
25 August 2015

Case study: The City of St. Petersburg

Known as “The Sunshine City”, St. Petersburg, Florida in the US averages 361 days of sunshine each year. It covers 61.7 sq. miles and has a population of approximately a quarter of a million people, making it the 5th largest city in Florida. St. Petersburg has emerged as a top destination for the arts with the Dali Museum, the Dale Chihuly world-renowned glass collection, and six art districts. It is the job of the city’s 2,500+ employees to provide the essential services and support that keep the city running smoothly.

The challenge

The city has a growing number of employees that need to access resources on the city network, whilst working away from the office. To help them, the city implemented a remote access solution from VMware and mobile device management from AirWatch. However, with many of the software applications not available in mobile versions, it was causing a problem for those logging on via tablets and smartphones.

The solution was to use VMware View, which would give employees remote access to the desktop applications they needed from their mobile devices. However, this increased the security risk, as Brian Campbell, Information Technology Security Officer at the City of St. Petersburg, explains: “The only security requirement offered by VMware View to gain access to the users' desktop was their security credentials of user ID and password. Whilst we have stringent policies for user ID creation and robust password management, we recognised that it simply was not enough.”

Mr. Campbell uses the example of a mobile device being inadvertently infected with a key-logger, which could capture the login credentials and potentially be used to infiltrate the system and cause disruption.

The city decided that an additional layer of security was needed and a two-factor authentication (2FA) solution would be the most prudent way forward. The city’s Information Security team investigated, demonstrated and discounted a number of the market leading solutions. Mr. Campbell explains: “The solutions we looked at were not straightforward, elegant, nor in a small enough form factor to make us feel comfortable in choosing any of them. That is until we found PINgrid from Winfrasoft.”

Initially the simplicity of PINgrid made the team wary, but also intrigued enough to embark upon rigorous and thorough testing to scrutinise every aspect of the solution. The result was zero failures. “We had to know if a solution so simple could meet our high expectations,” adds Mr. Campbell. “During the testing phase we were in frequent contact with the Winfrasoft team and their responses to our questions were always immediate and positive. Not only were we impressed with the solution, we were also impressed with their customer service.”

Having found its 2FA solution, the city invested in user licenses for PINgrid for the members of staff who are authorised to have remote access, and today it is fully integrated with the VMware solution.

The benefits

To use PINgrid all an employee with remote access rights needs to do is download the app (available from all major app stores) on to their mobile device. Meanwhile, the Information Security team creates their account which in turn triggers an email to be sent to the employee, which includes their initial PINgrid pattern. The entire process takes a matter of minutes.

Now, all the user needs to do to log in is to access VMware View, but before they enter their username and password they are prompted for a One Time Code. This code is obtained by simply opening the PINgrid app and entering the corresponding digits that appear in their pattern.

“For staff choosing to install the app on their personal devices we ensured that they understood that the PINgrid app is essentially a standalone number generator requiring no Internet access, no “phone home” requirement, and giving them reassurance that it is completely independent and that they could use it with confidence,” notes Campbell.

“We have found that the beauty of PINgrid is in its simplicity,” remarks Mr. Campbell. “It has been easy to deploy and the roll-out required virtually no user training. Even though we offered it to everyone, only around 5% of the users requested assistance.” Campbell concludes: “PINgrid is absolutely the solution we were looking for but didn’t expect to find. It works perfectly, is consistent and we have no complaints or problems at all. We are very pleased indeed.”

17 July 2015

VIDEO: Winfrasoft CEO, Steven Hope Explains Why the Time Has Not Yet Come for Biometrics

Last week our CEO, Steven Hope, joined leading privacy, identity and security experts from across Europe to present at Building Trust on a Hyperconnected World, an event hosted by EEMA and OASIS at the EMEA headquarters of CA Technologies, Ditton Manor.

In the session entitled ‘Biometrics: the time has come?’, Steven was joined by Professor JJ Nietfield from the University Medical Centre in Utrecht, the Chair of the OASIS IBOPS Technical Committee, Abbie Barbir and Executive Director of EEMA, David Goodman. During his presentation and the panel debate which followed, Steven shared his perspective on the hype surrounding the use of biometrics. He explained that whilst the technology does have the potential to have a place in the identification and authentication process, there is a reason why it has not yet taken off in the way many experts had expected.

Steven argued that the proliferation of biometrics on the latest smart devices is focused on delivering a convenient user experience, and is not about delivering tight security, despite the worrying efforts of some large organisations (especially those in the banking sector) trying to find ways to exploit the likes of TouchID for authentication purposes. He also observed how the word ‘biometrics’ has wrongly become synonymous with security, and explained how smart devices operating consumer-grade biometric sensors could not and should not be expected to deliver the accuracy and reliability of high-end biometrics equipment used in the commercial world.

You can watch Steven's full presentation here...


