-google-authenticator-for-ssh/">other issues with Google Authenticator</a>). WiKID's authentication process is true multi-factor, easy to integrate into a one-step authentication process, and it can perform <a href="http://www.wikidsystems.com/blog/non-console-administrative-access/">2FA for non-console administrative access</a> as required by <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf">PCI 3.2</a> (pdf).</p>

Non-Console Administrative Access
2016-05-05T16:52:02+00:00
root
http://www.wikidsystems.com/blog/author/root/
http://www.wikidsystems.com/blog/non-console-administrative-access/
<p>Now that PCI-DSS 3.2 is live, we have been pondering how hard it will be to implement the new multi-factor authentication requirements. First, some definitions from the PCI Glossary:</p>
<p><a href="https://www.pcisecuritystandards.org/pci_security/glossary#Non-Console%20Administrative%20Access" title="Non-Console Administrative Access">Non-Console Administrative Access:</a><br/><em>Refers to logical administrative access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console administrative access includes access from within local/internal networks as well as access from external, or remote, networks.</em></p>
<p><a href="https://www.pcisecuritystandards.org/pci_security/glossary#CDE" title="CDE">CDE</a>:<br/><em>Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.</em></p>
<p>It appears that not only will you have to use two-factor for your servers, but also your routers and VPNs. Luckily, this is not hard. </p>
<p>First, most enterprise-class routers and VPNs support RADIUS for authentication of administrators. Previously, we have shown how to add two-factor authentication for non-console access to both <a href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-for-admin-access-to-a-cisco-asa-5500/" title="Non-console admin two-factor auth for Cisco">Cisco</a> and <a href="http://www.wikidsystems.com/support/how-to/how-to-require-two-factor-authentication-for-check-point-admins/" title="Non-console Administrative multi-factor auth for Checkpoint">Checkpoint</a> devices. You really should do this for all of your networking infrastructure to avoid attacks like <a href="http://www.wikidsystems.com/blog/yet-another-reason-to-add-two-factor-authentication-to-your-admin-accounts/">SYNful</a>.</p>
<p>Linux servers are easy too. Disable root login via SSH and require two-factor authentication for sudo via pam-radius. </p>
<p>Windows servers are harder because Microsoft, after spending all that money winning the battle of directories against Novell, wants you to use Active Directory all the time for everything. Even their RADIUS plugin, NPS, wouldn't allow proxying to third-party authentication servers until Server 2008. At WiKID, we have figured out an elegant way to use one-time passwords for AD users. It doesn't require any software on the Windows side, just an admin account capable of changing passwords. Not even a group policy. It does require that you have a certificate for SSL connections, so you need to set up AD Certificate Services if you haven't. We do recommend that you have dedicated admin users rather than just users that are admins.</p>
<p>We have a complete tutorial on setting up <a href="http://www.wikidsystems.com/support/tutorials/how-to-setup-two-factor-authentication-for-both-linux-and-windows-administrators/" title="multi-factor auth for non-console admins Windows and Linux">two-factor auth for Windows and Linux admins with WiKID</a>.</p>
<p>The best thing about implementing the new PCI requirements is that they should actually be very impactful. As noted in the 2016 Verizon DBIR, 63% of attacks use credentials to infiltrate or escalate their attacks. Preventing pass-the-hash attacks alone will make escalation much harder if not impossible. And it will make detection much easier. </p>
<p>Remember, WiKID is free for 5 users. <a href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/">Download today and lock down your network!</a></p>
Hackers For Charity Challenge
2015-11-30T21:16:36+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/hackers-for-charity-challenge/
<p>This morning I saw a <a class="external-link" href="https://twitter.com/ihackstuff/status/664811441619410945" target="_self" title="">tweet from Johnny Long</a> about them being in the hole $2,700 due to unexpected baggage fees. As long-time admirers, we decided it was time to do something. So, we gave $100 and committed to giving $100 per evaluation certificate created between now and Thanksgiving. No one wants to go into Thanksgiving in the hole.</p>
<p>We are going to make it extra, extra easy for y'all to set up a WiKID server and get an evaluation cert. We have created a VirtualBox OVA. Just download the image and use the quick-start configuration file to get an evaluation cert in three steps.</p>
<p>First, download this special <a class="external-link" href="http://wikidsystems-dl.com/HFC_VBox_special.ova.zip" target="_self" title=""><span class="external-link">WiKID virtual box image</span></a>. (md5: 65434003098404ef5a348dc6ff4c3b89). It is configured for Bridged Networking. You can change that, but it is best if the server can get out and back to our certificate server. </p>
<p>Log in as root/wikid. (Typically you would get prompted to change that, but since we bundled this up as a VirtualBox image, you won't.) Run ifconfig to see your IP address. Now, copy the quick config file:</p>
<pre> cp /opt/WiKID/conf/sample-quick-setup.properties wikid.conf</pre>
<p>Then edit wikid.conf. Change the IP address and the domaincode to your zero-padded IP (that is, 192.168.50.2 becomes 192168050002). Everything else is optional for our purposes (you making us give money away). Change the hostname to HFC.something. Run:</p>
<pre># wikidctl quick-setup configfile=wikid.conf</pre>
<p>And that's it. You should have created a cert. Ping us via twitter if you want to remind us.</p>
<p>Run:</p>
<pre># wikidctl start</pre>
<p>When prompted for the passphrase, enter 'protectme' unless you edited the config file. You can now browse to https://yourip/WiKIDAdmin and see the server if you like. If you actually created a radius network client then all you need to do is register a token to a user and test.</p>
<p>Happy Holidays.</p>

Scalability notes for the WiKID Strong Authentication server
2015-10-26T16:26:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/scalability-notes-for-the-wikid-strong-authentication-server/
<p>Large two-factor authentication deployments are becoming more and more common these days as enterprises deploy it to more and more employees. We're also seeing more SaaS providers needing to meet regulations such as HIPAA and PCI. These enterprises have large user bases and need scalable, reliable, affordable two-factor authentication. We have the affordable part covered (you can see our <a class="internal-link" href="https://www.wikidsystems.com/pricing" target="_self" title="">pricing online</a>) and we are highly incented to provide reliable software thanks to our annual subscription license. But how scalable is WiKID?</p>
<p>We have had a stress tester for some time. We use it along with our <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-use-the-wikid-quick-configuration-option" target="_self" title="">quick-setup config option</a> to quickly build and test new releases. We decided to publish some results to show how well WiKID can scale. The first thing to know is that you can segment users across WiKID boxes without their knowledge or any impact on users. Second, we are testing transactions/authentications per time period and doing a lot of them, because we want to stress the system. You need to know how many authentications per minute you do to know how many WiKID servers you need.</p>
<p>The stress tester registers a number of users and then tests authentications using RADIUS. We run a number of rounds on the stress tester. The WiKID virtual servers use our minimum recommended setup of 2 GB of RAM and 1 CPU. They are configured for replication, primary and secondary. The host is a modest server with plenty of RAM and 1 CPU with 8 cores. The tester runs on the host and the servers are in VirtualBox.</p>
<table class="plain" summary="Scalability of the WiKID Server">
<tbody>
<tr><th><strong>Transactions</strong></th><th><strong>Tx/Minute</strong></th><th><strong>Tx/Hour</strong></th></tr>
<tr>
<td>1,000</td>
<td>342.95</td>
<td>20,577.07</td>
</tr>
<tr>
<td>1,000</td>
<td>394.83</td>
<td>23,689.67</td>
</tr>
<tr>
<td>1,000</td>
<td>371.29</td>
<td>22,277.23</td>
</tr>
<tr>
<td>1,000</td>
<td>379.08</td>
<td>22,744.93</td>
</tr>
<tr>
<td></td>
<td>Average</td>
<td><em><strong>22,322.23</strong></em></td>
</tr>
</tbody>
</table>
<p>The tester starts out registering a bunch of users, then performs RADIUS authentications for those users. Here it is with 10,000 transactions:</p>
<table class="plain" summary="Scalability of the WiKID Server">
<tbody>
<tr><th>Transactions</th><th>Tx/Minute</th><th>Tx/Hour</th></tr>
<tr><td>10,000</td><td>408.75</td><td>24,525.07</td></tr>
<tr><td>10,000</td><td>408.11</td><td>24,486.40</td></tr>
<tr><td>10,000</td><td>409.39</td><td>24,581.30</td></tr>
<tr><td></td><td>Average</td><td><strong>24,530.92</strong></td></tr>
</tbody>
</table>
<p>24,000 transactions per hour is a very decent throughput for a single small server.</p>
<p>Next, I set the logs to go to syslog instead of to the database. This means that they are not available in the WiKIDAdmin web UI, but they would go into your SIEM (you can set them to go to both, but then you wouldn't see any speed improvement).</p>
<table class="plain" summary="Scalability of the WiKID Server with logging to syslog">
<tbody>
<tr><th>Transactions</th><th>Tx/Minute</th><th>Tx/Hour</th></tr>
<tr><td>1,000</td><td>580.78</td><td>34,846.58</td></tr>
<tr><td>1,000</td><td>714.37</td><td>42,862.25</td></tr>
<tr><td>1,000</td><td>769.36</td><td>46,161.54</td></tr>
<tr><td>1,000</td><td>800.38</td><td>48,023.05</td></tr>
<tr><td></td><td>Average</td><td><strong>45,682.28</strong></td></tr>
</tbody>
</table>
<p>That's pretty impressive: 45,000 authentications per hour.</p>
<p>This gives you an idea of what kind of peak performance WiKID can handle. This last 1,000-transaction test took less than 2 minutes. We're going on the record as saying that WiKID is secure, reliable, and highly scalable.</p>

Latest release pushes into Privileged Access Management
2015-10-15T14:39:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/latest-release-pushes-into-privileged-access-management/
<p>The <a class="internal-link" href="https://www.wikidsystems.com/company/recent-press-releases/wikid-systems-launches-first-native-active-directory-two-factor-authentication-to-help-companies-prevent-attack-escalation-and-credential-misuse" target="_self" title="">4.1 release</a> of the <a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">WiKID Strong Authentication Server</a> - Enterprise Edition includes the ability to use one-time passcodes for Active Directory accounts. We noted an increasing focus on privileged accounts. Companies need these accounts to manage Windows PCs and infrastructure. Multiple system admins need to have the credentials for them too. So, organizations often have shared spreadsheets with credentials. You can put them into a "password vault", but then there is still a password to the vault, and an attacker that is already on the system can still perform a 'pass-the-hash' attack to escalate their privilege.</p>
<p>At WiKID we prefer to just get rid of the secrets. With the new Active Directory protocol on WiKID, a user gets an OTP and it is pushed to AD as the new password. They login with the OTP. The WiKID server then overwrites the OTP with a random string. WiKID allows multiple tokens on the same username as well so you can have five tokens for the user 'Admin' if you want.</p>
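<p>The flow just described, as an added model (not WiKID's implementation): an in-memory dictionary stands in for Active Directory, the OTP lifetime is an assumed value, and the real server would push the password over the SSL-protected connection mentioned above. The point it demonstrates is that after a single login the stored password is random filler that nobody knows, so the OTP cannot be replayed and there is no standing secret to steal.</p>

```python
"""Model of the one-time-passcode-as-AD-password flow described above.

Added illustration, not WiKID's code: Directory stands in for Active Directory
and OTP_LIFETIME_SECONDS is an assumed window.
"""
import hmac
import secrets
import string
import time
from typing import Callable, Dict, Tuple

OTP_LIFETIME_SECONDS = 60  # assumed validity window for the example
SCRUB_ALPHABET = string.ascii_letters + string.digits + string.punctuation


class Directory:
    """Stand-in for AD: one current password per account."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def bind(self, account: str, password: str) -> bool:
        stored = self._passwords.get(account)
        return stored is not None and hmac.compare_digest(stored, password)


class OtpPasswordBroker:
    """Issues an OTP, pushes it as the AD password, and overwrites it afterwards."""

    def __init__(self, directory: Directory,
                 now: Callable[[], float] = time.monotonic) -> None:
        self.directory = directory
        self.now = now
        self._pending: Dict[str, Tuple[str, float]] = {}  # account -> (otp, expiry)

    def issue(self, account: str) -> str:
        """Generate an OTP and make it the account's current password."""
        otp = f"{secrets.randbelow(10 ** 8):08d}"
        self.directory.set_password(account, otp)
        self._pending[account] = (otp, self.now() + OTP_LIFETIME_SECONDS)
        return otp

    def scrub(self, account: str) -> None:
        """Replace the password with a long random string that nobody is told."""
        filler = "".join(secrets.choice(SCRUB_ALPHABET) for _ in range(64))
        self.directory.set_password(account, filler)
        self._pending.pop(account, None)

    def login(self, account: str, passcode: str) -> bool:
        """Bind against the directory; a used or expired OTP is scrubbed."""
        pending = self._pending.get(account)
        if pending is None:
            return False  # nothing outstanding: stored password is random filler
        _, expires_at = pending
        if self.now() > expires_at:
            self.scrub(account)
            return False
        ok = self.directory.bind(account, passcode)
        if ok:
            self.scrub(account)  # consumed: the same OTP never works twice
        return ok
```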
<p>The benefits:</p>
<ul>
<li>No need to maintain a spreadsheet of passwords or a vault</li>
<li>Users are managed on the WiKID server vs changing passwords</li>
<li>Two-factor authentication for critical accounts in Windows</li>
</ul>
<p>Every year the Verizon DBIR and other reports prove that attackers use credentials to infiltrate and then to escalate their privileges. Two-factor authentication for remote access thwarts the former; this new functionality thwarts the latter.</p>
<p>I should also note that if you are an organization with up to 5 admins (which covers a lot of ground), you can deploy this for free. </p>
<p><span class="linkButtonRedContent"><a class="internal-link" href="https://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise" target="_self" title="">Download today! </a></span></p>

VPN services leak info via IPv6
2015-07-08T21:33:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/vpn-services-leak-info-via-ipv6/
<p>Earlier this year, we released a set of packer scripts that allow you to easily build a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/tutorials/build-a-2fa-ready-openvpn-community-virtual-appliance" target="_self" title="">two-factor ready OpenVPN virtual appliance</a>. We have updated the scripts to turn off IPv6 because it seems that VPN services using <a class="external-link" href="http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/" target="_self" title="">OpenVPN can leak information via IPv6</a>. (This was surely the easy fix. There may be better ones.)</p>
<p>I continue to believe that companies and organizations will need to deliver not just software but configurations. This update to our packer scripts shows how updates can be added and maintained over time. Eventually, IaaS providers like Amazon, Google, Digital Ocean, etc. will make it easy to pull containers from services like Docker Hub and launch these configured containers for users. It will be as easy to launch such a container configured to your needs as it is to use a VPN service, or any SaaS service.</p>

Bridging Gunnar Gaps to create virtual circles
2015-06-19T15:48:18+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/bridging-gunnar-gaps-to-create-virtual-circles/
<p>If you haven't read Gunnar Peterson's post <a class="external-link" href="http://1raindrop.typepad.com/1_raindrop/2015/04/security-fast-and-security-slow.html" target="_self" title="">Security, Fast and Slow</a>, please do so now. It is about how Security's natural tendencies grate against the natural tendencies of Development. Security needs to adapt to make it easier for Development to make the right decisions, to bridge such gaps. I now call these "Gunnar Gaps".</p>
<p>As a security vendor, I wonder what we do that might create or, hopefully, bridge such gaps. The best thing I think we do for developers is have easily downloadable API code examples that are LGPL-licensed. This means that a developer can quickly set up a WiKID server in a lab and integrate our API into their code base without talking to a sales person or worrying about licensing (LGPL allows you to use the code in a commercial application without releasing the code as open source).</p>
<p><a class="external-link" href="https://twitter.com/joshcorman" target="_self" title="">Josh Corman </a>hit on this same idea:</p>
<p><a class="external-link" href="https://twitter.com/joshcorman/status/606447781927092225" target="_self" title=""><img alt="devops for vendors" class="image-inline" height="185" src="https://www.wikidsystems.com/static/media/uploads/images/WiKIDBlog/.thumbnails/joshcormandevopsvendors.jpg/joshcormandevopsvendors-503x185.jpg" title="devops for vendors" width="503"/></a></p>
<p>Devs don't want paywalls, sales people, web forms that require email addresses, etc when working on projects. That's pure friction and gap-creation. </p>
<p>Devs like well-documented code. And the best documentation is examples. We actually like providing example code that developers can cut and paste. It allows them to focus on exactly the functionality they need, and it creates a much tighter feedback loop to us. So, bridging the gap to developers works both ways and makes our product better too.</p>

New eGuide on Adding Two-factor Authentication to your Network
2015-05-05T14:35:31+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/new-eguide-on-adding-two-factor-authentication-to-your-network/
<p>Multi-factor authentication is a key requirement for securing infrastructure, and we have tried our best to make it less expensive and less of a headache for users and admins. We do a lot of work helping systems administrators integrate two-factor authentication. These efforts often involve supporting other products and we're OK with that. People ask us "Do you work with my VPN?" So we often produce tutorials on how to add two-factor authentication to a specific product, like <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn" title="Using WiKID Strong Authentication with OpenVPN">OpenVPN</a> or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid" title="How to configure a Cisco VPN concentrator for two-factor authentication from WiKID.">Cisco</a> box or a <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance" title="How to use WiKID Strong Authentication with Juniper IC Series UAC Appliance">Juniper UAC.</a></p>
<p>However, we realized that what was missing was an overview that gave more strategic guidance on how to plan out your two-factor authentication implementation. While we have a lot of the content on the website, we needed to put it into one document for continuity. So, please enjoy.</p>
<p>Also, please share this information. It is mostly product agnostic and uses RADIUS (an open and widely supported authentication protocol), so the lessons apply to all two-factor authentication products. This guide is primarily aimed at the overworked souls that toil in organizations <a href="https://451research.com/t1r-insight-living-below-the-security-poverty-line">living below the information security poverty line</a>, who perform so many tasks that it's difficult to do anything except meet the minimum PCI requirements. In my opinion, most of this deficit can be made up by education: better knowledge of how to implement security right and better awareness of less expensive, free or open-source options.</p>
<p>You can <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers" title="Two-factor Authentication White Papers">download the eGuide and all of our white papers here without registering</a>.</p>

WiKID Systems Two-Factor Auth with F5 APM and VMware Horizon with View
2015-04-29T17:56:52+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/wikid-systems-two-factor-auth-with-f5-apm-and-vmware-horizon-with-view/
<p>Check out this great tutorial on adding WiKID two-factor authentication to an <a class="external-link" href="https://blog.shiplett.org/wikid-systems-two-factor-auth-with-f5-apm-and-vmware-horizon-with-view/">F5 APM for VMware View.</a></p>
<p>The only comment I made was that using a RADIUS server such as <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps">NPS in the two-factor authentication process</a> would reduce the number of login screens for the users. I would also argue that NOT using AD passwords outside of the LAN is a GOOD thing.</p>

A whole bunch of new Check Point Tutorials
2015-04-27T14:53:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/a-whole-bunch-of-new-check-point-tutorials/
<p>We have just completed a few new tutorials for <a class="external-link" href="http://www.checkpoint.com/">Check Point</a>. We used the Gaia Open Server R77 and the Smart Console. It's pretty slick, except for only running on Windows. Certainly better than the dated Java interface of the <a class="internal-link" href="http://www.wikidsystems.com/support/how-to/keyword/cisco">Cisco ASA</a>s.</p>
<p>We covered how to add <strong>two-factor authentication</strong> to both <a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-to-checkpoint-security-gateway-ipsec-vpn/">IPSec VPNs</a> and the <a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-to-checkpoint-security-gateway-mobile-access/">Mobile Access SSL-VPN</a>, as well as something we always recommend: requiring <a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-require-two-factor-authentication-for-check-point-admins/">two-factor authentication for administrator access (privileged access management!)</a>. This was quite easy to set up on the Security Gateway, but you have to do it on a per-user basis. There appears to be no way to require an authentication type by group.</p>
<p>Special shout-out to my source for all things Check Point, <a class="external-link" href="https://hurricanelabs.com">Hurricane Labs</a>! They got me the evaluation ISO for the lab and helped with questions along the way.</p>

A whole bunch of Cisco Two-factor Tutorials
2015-01-29T22:10:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/a-whole-bunch-of-cisco-two-factor-tutorials/
<p>We've spent some time in our lab with a Cisco ASA 5500 series VPN and we have posted a few tutorials:</p>
<ul>
<li><a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-to-a-cisco-asa-5500">How to add two-factor authentication to an ASA 5500 via RADIUS.</a> This is the basic setup: you want two-factor authentication for your remote users on your Cisco ASA. As always, we recommend you put NPS or another RADIUS server between your VPN and WiKID. Note that this setup should work for <em>any two-factor authentication server</em> that supports RADIUS. That's the benefit of using a standard protocol!</li>
<li><a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-configure-the-asa-for-2fa-using-the-console">How to configure the ASA 5500 for two-factor auth via the console.</a> Same goal: two-factor for all your VPN users, but via the console. Much simpler really.</li>
<li><a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-two-factor-authentication-for-admin-access-to-a-cisco-asa-5500">How to protect the Cisco ASA Admin interface with 2FA.</a> One problem enterprises have is shared admin passwords. Companies should really add two-factor authentication to all administrative accounts where possible. Obviously these logins should run through your directory via NPS or another radius server too.</li>
<li><a class="internal-link" href="http://www.wikidsystems.com/support/how-to/how-to-add-mutual-https-authentication-to-a-cisco-asa-ssl-vpn">How to add mutual HTTPS authentication to the ASA SSL VPN.</a> Here's a neat trick that will thwart most network-based MiTM attacks using WiKID's mutual https authentication. If you are worried about users connecting via dubious wifi networks, check this one out.</li>
</ul>
<p>If you have general questions about how to architect your network for <a class="internal-link" href="http://www.wikidsystems.com/learn-more/white-papers/">two-factor authentication, see our eguide. </a></p>
<p>Download the<a class="internal-link" href="http://www.wikidsystems.com/downloads/wikid-strong-authentication-system-enterprise/"> WiKID Strong Authentication Enterprise server</a>. It is free for up to 5 users and only $24 per user per year after that!</p>
<p>The complete list of Cisco tutorials is <a href="http://www.wikidsystems.com/support/how-to/keyword/cisco/">here</a>. Let us know if there is something else you'd like to see!</p>

X2Go on Centos
2014-10-28T19:31:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/x2go-on-centos/
<p>I recently did a tutorial on how to add <a class="external-link" href="http://www.howtoforge.com/two-factor-authentication-from-wikid-to-x2go-remote-desktop-on-ubuntu">two-factor authentication to X2Go via pam-radius on Ubuntu</a>. I've been playing with X2Go since then on CentOS. I've released the <a class="external-link" href="http://packer.io">packer.io</a> scripts that I used to create my <a class="external-link" href="https://github.com/wikidsystems/packer_templates">X2Go virtual boxes on Github</a>. In addition, since packer can output AMIs, we've released a public AMI of the output. It is ami-c854d7a0 (based on a <a class="external-link" href="http://www.rightscale.com/">Rightscale</a> image).</p>
<p>The AMI is almost ready for two-factor auth. You still need to edit /etc/pam.d/sshd and add the line "auth sufficient pam_radius_auth.so" as the 2nd line. Also, add your RADIUS server and shared secret to /etc/raddb/server. (I'm still working out how to allow EC2 keys and pam-radius. Any help appreciated.)</p>
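<p>The two edits above, as an added helper script (not part of the X2Go AMI or of WiKID): it puts the pam_radius line in second place in the sshd PAM stack only if an active pam_radius_auth line is not already there, and it writes the /etc/raddb/server entry in the module's documented "server[:port] secret timeout" format with the file readable by root only, since it holds the shared secret. The sample PAM stack is constructed for the example.</p>

```python
"""Helpers for enabling pam_radius on the sshd PAM stack and for /etc/raddb/server.

Added example, not part of the X2Go AMI or WiKID; SAMPLE_PAM_SSHD is constructed.
"""
import os
from typing import Optional

PAM_RADIUS_LINE = "auth sufficient pam_radius_auth.so"


def add_pam_radius(pam_sshd_text: str) -> str:
    """Return the sshd PAM stack with pam_radius as its second line.

    The header comment (#%PAM-1.0) stays first. If pam_radius_auth.so is already
    on an active (non-comment) line, the text is returned unchanged so the
    script can be re-run safely.
    """
    lines = pam_sshd_text.splitlines()
    for line in lines:
        fields = line.split()
        if fields and not fields[0].startswith("#") and "pam_radius_auth.so" in fields:
            return pam_sshd_text
    lines.insert(min(1, len(lines)), PAM_RADIUS_LINE)
    return "\n".join(lines) + "\n"


def raddb_server_entry(host: str, secret: str, timeout: int = 3,
                       port: Optional[int] = None) -> str:
    """One line of /etc/raddb/server: server[:port], shared secret, timeout (s)."""
    if not secret or any(c.isspace() for c in secret):
        raise ValueError("shared secret must be non-empty and contain no whitespace")
    target = f"{host}:{port}" if port else host
    return f"{target}\t{secret}\t{timeout}\n"


def write_raddb_server(path: str, host: str, secret: str) -> None:
    """Create the file with mode 0600: it contains the RADIUS shared secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(raddb_server_entry(host, secret))


# Constructed sample of a CentOS-style /etc/pam.d/sshd before the edit.
SAMPLE_PAM_SSHD = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
"""

if __name__ == "__main__":
    print(add_pam_radius(SAMPLE_PAM_SSHD))
```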
<p>If you launch the AMI, you can add a user and that user can create a virtual desktop right away with the X2Go client. Pretty slick way to test it out.</p>

Our big list of two-factor authentication tutorials
2014-03-20T16:42:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/our-big-list-of-two-factor-authentication-tutorials/
<p>There's a great new site promoting the use of two-factor authentication by various web services: <a class="external-link" href="http://twofactorauth.org/">http://twofactorauth.org/</a>.</p>
<p>Of course, we are all for two-factor authentication. Our approach has been to educate systems administrators and integrators on how to implement two-factor authentication to various remote access solutions. To that end, here is our <a href="https://www.wikidsystems.com/support/support/big-list-of-two-factor-tutorials">big list of two-factor authentication tutorials.</a></p>

New server update
2014-02-06T15:09:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/new-server-update/
<p>The latest release of our two-factor authentication server is a strong one. We focused on speed enhancements and usability for some of our large (meaning multi-thousand users) enterprise customers. It is capable of performing close to <strong>500 authentications per minute</strong> in replication mode and well over 1000 per minute in stand-alone mode.</p>
<p>In addition, we have added filtering to the user page so now you can quickly find all the users that have say, iPhone software tokens. Pagination on the user and logging tabs also increases ease of use and performance.</p>
<p>One thing we have seen this year is growth in both new customers and growth in existing customers. As two-factor authentication deployments grow in size, we are improving our server to meet those needs.</p>
<p>We're also thinking about the fact that companies can now choose between a self-hosted two-factor authentication system, like WiKID, or one of the authentication-as-a-service offerings. Why would you give up control of the keys to your kingdom to a service? Ease of deployment, reliability, and cost spring to mind, and we're addressing those. WiKID is already <a class="internal-link" href="http://www.wikidsystems.com/pricing">less expensive than most Enterprise-class authentication services</a>. Our server is rock-solid reliable and simple to install. There is always room for improvement, though, so expect more from us soon.</p>
<p>If you are one of our customers or in the market for a two-factor authentication solution, I urge you to <a class="internal-link" href="http://www.wikidsystems.com/downloads/">test our latest server</a>.</p>

iPhone token woes
2013-11-14T18:21:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/iphone-token-woes/
<p>Last night Apple published what we thought was a minor update to our iPhone/iPad software token. This morning we started getting reports of trouble. We pulled the software token from the App Store as soon as possible. The App Store has no option to revert to the old binary, sadly. If you had the token set to auto-update, then you may no longer be able to get a one-time passcode from your WiKID server. There are two options: you can delete the domain on your token and re-register, or you can wait for an update, which we are feverishly working on.</p>
<p>We apologize for the inconvenience. We aim to offer reliable software that is easy and simple to maintain for us and admins. Today we failed to do so.</p>
<p>Nick</p>

HTML5 Token
2013-06-21T13:49:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/html5-token/
<p>For the record, our open-source HTML5 token was released in 2010 and is available on our SourceForge site: <a class="external-link" href="http://sourceforge.net/projects/wikid-twofactor/files/HTML5_Token_Client/">http://sourceforge.net/projects/wikid-twofactor/files/HTML5_Token_Client/</a>.</p>
<p>Just a note, as some folks are claiming they are the first open-source two-factor authentication solution.</p>

Reporting via our API
2013-06-05T14:37:00+00:00
admin
http://www.wikidsystems.com/blog/author/admin/
http://www.wikidsystems.com/blog/reporting-via-our-api/
<p>Reporting is a fact of life. And to be honest, good reporting is good for security. In this post, we will take a look at the reports you can generate via the wAuth API to help monitor and manage your two-factor authentication installation.</p>
<p>The first report is the user report:</p>
<pre><%
// wc is the wAuth client and status the variable that receives the report;
// both are assumed to be declared earlier in the JSP.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get User Report")) {
    // Output format: comma-delimited, tab-delimited, or XML (the default)
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // Checkbox parameters are present only when ticked, hence the null tests
    status = wc.getUserReport(separator,
                              request.getParameter("includeDisabledUsers") != null,
                              request.getParameter("includeTokenData") != null);
}
%>
</pre>
<p>The XML looks like this (note that the XML must be sent on a single line; it is broken across lines here for presentation):</p>
<pre>
<transaction>
  <type>12</type>
  <data dataType="USER" separator=",">
    <options>
      <includeDisabledUsers>true</includeDisabledUsers>
      <includeTokenData>true</includeTokenData>
      <groupUserData>false</groupUserData>
      <includeDisabledDevices>false</includeDisabledDevices>
      <includeUnregistered>false</includeUnregistered>
    </options>
  </data>
</transaction></pre>
<p>The report is available in comma-delimited, tab-delimited and XML form. The columns are:</p>
<pre>username,badPasscodes,userCreation,userStatus,tokenDeviceID,tokenStatus,badPINs,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName </pre>
<p>This report will show you users that are perhaps in danger of being disabled for bad passcode attempts (i.e., bad logins) or bad PIN attempts.</p>
<p>If you run multiple domains, you may want a report based on domains:</p>
<pre><%
// wc is the wAuth client and status the variable that receives the report;
// both are assumed to be declared earlier in the JSP.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get Domain Report")) {
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // groupUserData groups the rows by user within each domain
    status = wc.getDomainReport(separator, request.getParameter("groupUserData") != null);
}
%>
</pre>
<p>This report shows the following information:</p>
<pre>domainName,domainCode,deviceDomainName,userName,tokenDeviceID</pre>
<p>Each user can have more than one token/device. You can generate a report of your two-factor authentication users based on their tokens:</p>
<pre><%
// wc is the wAuth client and status the variable that receives the report;
// both are assumed to be declared earlier in the JSP.
if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Get Device Report")) {
    ReportDataTransaction.Separator separator;
    if ("comma".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.COMMA;
    } else if ("tab".equals(request.getParameter("separator"))) {
        separator = ReportDataTransaction.Separator.TAB;
    } else {
        separator = ReportDataTransaction.Separator.XML;
    }
    // Optionally include disabled and not-yet-registered devices
    status = wc.getDeviceReport(separator,
                                request.getParameter("includeDisabledDevices") != null,
                                request.getParameter("includeUnregistered") != null);
}
%>
</pre>
<p>The output:</p>
<pre>deviceid,username,badPINs,tokenStatus,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName</pre>
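<p>As an added example (not WiKID's own code), here is a small Python monitor over the comma-delimited user and device report output described above: it parses the report by header name and flags the users the user report is meant to surface, those close to being disabled for bad passcodes or bad PINs, plus tokens about to expire. The sample rows are constructed, and the YYYY-MM-DD date format is an assumption to check against your server's actual output.</p>

```python
"""Flag at-risk entries in the comma-separated WiKID reports shown above.

Added example, not WiKID's own code. Assumes the report text (COMMA
separator) is a header row plus one row per user or device, and that
dates are YYYY-MM-DD (assumption; check your server's real output).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample user report, column order as shown above.
SAMPLE_USER_REPORT = """\
username,badPasscodes,userCreation,userStatus,tokenDeviceID,tokenStatus,badPINs,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName
alice,0,2013-01-10,ENABLED,1001,ENABLED,0,2014-06-01,2013-01-10,123456789012,CorpVPN,vpn.example.com
bob,4,2013-02-03,ENABLED,1002,ENABLED,1,2013-06-20,2013-02-03,123456789012,CorpVPN,vpn.example.com
carol,0,2013-03-15,ENABLED,1003,ENABLED,5,2014-02-01,2013-03-15,123456789012,CorpVPN,vpn.example.com
"""

# Constructed sample device report; handled by the same functions since
# they key on header names, not column positions.
SAMPLE_DEVICE_REPORT = """\
deviceid,username,badPINs,tokenStatus,tokenExpiration,tokenCreation,domainCode,domainName,deviceDomainName
2001,dave,3,ENABLED,2014-01-01,2013-01-01,123456789012,CorpVPN,vpn.example.com
2002,dave,0,ENABLED,2013-06-10,2013-01-01,123456789012,CorpVPN,vpn.example.com
"""

def parse_report(text, separator=","):
    """Parse report text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text), delimiter=separator))

def flag_risky(rows, max_bad=3, expiry_window_days=30, today=None):
    """Return {username: [reasons]} for rows needing attention: a
    badPasscodes/badPINs count at or above max_bad (account or token is
    close to being disabled) or a token expiring within the window.
    today is a YYYY-MM-DD string; it defaults to the current UTC date."""
    base = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now(timezone.utc)
    horizon = base.date() + timedelta(days=expiry_window_days)
    flagged = {}
    for row in rows:
        name = row.get("username") or row.get("userName")
        token = row.get("tokenDeviceID") or row.get("deviceid")
        reasons = [f"{col}={row[col]}" for col in ("badPasscodes", "badPINs")
                   if col in row and int(row[col]) >= max_bad]
        exp = row.get("tokenExpiration")
        if exp and datetime.strptime(exp, "%Y-%m-%d").date() <= horizon:
            reasons.append(f"token {token} expires {exp}")
        if reasons:
            flagged.setdefault(name, []).extend(reasons)
    return flagged
```

<p>Feed the text returned by getUserReport() or getDeviceReport() with the COMMA separator into parse_report() and pass the rows to flag_risky(); tune max_bad to sit just below your server's disable threshold.</p>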
<p>If you have any additional reporting needs, please let us know!</p>PCI Compliance2013-05-15T16:31:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/pci-compliance/<p>If you are using the WiKID Strong Authentication System to meet the PCI-DSS requirement for two-factor authentication, you should upgrade to the latest version of the server. We have a couple of fixes for issues that popped up in a scan. See the <a class="internal-link" href="https://www.wikidsystems.com/downloads/changelogs">Changelogs</a>. In particular, build 3.5.0-b1411 disabled unnecessary HTTP methods and 3.5.0-b1403 removed weak SSL ciphers from the WiKIDAdmin.</p>New Drupal two-factor module released - CMS authentication issues2013-02-28T19:59:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/new-drupal-two-factor-module-released-cms-authentication-issues/<p>WiKID is pleased to announce the release of a <a href="http://drupal.org/sandbox/greghaygood/1927960">two-factor authentication module for Drupal</a>.</p>
<p>I'm personally really happy about the feedback we've already gotten and the questions posed. It clearly shows the issues software projects face regarding the implementation of two-factor authentication. In reality, it is the implementation of authentication in general. Clearly, the days of storing the username and password in the CMS database are (hopefully) over. So what should it look like now? In my opinion, it should handle the session, be pluggable and provide lots of logging.</p>
<p>By 'handle the session' I mean that if the authentication is successful, everything else should just work. It should not matter what form of authentication is performed, and you should not need to create a new account; if you do have to, it should be as simple as possible.</p>
<p>By pluggable, I mean that it should handle really any type of authentication via a simple process. Linux PAM is a good example, as is Plone. Plone provides a super simple example that you can copy (as I did).</p>
<p>Sadly, logging is where many fall down. Plone's authentication system totally eats any feedback. This makes it very hard to determine where the issue is. Organizations with two-factor authentication typically have three or more nodes: the client (the CMS or VPN), a radius server (ACS, NPS, Freeradius), a directory (LDAP, NPS) and a two-factor authentication server (<a class="internal-link" href="https://www.wikidsystems.com/downloads" title="Downloads">WiKID</a>, of course). If one of these nodes isn't logging properly, it just makes it that much more difficult to troubleshoot.</p>
<p>So, the inevitable question for us: why didn't you use or develop a pluggable auth module for Drupal? Because our API does so much more than just authenticate. Indeed, most of the API was developed for user management in a multi-tier, multi-tenant environment. You can register tokens, add tokens to existing users, re-enable users, list users by domain, delete tokens, delete users, etc., all on a per-network-client basis.</p>
<p>If you use Drupal for any Enterprise-oriented software projects that require some extra security, please give our module a whirl.</p>Are most people doing two-factor authentication right?2012-11-15T16:30:00+00:00adminhttp://www.wikidsystems.com/blog/author/admin/http://www.wikidsystems.com/blog/are-most-people-doing-two-factor-authentication-right/<p>Needless to say, we're big proponents of two-factor authentication around here. We also have a pretty broad spectrum of customers, from large service providers pushing two-factor authentication out to customers to small businesses doing security for the first time thanks/due to <a class="external-link" href="https://www.pcisecuritystandards.org/">PCI requirements</a>. A lot of infosec rock stars talk about how PCI should be a floor; without disagreeing, we see first-hand companies reaching that floor, called by some the '<a class="external-link" href="https://451research.com/t1r-insight-living-below-the-security-poverty-line">information security poverty line</a>', and know that it is a big improvement.</p>
<p>One of the key ways we know whether a company is really trying or not is how they configure their two-factor authentication in their network. PCI regulations can be met by having your VPN talk directly to the two-factor authentication server. This configuration is quite easy if you use radius.</p>
<p>It takes more effort up front to have the VPN concentrator talk to your directory, have the directory perform authorization, and then proxy the authentication request to the WiKID Strong Authentication server. However, the security benefits of this setup are clear. It is much easier to deprovision users and to have role changes reflected immediately. Long term, it's also less work and more flexible.</p>
<p>While recently reviewing our web analytics, I was interested to see that our top instructional content piece over the last 90 days is "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps" title="How to add two-factor authentication to NPS">How to add two-factor authentication to NPS</a>". The next most popular is our tutorial on <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu" title="How to configure Pam-radius in Ubuntu">"PAM radius for Ubuntu"</a>, followed by "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius" title="How to add two-factor authentication to OpenLDAP and Freeradius">How to add two-factor authentication to OpenLDAP & Freeradius"</a>. Less popular, but still higher than most of our VPN tutorials, is "<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-ias-to-support-two-factor-authentication" title="How to configure IAS to support two-factor authentication">How to Configure IAS to Support Two-factor authentication</a>".</p>
<p>So two of our top three tutorials of late are about setting up two-factor authentication correctly. Of course, you can argue that almost everyone that has a directory is using AD or OpenLDAP, whereas we have a tutorial for all the major VPN providers (<a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-a-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid" title="How to configure a Cisco VPN concentrator for two-factor authentication from WiKID.">Cisco</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-use-wikid-strong-authentication-with-juniper-uac-appliance" title="How to use WiKID Strong Authentication with Juniper IC Series UAC Appliance">Juniper</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-a-sonicwall-vpn" title="How to add WiKID Two-Factor Authentication to a SonicWall VPN">Sonicwall</a>, <a class="internal-link" href="https://www.wikidsystems.com/support/wikid-support-center" title="WiKID Documentation Center">etc. etc</a>.), but I choose to see it as heading in the right direction. (Of course, if I weren't an uber-optimist I would have a real job instead of being</p>
<p>In addition, these numbers do not include the downloads for our eGuide on <a class="internal-link" href="https://www.wikidsystems.com/learn-more/white-papers"><span class="internal-link">Adding Two-factor Authentication to your Network</span></a>, which of course stresses the inclusion of your directory, with NPS as an example.</p>