Introduction

Virtual Private Networks (VPNs) are a critical technology for supporting today's agile, dispersed workforce. They provide end-users secure access to corporate network resources regardless of their physical location and have become commonplace in today's quick-paced business world. Allowing remote users this type of access boosts efficiency and responsiveness but does introduce a consequential amount of risk. Secure authentication is the primary way to mitigate this risk, but achieving the requisite level of security can often introduce usability issues for end-users.

The options available to authenticate VPN users are typically:

Single factor: Users are only required to provide their network username and password. This is the bare minimum for allowing access and is no longer considered secure enough. If ignoring the potential costs of a data breach, use of passwords introduces very little overhead.

Certificate-based: The first attempt at stronger authentication used digital certificates. End-users would maintain their own certificate issued by a trusted authority that was leveraged to prove their identity through a series of cryptographic operations. A benefit of certificates is that mutual authentication ensures both the server and the end-user prove their identity to each other. Furthermore, moving the certificate to a hardware device like a smart card could also enable true two-factor authentication. However, administration of a Public Key Infrastructure (PKI) includes numerous processes for handling enrollment, expiration and revocation of certificates. The complexity of this authentication type entails a steep learning curve for both administrators and end-users alike.

Two-factor (Hard Tokens): In addition to requiring that users provide their username and password (something they know), two-factor introduces the need for them to prove they either have something or are something (e.g. biometrics). Of the two, proving possession of a physical device is much more mature and reliable. Examples of hardware-based tokens include key fobs such as RSA SecurID, USB-based tokens like Yubico's YubiKey and smart cards. Possession of the hardware token is proven by either entering a time- or counter-based One Time Passcode (OTP) or by the hardware performing some cryptographically secure operation. Hardware-based tokens are the elder statesman of two-factor authentication, but also typically have high associated initial or ongoing maintenance costs.

Two-factor (Soft Tokens): A newer form of two-factor leverages the ubiquity of mobile phones. In this case, they replace an otherwise under-utilized key fob as the device of which ownership must be proven. This could entail the phone receiving a dynamically generated OTP via SMS or phone call, or could involve a native mobile app that generates a time-based OTP after the device is enrolled. In both cases, the user must typically enter the OTP manually. Some two-factor vendors utilize "push" technology to alert an app on the phone that only requires the user to confirm their access request, but these typically incur per-use costs and cannot be internally hosted.
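The counter-based and time-based OTPs that both the hard-token and soft-token options above rely on are standardized as HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example, not PortalGuard's code or part of this paper, showing how a VPN authentication server computes and verifies such codes. It uses the shared test secret published in those RFCs ("12345678901234567890") and assumes the server stores, per user, the secret and, for HOTP, the last counter value it accepted. The verifier tolerates a small window of clock drift or skipped presses, compares codes in constant time, and refuses to accept an HOTP counter that has already been used (replay).

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (published, not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side TOTP check.

    Accepts the code for the current time step and up to `window` steps on either
    side so that modest clock drift between phone/fob and server does not lock the
    user out. Comparison is constant-time so a timing side channel cannot reveal
    how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def verify_hotp(secret: bytes, candidate: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Server-side HOTP check with replay protection.

    Only counters strictly greater than the last accepted one are tried, so a
    captured code cannot be presented twice. `look_ahead` allows for presses of the
    fob that never reached the server. Returns the matching counter (which the
    caller must persist as the new `last_counter`) or None on failure.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Values below are the RFC 4226 / RFC 6238 Appendix test vectors.
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                   # 755224
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
    print("drift of one step accepted:",
          verify_totp(RFC_TEST_SECRET, "94287082", 59 + 30, digits=8))   # True
    print("replay of counter 0 rejected:",
          verify_hotp(RFC_TEST_SECRET, "755224", last_counter=0))        # None
```

The replay check in `verify_hotp` is the part most often missed in home-grown implementations: an OTP that is merely "valid for this counter" is not enough, the server must also remember that it has been spent. For TOTP the equivalent defence is to record the time step of the last successful login and refuse a second code from the same step.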

A new alternative for two-factor authentication leverages the user's machine as the hardware token. The need for ancillary devices is completely removed with this option. In addition to standard hardware and software-based token methods, PortalGuard also offers this new alternative and refers to it as "PassiveKey for VPN". There are numerous benefits to this approach:

  • End-users are freed from needing to tote around key fobs or have adequate cell phone reception
  • End-users do not need to manually enter OTPs
  • PassiveKey enrollment can be completely automated and silent by leveraging Kerberos and Active Directory integration
  • PassiveKey use is simple and straightforward: it does not degrade the user experience
  • Companies eliminate the cost associated with hardware tokens and per-use software tokens
  • Two-factor authentication for security or compliance reasons is still achieved