2 July 2015

Winfrasoft to Help Organisations Move from Passwords and Hard Token Authentication at the Security IT Summit 2015

Winfrasoft today announced that at the Security IT Summit 2015 it will be demonstrating how organisations can move away from password-based security with the award-winning PINgrid, PINpass and PINphrase. The one-day event takes place on 7th July at the Hilton London, Wembley.

At the Security IT Summit, Winfrasoft (an OATH and FIDO Alliance Member) will provide security professionals working in B2B and B2C organisations with a fresh alternative to their current authentication and transaction verification methods. Delegates will learn how they can remove the reliance on password-based authentication and pressure on the helpdesk for resets, eliminate procurement costs and administration surrounding card readers and keyring tokens, and innovate without the need to implement expensive biometrics.

- PINgrid is an award-winning and patented multi-factor authentication and transaction signing solution that is being used in the public and private sector today to transform any mobile device into a soft-token, via a simple offline app, replacing passwords with a memorable pattern that automatically generates an OTP.

- PINpass turns any mobile device into a token by sending a six to eight digit OTP to it via SMS or email. By combining it with a PIN, or an existing Active Directory password, PINpass creates a strong 2FA solution.

- PINphrase uses Random Character Authentication.

PINgrid, PINphrase and PINpass all support implementation in 1.5 and 2FA environments.

Sales Director at Winfrasoft, Fred Astfeldt comments: “Recently we have seen a reaction from retail banks as they start to offer customers a choice in how they authenticate themselves online, giving the option to continue with card-reader or keyring token, or to login using their memorable information. In PINphrase, Winfrasoft is the only authentication specialist with an off-the-shelf product that enables any organisation to implement this form of authentication without the need to develop it in-house.”

Astfeldt adds: “Our solutions have been rigorously tested in public and private sector organisations and have been proven to deliver strong, robust and reliable authentication. However, they have also been demonstrated to have a major impact on improving the end-user experience.”

In addition to PINgrid, PINphrase and PINpass, Winfrasoft will also be demonstrating its Enterprise Desktop Logon and Remote Desktop Agent for organisations using Microsoft’s Remote Desktop Services, Citrix and VMware. These solutions enhance secure access to the corporate network, applications and data by augmenting the username and password login with either 1.5 or 2FA.

For more information about the Security IT Summit visit: www.securityitsummit.events

Follow the event on Twitter @SecIT_Summit

18 June 2015

Why Password Vaults, and Emojis are not the Future of Authentication

The news this week that LastPass has suffered a security breach is a reminder of why I am not a fan of the password vaults currently on the market.

Password vaults serve one purpose only and that is to make it easier for people to store their login credentials centrally. They are not about making those credentials more secure. Yes, you will see marketing materials talking about encryption and the like, but at the end of the day all you are doing is consolidating your passwords and ‘securing’ them with just one master code.

People buy in to password vaults for convenience; in fact, LastPass has the tagline ‘The last password you’ll ever need’. It is essentially the same as storing all your credit, debit and store cards, along with your driving licence and cash, in a wallet. It seems like a great idea until it gets stolen.

For me, the root cause of the problem isn’t the password vault itself, but the password. Most of us tend to see the login screen as an obstacle that stands in the way of us doing what it is that we want to do. Anything that makes it quicker and easier to get through the process is welcomed with open arms. To illustrate my point, how many of you click the ‘remember this password’ when given the opportunity? I know I have.

If we are being honest, most of us are willing to make some form of trade-off between security and convenience, but we should not be expected to do so. Passwords continue to haunt our lives because organisations decide to enforce their use, and in most instances they do so because they don’t know what else to do. As security professionals it is our role to give these organisations a choice, show them that there is a better way and, crucially, put forward a compelling business case that will drive lasting change.

At the same time LastPass has been hitting the headlines this week, so too has Tripwire for its attempt to solve the problem using Emojis. As a marketing gimmick it has certainly succeeded in grabbing attention, and they seem to be heading in the right direction by trying to make login credentials easier to remember and leveraging the capabilities of mobile devices. But could such a solution viably replace every website, mobile app or corporate network that currently uses a password? Emojis might appeal to millennials logging on to a social forum, but would a silver surfer feel comfortable using them for their online banking? It may well be more secure than a password but I can’t imagine entering: smiley face, sad face, birthday cake and love heart to authorise a transaction from my corporate bank account!

Meanwhile, at the other end of the scale, biometrics are promising to change the world, but unless you are a large bank with money to burn it is pretty much out of reach, and even then you have the issue of standardising on a biometric.

This is the big challenge we as an industry face if we are going to replace something as ubiquitous as a password. We need to find something that has the potential to be just as ubiquitous in the future, otherwise we will be stuck in the same old rut. 

We think we might have just the thing! www.pingrid.com 

Author: Fred Astfeldt, Winfrasoft

11 June 2015

Reducing Customer Friction with Better Authentication

Retail banks around the world are trying to get to grips with a difficult challenge: how to make their identification and authentication processes secure enough to protect them and satisfy the regulators, while at the same time balancing that with the desire of customers to have a frictionless experience. This was one of the key issues debated at a one-day conference held at the Department of Business Innovation and Skills in London last week.

Attended by experts in e-identity and authentication, those working in some of the largest banks in Europe, as well as representatives from the European Commission and the European Banking Association (EBA), the event was held a few weeks after 24 out of 28 authorities from EU member states signed up to the new EBA guidelines for online payment security. Coming into force from 1st August 2015, these guidelines require banks to have stronger authentication whereby a customer must provide non-reusable security details. So, unsurprisingly, online payments were a red hot topic of conversation.

The problem with online payments today is that when consumers buy something online they reach for their debit or credit card. However, these cards were introduced when there was no Internet and were designed to be presented at the point-of-sale. As a result banks are having to deal with huge amounts of fraud from online card payments, costing huge sums of money and draining resources.

Since their introduction cards have evolved, with chip-and-PIN and, more recently, contactless payment technology for low value transactions, but the latter makes these cards more, rather than less, susceptible to crime. So it is interesting to see the rapid uptake of this innovation, which suggests customers are willing to trade a level of security for convenience, in much the same way as they opt for easy to remember passwords for their online accounts.

The problem for banks is that whilst customers may be happy with a trade-off, the banks and their regulators are not. However, they know that to gain and retain customers they need to find ways of delivering a more frictionless online experience. Hence, whether you are a business or a retail customer you may have seen the need for your card reader or key-ring number generator (otherwise known as a hard-token) diminish in favour of more convenient methods of online authentication. Of course, this is also great news for banks as the cost to administer these devices is very high indeed.

However, during the conference it was clear that banks are eager to find ways to strengthen their identification and authentication processes in a friction free manner, and worryingly many explained how they are investigating the use cases of biometrics in all its forms.

In my opinion, there are a number of significant stumbling blocks when it comes to biometrics. Not only the level of investment and management that is required, and the sophistication of biometric readers on the current crop of ‘smart devices’, but also the challenge and cost of on-boarding all new and existing customers. This is far from the frictionless experience that customers are wanting, and banks are replacing one costly technology with another! Also, these readers currently feature on the higher end devices, alienating the majority of customers. And, as one speaker was quick to point out – what happens if a customer using biometrics is a victim of fraud? Criminals will undoubtedly find a way to cheat the system. So, how does a victim then go about proving they are who they say they are?

One of the most insightful observations of the day was that banks can choose to add as many ‘layers’ of security as they wish, but if they are going to satisfy the customer they need to make the customer feel like they are using just one, any more and they feel like barriers. So, whether they are logging on or transacting via a website, on a desktop PC, a browser on a smartphone or tablet, or via an app, the process needs to be convenient, reliable and of course trusted.

This is why the username, password and memorable information approach has been well adopted: it is device agnostic. So, if you want to have stronger security (and whilst this approach is strong it could be stronger) you need to find a solution that can also work in this environment, and currently biometric readers are neither robust nor ubiquitous enough to satisfy these requirements.

However, there was unanimous consensus that using smart/mobile devices was undoubtedly the way forward. Using these devices presents a way to improve the authentication process for banks, without adversely impacting or burdening the customer. Yet, rather than biometrics, these devices can be used to replace card-readers or key-ring tokens, by augmenting the username and password login with a one-time code generated through an offline app residing on the device.

From the banks’ perspective this approach is relatively inexpensive when compared to hard-tokens and biometrics. It can be rolled out rapidly at a regional, national or international level and it eases the possible friction for the customer.

Another great benefit of this approach is that as well as being used for logging on to online bank accounts, it can also be used for swift online transaction verification, meaning online card payments can be afforded a far greater level of protection, which is great news for the banks who can save millions in reduced fraud incidents and the customers who are less likely to be innocent victims.

Author: Steven Hope, CEO, Winfrasoft

1 June 2015

Is Your Action Camera Watching You?

Here at Winfrasoft we think action cameras are great pieces of kit, whether you want to capture for posterity the three-legged race at the school sports day, or are abseiling down a cliff. However, this morning we were as surprised as anyone to learn that the camera, and the images, video and audio recorded and stored on it, can be vulnerable to attack.

Today, the BBC has reported that the latest Hero4 device from the market leading action camera vendor GoPro could be compromised by, yes you guessed it, weak password security!

In the video report, Ken Munro from Pen Test Partners explains how these cameras use WiFi to sync with the GoPro app on the user’s mobile device. Those of you who have an action camera will know that from the app you can have complete control over the camera’s features and functions. And it works fantastically well.

The problem is that the GoPro app requires a password and, as Mr Munro rightly points out, people typically choose simple passwords. As a result, the ‘intruder’ can take full control of your camera without you knowing! In fact, they were able to crack the password in just a few seconds, using a dictionary attack. As a result the intruder can choose when the camera is switched on or off, can record (both video and audio) and can even switch off the usual lights and sounds, so you would never know that the camera sat on the table is capturing everything.

Of course, most criminals are not going to be interested in your adrenaline fuelled holiday adventures, but the thought of someone possibly listening and watching without you knowing feels somewhat sinister and intrusive. The advice from Pen Test Partners is to make the password as strong as you can, but anyone who reads this blog regularly will know that there really isn’t such a thing. So, if you want to be 100% safe then make sure you have the WiFi setting on your camera switched off.

You can read the full story and watch the video at: http://www.bbc.co.uk/news/technology-32934083

Author: Steven Hope, Winfrasoft

27 May 2015

How to Secure Every Remote Desktop with 2FA

You may find it hard to believe but I am just about old enough to remember a time when you switched off your office PC at the end of the day and that was it. If you wanted to finish off that all important presentation you could take a laptop home, but there would be no network access. So, you hurriedly copied and pasted everything on to the desktop on a Friday afternoon. Sound familiar?

Today, thanks to great technology such as Microsoft’s Remote Desktop Services and of course many others, we can all get (and indeed expect) access to our desktop resources whether in a coffee shop, airport lounge, train or a customer site.  Logging on in this way is now second nature.  It means we are free from the shackles of the office-bound desktop and arguably a lot more productive.

But, for many organisations this freedom comes at a price and that is compromised security. Does the benefit outweigh the risk? I am not so sure, as you are only as strong as your weakest link. Being able to offer remote desktop access from a technical perspective is relatively simple and low cost (again thanks to the likes of Microsoft), but securing it adequately and effectively has traditionally been expensive and prohibitive.  I am of course talking about two-factor authentication (2FA).

As 2FA isn’t built into Microsoft Remote Desktop Services, the only option for organisations conscious of protecting their desktop PCs, and the network upon which they reside, from data breaches and cyber threats has been to invest in a separate solution. But, traditionally 2FA has been the preserve of key-ring token providers, which require a large (the numbers can be quite frightening) up-front investment and demand a lot of administrative resource. There is often a lot of resistance from those who will be using the token and, unless you have a huge remote workforce, the numbers simply don’t stack up to make it a viable proposition.

Add into the mix regulatory compliance policies for some sectors that demand 2FA is used. You have one camp that is forced to make the painful investment, and the other that simply cannot justify or afford it and must enforce a blanket ban on remote access. Of course, there will be a few ill-advised cases that choose to risk it.

For those not needing to adhere to regulation, the majority settle for the default username and password combination that Microsoft Remote Desktop Services offers.  However, with advances in technology, most notably the ability to place soft-tokens on to mobile devices, the costs have plummeted and it is easier than ever to manage.

From today, organisations using Microsoft Remote Desktop can strengthen their security with 2FA by augmenting the username and password screen with the need to enter a unique one-time passcode.

Using the new Winfrasoft Remote Desktop Agent, all the user needs to do is download the PINgrid app on to their phone. From this point, when logging in, they simply open the app and enter the digits that appear in their PINgrid pattern. It is also great news for the IT team as there is no need for any code changes, making it very quick and easy to deploy, whether you are an SME or a large multi-national enterprise.

The Remote Desktop Agent makes strong 2FA affordable for all. So, those who need to comply with regulation but could not afford to do so, now can. Organisations of all shapes and sizes that want to secure their desktop access with 2FA have the option to do so. And, those that have had their hands tied and are using expensive hard-tokens now have a viable alternative to consider when their next license renewal is due.

For more information about Winfrasoft Remote Desktop Agent contact a member of our team on Tel: +44 (0)118 336 8330, or Email: sales@winfrasoft.com

Author: Steven Hope, CEO, Winfrasoft

PRESS RELEASE: Winfrasoft Launches Remote Desktop Agent to Deliver Two-Factor Authentication For Microsoft’s Remote Desktop Services

Winfrasoft today announced the launch of its Remote Desktop Agent (RDA) that takes advantage of its award-winning PINgrid solution to deliver secure two-factor authentication (2FA) for organisations using Microsoft’s Remote Desktop Services. Quick and easy-to-deploy without the need for code changes, RDA enables IT security teams to comply with 2FA policy requirements, without slowing down the user log-in experience.

When a user attempts to log-in to their desktop remotely they are presented with the familiar username and password challenge, alongside which they are asked to enter their one-time PINgrid passcode. The user simply enters the digits included within their individual PINgrid pattern, which is displayed on their smartphone or tablet, via the PINgrid app. For organisations that want to strengthen their authentication but do not require full 2FA, RDA can be deployed directly on to the login screen as a non-obtrusive 1.5FA solution.

CEO of Winfrasoft, Steven Hope comments: “Many organisations rely on Microsoft’s Remote Desktop Services to provide employees with anywhere access to their desktop via an Internet connection. The big problem for IT security teams is that it doesn’t have two-factor authentication built-in. Our RDA solution uses PINgrid, which is trusted by public and private sector organisations around the world to deliver strong authentication.”

Remote Desktop Agent is available now.

5 May 2015

Creating a Pattern for Authentication

We all use patterns to create passwords and have our own ‘unique’ formulas that we hope will keep us secure and able to remember them. So, I was not surprised to read a story on TechWeekEurope in which Praetorian had reported that half of users’ passwords follow just 13 structures.

What did shock me though is that there were as many as 13. How many of you use the tried and tested pattern for creating a password that begins with a capital letter at the start of a memorable word, followed by a memorable number and ending in an exclamation mark? My guess is that it is the majority of you!

It may seem to make sense that fewer structures inevitably make it easier for hackers to decipher passwords and therefore organisations should have policies for ‘strong’ passwords enforced upon them to avoid the obvious, and make it harder. However, the fact of the matter is even if there were double, quadruple or even ten times the number of structures being used, all it would do to a determined cybercriminal is slow them down a little, forcing them to use a wider variety of tools and tactics in their arsenal. It certainly would not stop or deter them.

My answer to the problem is simple. If people like using patterns to create passwords and those passwords are not secure, then remove the password from the equation altogether and use the pattern. This is the foundation upon which PINgrid is based.

Of course, the obvious question to ask is what is to stop the professional cybercriminal or opportunist from simply guessing, or identifying, patterns? After all, surely that is easier than passwords! So, here is the clever part. Unlike passwords, the user never discloses the pattern that they have chosen.

Using PINgrid, when the user logs in they simply type in the digits displayed in their memorable pattern (the grid uses the digits 0-5). Because these digits are constantly changing, the range of possibilities is huge: in a standard 6x6 configuration PINgrid provides 2.1 billion unique pattern possibilities; scale that up to 8x8 (with digits 0-7 used in the grid) and the number grows to an incredible 68.7 billion.
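As an added illustration (this is not Winfrasoft's code and is a simplified model, not PINgrid's actual algorithm), the Python below sketches a grid-pattern one-time code of the kind described above and reproduces the pattern-space figures, assuming a six-cell ordered pattern in which cells may repeat. It also lets the verifier generate the grid, whereas the post describes an offline app, which would have to derive the grid from a shared seed; the post does not detail that.

```python
import hmac
import secrets
from typing import Callable, List, Sequence, Tuple

Cell = Tuple[int, int]  # (row, column), zero-based

# Grid sizes follow the post: 6x6 showing digits 0-5, 8x8 showing digits 0-7.
# A six-cell ordered pattern (cells may repeat) is an assumption; it is the
# length for which 36**6 and 64**6 give the post's 2.1 and 68.7 billion.
PATTERN_LENGTH = 6


def generate_grid(size: int,
                  randbelow: Callable[[int], int] = secrets.randbelow) -> List[List[int]]:
    """Return a fresh size x size grid whose cells hold digits 0..size-1.

    A new grid is produced for every login attempt, so the digits the user
    reads off the same pattern differ each time: that is the one-time code.
    """
    return [[randbelow(size) for _ in range(size)] for _ in range(size)]


def check_pattern(pattern: Sequence[Cell], size: int) -> None:
    """Reject patterns that are the wrong length or point outside the grid."""
    if len(pattern) != PATTERN_LENGTH:
        raise ValueError("pattern must have %d cells" % PATTERN_LENGTH)
    for r, c in pattern:
        if not (0 <= r < size and 0 <= c < size):
            raise ValueError("cell (%d, %d) is outside a %dx%d grid" % (r, c, size, size))


def derive_code(grid: Sequence[Sequence[int]], pattern: Sequence[Cell]) -> str:
    """Read the digits sitting on the pattern's cells, in pattern order."""
    check_pattern(pattern, len(grid))
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid: Sequence[Sequence[int]], pattern: Sequence[Cell], submitted: str) -> bool:
    """Verifier-side check: the server keeps the enrolled pattern and the grid
    it displayed, recomputes the expected digits and compares in constant time.
    Only the digits ever cross the wire; the pattern itself is never sent."""
    expected = derive_code(grid, pattern)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def pattern_space(size: int, length: int = PATTERN_LENGTH) -> int:
    """Ordered patterns of `length` cells on a size x size grid, cells reusable."""
    return (size * size) ** length


def code_space(size: int, length: int = PATTERN_LENGTH) -> int:
    """Distinct codes one login can produce: each digit is one of `size` values.
    This is far smaller than the pattern space, so the verifier must throttle
    and lock out repeated wrong guesses just as it would for any OTP."""
    return size ** length


if __name__ == "__main__":
    enrolled = [(0, 0), (0, 1), (1, 1), (2, 2), (3, 3), (5, 5)]  # constructed pattern
    shown = generate_grid(6)
    for row in shown:
        print(" ".join(map(str, row)))
    typed = derive_code(shown, enrolled)  # what the user reads off the app
    print("code entered:", typed, "accepted:", verify(shown, enrolled, typed))
    print("6x6 patterns: %d, codes per login: %d" % (pattern_space(6), code_space(6)))
    print("8x8 patterns: %d, codes per login: %d" % (pattern_space(8), code_space(8)))
```

The gap between the pattern space and the per-login code space (2.1 billion versus 46,656 for 6x6) is the practical caveat: the pattern is hard to guess, but a single login's six digits are not, so attempt limiting on the verifier is still essential.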

Author: Alissa Lang, Winfrasoft