2 July 2015

Winfrasoft to Help Organisations Move from Passwords and Hard Token Authentication at the Security IT Summit 2015

Winfrasoft today announced that at the Security IT Summit 2015 it will be demonstrating how organisations can move away from password-based security with the award-winning PINgrid, PINpass and PINphrase. The one-day event takes place on 7th July at the Hilton London, Wembley.

At the Security IT Summit, Winfrasoft (an OATH and FIDO Alliance Member) will provide security professionals working in B2B and B2C organisations with a fresh alternative to their current authentication and transaction verification methods. Delegates will learn how they can remove the reliance on password-based authentication and pressure on the helpdesk for resets, eliminate procurement costs and administration surrounding card readers and keyring tokens, and innovate without the need to implement expensive biometrics.

- PINgrid is an award-winning and patented multi-factor authentication and transaction signing solution that is being used in the public and private sector today to transform any mobile device into a soft-token, via a simple offline app, replacing passwords with a memorable pattern that automatically generates an OTP.

- PINpass turns any mobile device into a token by sending a six to eight digit OTP to it via SMS or email. By combining it with a PIN, or an existing Active Directory password, PINpass creates a strong 2FA solution.

- PINphrase uses Random Character Authentication.

PINgrid, PINphrase and PINpass all support implementation in 1.5 and 2FA environments.

Head of Sales at Winfrasoft, Fred Astfeldt comments: “Recently we have seen a reaction from retail banks as they start to offer customers a choice in how they authenticate themselves online, giving the option to continue with card-reader or keyring token, or to login using their memorable information. In PINphrase, Winfrasoft is the only authentication speciality with an off-the-shelf product that enables any organisation to implement this form of authentication without the need to develop it in-house.”

Astfeldt adds: “Our solutions have been rigorously tested in public and private sector organisations and have been proven to deliver strong, robust and reliable authentication. However, they have also been demonstrated to have a major impact on improving the end-user experience.”

In addition to PINgrid, PINphrase and PINpass, Winfrasoft will also be demonstrating its Enterprise Desktop Logon and Remote Desktop Agent for organisations using Microsoft’s Remote Desktop Services, Citrix and VMware. These solutions enhance secure access to the corporate network, applications and data by augmenting the username and password login with either 1.5 or 2FA.

For more information about the Security IT Summit visit: www.securityitsummit.events

Follow the event on Twitter @SecIT_Summit

18 June 2015

Why Password Vaults, and Emojis are not the Future of Authentication

The news this week that LastPass has suffered a security breach is a reminder of why I am not a fan of the password vaults currently on the market.

Password vaults serve one purpose only and that is to make it easier for people to store their login credentials centrally. They are not about making those credentials more secure. Yes, you will see marketing materials talking about encryption and the like, but at the end of the day all you are doing is consolidating your passwords and ‘securing’ them with just one master code.

People buy in to password vaults for convenience; in fact, LastPass has the tagline ‘The last password you’ll ever need’. It is essentially the same as storing all your credit, debit and store cards, along with your driving licence and cash in a wallet. It seems like a great idea until it gets stolen.

For me, the root cause of the problem isn’t the password vault itself, but the password. Most of us tend to see the login screen as an obstacle that stands in the way of us doing what it is that we want to do. Anything that makes it quicker and easier to get through the process is welcomed with open arms. To illustrate my point, how many of you click the ‘remember this password’ when given the opportunity? I know I have.

If we are being honest, most of us are willing to make some form of trade-off between security and convenience, but we should not be expected to do so. Passwords continue to haunt our lives because organisations decide to enforce their use, and in most instances they do so because they don’t know what else to do. As security professionals it is our role to give these organisations choice, show them that there is a better way and, crucially, put forward a compelling business case that will drive lasting change.

At the same time as LastPass has been hitting the headlines this week, so too has Tripwire for its attempt to solve the problem using Emojis. As a marketing gimmick it has certainly succeeded in grabbing attention, and they seem to be heading in the right direction by trying to make login credentials easier to remember and leveraging the capabilities of mobile devices. But could such a solution viably replace every website, mobile app or corporate network that currently uses a password? Emojis might appeal to millennials logging on to a social forum, but would a silver surfer feel comfortable using them for their online banking? It may well be more secure than a password but I can’t imagine entering: smiley face, sad face, birthday cake and love heart to authorise a transaction from my corporate bank account!

Meanwhile, at the other end of the scale, biometrics are promising to change the world, but unless you are a large bank with money to burn it is pretty much out of reach, and even then you have the issue of standardising on a biometric.

This is the big challenge we as an industry face if we are going to replace something as ubiquitous as a password. We need to find something that has the potential to be just as ubiquitous in the future, otherwise we will be stuck in the same old rut. 

We think we might have just the thing! www.pingrid.com 

Author: Fred Astfeldt, Winfrasoft


27 May 2015

How to Secure Every Remote Desktop with 2FA

You may find it hard to believe but I am just about old enough to remember a time when you switched off your office PC at the end of the day and that was it. If you wanted to finish off that all-important presentation you could take a laptop home, but there would be no network access. So, you hurriedly copied and pasted everything on to the desktop on a Friday afternoon. Sound familiar?

