Secure Mobile Web Service Applications: The BlackBerry Enterprise Solution, Page 3
Two-Factor Authentication (Optional)
MDS supports a variety of corporate authentication schemes:
- HTTP Basic
In addition, MDS supports two-factor authentication from RSA Security, Inc. for those organizations invested in their technology. As indicated by the red characters in Figure 4, MDS integrates with RSA Authentication Manager to support RSA SecurID authentication for an extra layer of authorization when accessing content served by MDS.
Two-factor authentication technology can provide a safe and more secure alternative to the use of passwords. The user combines something he or she knows, a PIN, with something he or she has, a token code from an RSA SecurID token. With this system, it is impossible for someone to impersonate another unless he or she has access to both the PIN and the authenticator.
By combining the use of an authentication algorithm, the time of day, and a uniquely assigned seed record, an RSA SecurID token automatically generates and displays a pseudo-random token code. When combined with the PIN, the token code becomes the user's pass code that allows access to the protected resource. This process is outlined in Figure 5.
When a user navigates to a site or application requiring authorization, they are prompted for their Username and—in lieu of a password—the Token Passcode that's shown in Figure 6. You can use either a software or a hardware token (See Figure 7 for the latter). However, in addition to the fact that using a software token eliminates the need to carry around the small, easy-to-lose-or-forget hardware token, the software token has another major advantage:
Up to ten seed records can be associated with a single token, each with a different name to associate itself with any one of ten different sites. When bringing up the token, you scroll down the list of named seeds and pick one. This is particularly helpful when you want to use two-factor authentication for connecting to multiple, for example partner, sites.
When a user attempts to access a protected system, a special software agent—called an RSA Authentication Agent—initiates an Authentication Manager authentication session instead of a basic password session. The Authentication Agent transmits the information to the RSA Authentication Manager software, which approves access when the information is validated. The user is granted access appropriate to his or her authorization level, which is noted by the RSA Authentication Manager software in its log file.
Figure 5: Time-synchronous two-factor authentication with RSA SecurID
Figure 6: BlackBerry with RSA SecurID software token
If the BES Administrator sets the Application Control Policy's Disposition property to Required (using the BlackBerry Handheld Configuration Tool), users are not able to uninstall the SecurID application from their handheld devices. To enable users to uninstall the application themselves, the BES Administrator must set the value for the Application Control Policy's Disposition property to Optional.
Figure 7: Hardware tokens
Native LDAP support and QuickAdmin, a Web-based help desk utility, make the security administrator's job easier. LDAP support enables the RSA Authentication Manager software to take advantage of the user and group information in the directory. Automated LDAP to RSA Authentication Manager import and synchronization utilities let administrators bring the data from the directory into the RSA Authentication Manager program and keep the data synchronized. RSA Authentication Manager software supports leading directories such as Microsoft Active Directory, Sun ONE LDAP Directory, and Novell eDirectory.
The system also features evasion-of-attack logic that automatically detects attempted intrusions or the use of stolen tokens. It prevents unwelcome network attacks by tracking user authentication between replicated servers and blocking redundant requests, which defeats replay attacks against servers or agents.
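The token-code generation described with Figure 5, the PIN-plus-tokencode passcode, the named seed records of the software token, the agent-to-manager verification with its log entries, and the replay rejection just described can be put together in one small model. The following is an added example written for this page, not RSA's or BlackBerry's code: RSA's SecurID algorithm is proprietary, so an HMAC-SHA1 time-synchronous code in the style of RFC 6238 stands in for it, and the names tokencode, SoftwareToken, AuthenticationManager and demo, the 60-second step, the one-step drift window, the seed record, PIN and timestamp are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo parameters. This is NOT RSA's proprietary SecurID algorithm;
# an HMAC-SHA1 time-synchronous code (RFC 6238 style) stands in for it.
TIME_STEP = 60      # seconds per tokencode (SecurID tokens rotate every 60 s)
CODE_DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side to tolerate token clock drift
MAX_SEEDS = 10      # the article's limit on seed records per software token


def tokencode(seed: bytes, unix_time: int) -> str:
    """Pseudo-random tokencode for the time slot containing unix_time.
    Seed record + time of day + algorithm fix the code, so token and
    Authentication Manager agree without ever communicating."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class SoftwareToken:
    """A software token holding up to MAX_SEEDS named seed records."""

    def __init__(self):
        self.seeds = {}

    def add_seed(self, name: str, seed: bytes):
        if name not in self.seeds and len(self.seeds) >= MAX_SEEDS:
            raise ValueError("token already holds the maximum number of seed records")
        self.seeds[name] = seed

    def passcode(self, name: str, pin: str, unix_time: int) -> str:
        """Something known (PIN) + something had (current code of the chosen seed)."""
        return pin + tokencode(self.seeds[name], unix_time)


class AuthenticationManager:
    """Verifier side: validates passcodes and refuses a replayed tokencode."""

    def __init__(self):
        self._users = {}    # username -> (pin, seed record)
        self._used = {}     # username -> {time-step counters already accepted}
        self.log = []       # stand-in for the manager's log file

    def enroll(self, username: str, pin: str, seed: bytes):
        self._users[username] = (pin, seed)
        self._used[username] = set()

    def verify(self, username: str, submitted: str, unix_time: int) -> bool:
        record = self._users.get(username)
        if record is None:
            self.log.append(f"DENY {username}: unknown user")
            return False
        pin, seed = record
        now = unix_time // TIME_STEP
        # Forget counters that can no longer fall inside the acceptance window.
        self._used[username] = {c for c in self._used[username] if c >= now - DRIFT_STEPS}
        for counter in range(now - DRIFT_STEPS, now + DRIFT_STEPS + 1):
            expected = pin + tokencode(seed, counter * TIME_STEP)
            # Constant-time comparison of the whole passcode, so a wrong PIN and
            # a wrong tokencode are not distinguishable by response timing.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                if counter in self._used[username]:
                    self.log.append(f"DENY {username}: tokencode replayed (step {counter})")
                    return False
                self._used[username].add(counter)
                self.log.append(f"ALLOW {username}: step {counter}")
                return True
        self.log.append(f"DENY {username}: wrong PIN or tokencode")
        return False


# Constructed demo data; real seed records are unique secrets per token.
DEMO_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
DEMO_PIN = "4821"
DEMO_TIME = 1_700_000_040   # a multiple of TIME_STEP, so a slot starts here


def demo() -> list:
    """User builds passcodes, the manager checks them; returns the five verdicts."""
    token = SoftwareToken()
    token.add_seed("corp-mds", DEMO_SEED)
    manager = AuthenticationManager()
    manager.enroll("alice", DEMO_PIN, DEMO_SEED)
    pc = token.passcode("corp-mds", DEMO_PIN, DEMO_TIME)
    next_pc = token.passcode("corp-mds", DEMO_PIN, DEMO_TIME + TIME_STEP)
    return [
        manager.verify("alice", pc, DEMO_TIME),              # True: fresh passcode
        manager.verify("alice", pc, DEMO_TIME + 5),          # False: same tokencode replayed
        manager.verify("alice", "0000" + pc[4:], DEMO_TIME), # False: right code, wrong PIN
        manager.verify("alice", next_pc, DEMO_TIME),         # True: one step of drift allowed
        manager.verify("bob", pc, DEMO_TIME),                # False: no seed record enrolled
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, False, True, False]
```

The manager never stores or compares the PIN on its own: it reconstructs the full expected passcode for each step in the drift window and compares once in constant time, which is why a correct tokencode with a wrong PIN and a wrong tokencode produce the same log line and the same timing. Replay rejection only needs the set of time-step counters already accepted per user, pruned as the window moves on; in a replicated deployment that set is what has to be shared between servers for the article's cross-server tracking to hold.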