Today, thanks to great technology such as Microsoft’s Remote Desktop Services and of course many others, we can all get (and indeed expect) access to our desktop resources whether in a coffee shop, airport lounge, train or a customer site.  Logging on in this way is now second nature.  It means we are free from the shackles of the office-bound desktop and arguably a lot more productive.

But, for many organisations this freedom comes at a price and that is compromised security. Does the benefit outweigh the risk? I am not so sure, as you are only as strong as your weakest link. Being able to offer remote desktop access from a technical perspective is relatively simple and low cost (again thanks to the likes of Microsoft), but securing it adequately and effectively has traditionally been expensive and prohibitive.  I am of course talking about two-factor authentication (2FA).

As 2FA isn’t built in to Microsoft Remote Desktop Services, the only option for organisations conscious of securely protecting their desktop PCs, and the network upon which they reside, from data breaches and cyber threats has been to invest in a separate solution. But traditionally 2FA has been the preserve of key-ring token providers, which require a large (the numbers can be quite frightening) up-front investment and demand a lot of administrative resource. There is often a lot of resistance from those who will be using the token and, unless you have a huge remote workforce, the numbers simply don’t stack up to make it a viable proposition.

Add in to the mix regulatory compliance policies for some sectors that demand 2FA is used. You have one camp that is forced to make the painful investment, or the other that simply cannot justify or afford it and must enforce a blanket ban on remote access. Of course, there will be a few ill-advised cases that choose to risk it.

For those not needing to adhere to regulation, the majority settle for the default username and password combination that Microsoft Remote Desktop Services offers.  However, with advances in technology, most notably the ability to place soft-tokens on to mobile devices, the costs have plummeted and it is easier than ever to manage.

From today, organisations using Microsoft Remote Desktop can strengthen it with 2FA by augmenting the username and password screen with the need to enter a unique one-time passcode.


Using the new Winfrasoft Remote Desktop Agent, all the user needs to do is download the PINgrid app on to their phone. From this point when logging in they simply open the app and enter the digits that appear in their PINgrid pattern.  It is also great news for the IT team as there is no need for any code changes, making it very quick and easy-to-deploy, whether you are an SME, or a large multi-national enterprise.

The Remote Desktop Agent makes strong 2FA affordable for all. So, those who need to comply with regulation but could not afford to do so, now can. Organisations of all shapes and sizes that want to secure their desktop access with 2FA have the option to do so. And, those that have had their hands tied and are using expensive hard-tokens now have a viable alternative to consider when their next license renewal is due.

For more information about Winfrasoft Remote Desktop Agent contact a member of our team on Tel: +44 (0)118 336 8330, or Email: sales@winfrasoft.com

Author: Steven Hope, CEO, Winfrasoft




PRESS RELEASE: Winfrasoft Launches Remote Desktop Agent to Deliver Two-Factor Authentication For Microsoft’s Remote Desktop Services

Winfrasoft today announced the launch of its Remote Desktop Agent (RDA) that takes advantage of its award-winning PINgrid solution to deliver secure two-factor authentication (2FA) for organisations using Microsoft’s Remote Desktop Services. Quick and easy-to-deploy without the need for code changes, RDA enables IT security teams to comply with 2FA policy requirements, without slowing down the user log-in experience.

When a user attempts to log in to their desktop remotely they are presented with the familiar username and password challenge, alongside which they are asked to enter their one-time PINgrid passcode. The user simply enters the digits included within their individual PINgrid pattern, which is displayed on their smartphone or tablet, via the PINgrid app. For organisations that want to strengthen their authentication but do not require full 2FA, RDA can be deployed directly on to the login screen as a non-obtrusive 1.5FA solution.


CEO of Winfrasoft, Steven Hope comments: “Many organisations rely on Microsoft’s Remote Desktop Services to provide employees with anywhere access to their desktop via an Internet connection. The big problem for IT security teams is that it doesn’t have two-factor authentication built-in. Our RDA solution uses PINgrid, which is trusted by public and private sector organisations around the world to deliver strong authentication.”

Remote Desktop Agent is available now.

18 February 2015

Would you use Touch ID for your mobile banking?

You will likely have seen the news that RBS and NatWest are planning to use Apple's Touch ID. On the face of it, it would seem to make perfect sense to make use of this latest innovation in smartphone technology; however, in my opinion Touch ID for banking is not a good idea.

Firstly, when this technology was launched it was hacked within days and with relative ease, and that was not a big surprise. After all, it simply isn’t commercially viable to place high-quality biometrics technology on a mass-market consumer device costing a few hundred pounds.

I myself am an iPhone user and stopped using Touch ID when I challenged a friend over dinner to get access to my device. It wasn’t until I got home later in the evening that I realised he had succeeded in changing some of my settings.

We do need to move away from passwords and what they are replaced with must strike a balance between delivering security and usability if they are going to become ubiquitous. For me, whilst this latest news from RBS and NatWest is a great headline grabber, it is ultimately the latest gimmick on the biometrics bandwagon.