In Q1 2015, RCDevs (http://www.rcdevs.com) and Yubico (http://www.yubico.com), two leaders in the multi-factor authentication market, joined forces to provide their customers with the most advanced 2FA solution available in the strong authentication market. The solution relies on RCDevs’ OpenOTP technology combined with Yubico’s OTP/U2F user authenticators and HSM devices. It brings together the best of two worlds: RCDevs specialises in OTP/U2F enterprise integration, with a flexible, full-featured security back-end supporting a wide variety of user authenticators; Yubico focuses on user experience, usability and stronger security concepts with its YubiKey product family and cost-effective HSM devices.
Customers worldwide recognise RCDevs and Yubico as pioneers in the security market, providing advanced technologies and high-quality products. The RCDevs/Yubico solution is well designed, suited to modern customer needs, extremely robust and scalable from SMEs to large corporations. It is already used by thousands of customers worldwide, including Fortune 500 companies.
Universal Second Factor (U2F) is rapidly becoming the new standard in two-factor authentication. Corporations are ready to take advantage of this new method, but need a smooth transition from their current legacy OTP solutions. In this document we describe the OTP and U2F authentication solution offered by Yubico and RCDevs, and how it can be deployed without disrupting your end-users or your company’s security.
A New Standard for Two-Factor Authentication
The U2F protocol moves beyond traditional One Time Password (OTP) solutions, which rely on a shared secret that must be held by both the token and a validating server (sometimes a third party). Instead, it brings true second-factor authentication to the touch of a button, using public-key cryptography: the device signs a server challenge with a private key that never leaves it, and the browser binds that signature to the origin the user is actually visiting. Because no secret is ever transmitted, and a signature made for one origin does not validate at another, U2F protects against phishing and man-in-the-middle attacks and leaves credential-stealing malware nothing reusable to exfiltrate, while simplifying the authentication process to the U2F device and the U2F server.
U2F Login Workflow
U2F was created by Google and Yubico, with contributions from NXP, and is today hosted by the open-authentication industry consortium, the FIDO Alliance. The technical specifications were published in late 2014, with native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers.
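To make the property described above concrete, here is an added example (written for this edit, not code from RCDevs, Yubico or the FIDO specifications) of the authentication half of U2F in Go: a simulated token signs the server’s challenge, and the relying party verifies it. It assumes a single-origin web application whose U2F appID equals its origin, skips registration attestation and key handles, and uses constructed challenge strings; the byte string that gets signed (SHA-256 of the appID, the user-presence flag, a 32-bit counter, SHA-256 of the browser’s clientData JSON) and the ECDSA P-256 signature follow the U2F raw message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser builds and hands to the device. Its origin
// field is what ties the signature to the site the user actually visited.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// ClientData serialises the browser-side structure for a getAssertion request.
func ClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	return b
}

// signedBytes is exactly what a U2F device signs on authentication:
// SHA-256(appID) || flags || counter (4 bytes, big-endian) || SHA-256(clientData).
func signedBytes(appID string, flags byte, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	b := append(app[:], flags)
	b = append(b, ctr[:]...)
	return append(b, cdh[:]...)
}

// Token stands in for a YubiKey in U2F mode: a P-256 private key that never leaves it, and a counter that only grows.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: k}, err
}

// Registration is what the server stores at enrolment: the public key and the last counter it accepted.
type Registration struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

func (t *Token) Register() *Registration { return &Registration{PubKey: &t.priv.PublicKey} }

// Authenticate models a touch: set the user-presence bit, bump the counter, sign.
func (t *Token) Authenticate(appID string, cd []byte) (flags byte, counter uint32, sig []byte, err error) {
	t.counter++
	flags = 0x01
	h := sha256.Sum256(signedBytes(appID, flags, t.counter, cd))
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return flags, t.counter, sig, err
}

// Verify is the relying-party check. Each failure is a distinct condition worth
// logging: wrong origin (phishing relay), bad signature, stale counter (replay or clone).
func Verify(reg *Registration, appID, challenge string, cd []byte, flags byte, counter uint32, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Typ != "navigator.id.getAssertion" || c.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if c.Origin != appID { // demo assumption: the only valid origin is the appID itself
		return errors.New("origin mismatch: assertion was made for another site")
	}
	if flags&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	h := sha256.Sum256(signedBytes(appID, flags, counter, cd))
	if !ecdsa.VerifyASN1(reg.PubKey, h[:], sig) {
		return errors.New("invalid signature")
	}
	if counter <= reg.Counter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	reg.Counter = counter
	return nil
}

func main() {
	tok, _ := NewToken()
	reg, site := tok.Register(), "https://login.example.com"
	cd := ClientData("constructed-challenge", site)
	flags, ctr, sig, _ := tok.Authenticate(site, cd)
	fmt.Println("genuine:", Verify(reg, site, "constructed-challenge", cd, flags, ctr, sig),
		"| replay:", Verify(reg, site, "constructed-challenge", cd, flags, ctr, sig))
}
```

The order of checks matters: the origin is compared before the signature is verified, so a response relayed from a look-alike domain is rejected even though its signature is cryptographically valid; the counter check is what turns a cloned key into a detectable event rather than a silent compromise.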
RCDevs OpenOTP™ Server
OpenOTP is the RCDevs multi-factor authentication solution. It provides secure and reliable authentication of users to applications and online services, intranet and extranet access, secure transactions, etc. OpenOTP relies on proven technologies and open standards such as OATH (the Initiative for Open Authentication) and FIDO U2F (Universal Second Factor). OpenOTP is an enterprise-grade authentication server which supports both single-factor and versatile multi-factor authentication methods using:
LDAP/AD domain passwords
YubiKeys from Yubico (Standard, Neo, Nano, Edge)
Security Key from Google and Yubico (U2F)
Hardware Tokens (event-based, time-based and challenge-based)
Mobile/Software Tokens (Google Authenticator and any OATH compliant client)
SMS Tokens (with Clickatell, Plivo, AQL, custom SMSCs and any SMPP provider)
Mail and Secure Mail Tokens (PIN mailer)
Pre-generated OTP Lists, Emergency OTP, etc…
Security policies in OpenOTP are extremely powerful and support password concatenation (the static password and the OTP submitted together in a single password field and split apart by the server), challenge-response mode, flexible domain/network/application-based configurations, LDAP groups, geolocation…
The OpenOTP architecture is modular and highly scalable, with proxy servers that can be exposed in the DMZ and a backend server which comes with failover and load balancing capabilities.
OpenOTP and most RCDevs integration plugins support two-factor authentication with both OTP and U2F through a set of comprehensive APIs, fine-grained identity and access management (IAM), powerful audit capabilities, Web SSO with integr OpenID/SAML services and advanced RADIUS support.
OpenOTP supports a wide range of integrations including VPNs (F5, Juniper, Cisco, Check Point, Palo Alto…), Microsoft (ADFS, Exchange, SharePoint, Windows login, RDP…), Citrix, UNIX/Linux services, open-source software (CRM, webmail, e-commerce…), Google Apps and much more. See the compatibility matrix later in this document for more details.
Yubico OTP / U2F Hardware
OpenOTP supports all Yubico authenticator devices and form factors: YubiKeys working in Yubico OTP and OATH modes as well as the newer U2F devices available from Google and Yubico. OpenOTP can optionally validate Yubico OTPs against the YubiCloud online validation service. Customers therefore choose between the OpenOTP internal secure seed storage, in which case each YubiKey’s AES key is held on premises (and can be protected by an HSM, see below), and Yubico’s high-availability cloud service, in which case the key stays with Yubico and validation depends on reaching YubiCloud.
For an end-user, activating a YubiKey in OTP or U2F mode simply consists of pressing the YubiKey in a self-service application. YubiKey OTP devices can be imported into the OpenOTP device inventory, making it possible to deploy thousands of YubiKeys quickly with little or no administrator action.
With the OpenOTP APIs, YubiKey OTP and U2F authentication can be used concurrently. Users get signed FIDO U2F authentication whenever the target resource supports it, and keep working in YubiKey OTP mode for their VPNs. Newer YubiKeys (such as the YubiKey Edge and YubiKey NEO) expose both modes at once: a single touch answers a pending U2F request from the browser, and otherwise types a Yubico OTP through the keyboard interface.
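The following is an added example (not RCDevs or Yubico code) of what a validator that holds the YubiKey’s secrets, the “internal seed storage” option above, does with a Yubico OTP, written in Go with only the standard library. It includes a simulated key press so it can be run without hardware. The AES key, private ID and public ID are constructed values; the 16-byte token layout, the modhex alphabet, the CRC-16 residue and the AES-128-ECB encryption are those of the Yubico OTP format.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// modhex is the keyboard-layout-independent alphabet YubiKeys type ("c"=0 ... "v"=15).
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhex[x>>4])
		sb.WriteByte(modhex[x&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the ISO 13239 CRC YubiKeys use (reflected poly 0x8408, init 0xffff). With
// ~crc16(first 14 bytes) stored little-endian in bytes 14-15, crc16 over all 16 is 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// Seed is the per-key record a validator keeps; Key is the whole secret, which is why
// the paper puts this data behind a YubiHSM.
type Seed struct {
	Key       []byte // 16-byte AES-128 key programmed into the YubiKey (constructed here)
	PrivateID []byte // 6-byte private identity programmed alongside it (constructed here)
	LastCtr   uint32 // useCounter<<8 | sessionCounter of the last accepted OTP
}

// Emit simulates one key press. Token layout: uid(6) useCtr(2 LE) timestamp(3)
// sessionCtr(1) rnd(2) crc(2 LE); AES-128-ECB encrypted, modhex after the public ID.
func Emit(publicID string, s *Seed, useCtr uint16, sessionCtr byte) (string, error) {
	block, err := aes.NewCipher(s.Key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, 16)
	copy(pt[:6], s.PrivateID)
	binary.LittleEndian.PutUint16(pt[6:8], useCtr)
	copy(pt[8:11], []byte{0x34, 0x12, 0x56}) // constructed timestamp
	pt[11] = sessionCtr
	binary.LittleEndian.PutUint16(pt[12:14], 0xabcd) // constructed "random" filler
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return publicID + modhexEncode(ct), nil
}

// Validate is the server side: public-ID lookup, decrypt, CRC, private ID, counter.
func Validate(seeds map[string]*Seed, otp string) error {
	if len(otp) != 44 {
		return errors.New("unexpected OTP length")
	}
	s, ok := seeds[otp[:12]]
	if !ok {
		return errors.New("unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(s.Key)
	if err != nil {
		return err
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 {
		return errors.New("CRC mismatch: wrong AES key or corrupted OTP")
	}
	if string(pt[:6]) != string(s.PrivateID) {
		return errors.New("private ID mismatch")
	}
	ctr := uint32(binary.LittleEndian.Uint16(pt[6:8])&0x7fff)<<8 | uint32(pt[11]) // bit 15 is a flag
	if ctr <= s.LastCtr {
		return errors.New("replayed OTP: counter did not increase")
	}
	s.LastCtr = ctr
	return nil
}

func main() {
	seed := &Seed{Key: []byte("constructed-key!"), PrivateID: []byte{1, 2, 3, 4, 5, 6}}
	seeds := map[string]*Seed{"ccccccbcgujh": seed}
	otp, _ := Emit("ccccccbcgujh", seed, 5, 1)
	fmt.Println(otp, "first use:", Validate(seeds, otp), "replay:", Validate(seeds, otp))
}
```

Two things follow directly from the code. First, everything the validator needs to accept an OTP is the 16-byte AES key and the private ID, so whoever can read the seed store can mint OTPs for every key in it; that is the argument for the HSM-backed storage in the next section. Second, the replay protection is purely the monotonic counter pair, so the LastCtr update must be committed atomically per key when several validation servers share a seed store.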
U2F Device Enrolment
Cost-Effective Hardware Crypto
OpenOTP supports hardware encryption and true random number generation with the cost-effective YubiHSM modules from Yubico. YubiHSMs provide AES-256-CBC encrypted storage for sensitive user metadata and Token inventories. In OpenOTP, HSMs are hot-pluggable and work in high-availability mode. Multiple YubiHSMs can be used in parallel, allowing for a simple and straightforward upgrade path.
In OpenOTP, YubiHSMs are used for:
Secure storage of YubiKey and OATH Tokens’ secret seeds.
Secure storage of passwords, PIN codes and other critical user/system information.
Random OTP generation for SMS, Mail OTP and printed OTP lists.
Random U2F challenges.
Simple Use Case
The following describes a sample use case so you can understand how YubiKey NEO and OpenOTP can work together.
ACME has set up the YubiKey NEO for its employees, and is using OpenOTP to provide authentication for their internal systems.
The ACME user inserts his YubiKey NEO, which has dual U2F/OTP capability, into a USB port on his PC. The PC is protected by Windows user login and password plus a one-touch U2F challenge. The user enters his domain username and password and touches his YubiKey NEO to complete the U2F authentication. His credentials are validated, and he is logged in to his Windows environment.
U2F also controls access to Microsoft web resources, such as SharePoint or Outlook Web Access, as well as hosted services such as Google Apps. Every time the user is asked for the second factor, all he has to do is touch the YubiKey NEO device.
From the OpenOTP application, this ACME user can launch all of his SAML-enabled cloud applications, including Salesforce or Jive, after a single U2F authentication. For VPN access, this ACME user will use the same YubiKey, using a single touch to generate a One Time Password.
ACME administrators also use their own YubiKey NEO to authenticate to their privileged UNIX accounts over SSH, using the OTP mode.
For accessing cloud applications on their Android devices, both administrators and users leverage the NFC capability of the YubiKey NEO and, once again, enjoy a one-touch experience. As a fallback method, OpenOTP can deliver a simple OTP via SMS.
Web Products (Joomla, WordPress, Magento, Roundcube, Drupal, OwnCloud…)
Linux / UNIX Services
Mac OSX Login and Services
Home-made Web Applications
C, C++, Java, .NET
OpenOTP APIs & SDK
This list is not exhaustive, and as vendors integrate their technology with the FIDO Alliance standard the compatibility matrix will evolve. For the up-to-date compatibility matrix, please refer to: http://www.rcdevs.com/openotp/.
Migrating from a third-party OTP solution
While some customers need to move to multi-factor authentication due to risk management or regulations, others want to migrate to a newer, cheaper and better-suited authentication solution. Migrating is a challenging and costly process which often requires non-negligible effort. Thanks to OpenOTP’s advanced migration options, moving from a third-party OTP solution like RSA, Vasco, HID or SafeNet to RCDevs & Yubico is made smooth and easy, without disrupting your production.
There are many possible scenarios for implementing a migration to RCDevs & Yubico. A common option consists of installing and configuring OpenOTP on top of your Active Directory domain, side by side with the existing OTP solution. In this case the migration simply consists of implementing a standalone OpenOTP installation and switching to the new system when it is ready for production. In many cases this is the easiest option, but in some circumstances you need the OpenOTP server(s) to work alongside the existing OTP server(s), at least for a certain time. This second option is required when:
There are many users involved and you need to gradually re-enrol them with other OTP devices or software (e.g. you change from RSA Tokens to YubiKeys).
You need the existing OTP server(s) to remain for a certain time because some integrations have been customised for specific server APIs. You also need to update these custom integrations for OpenOTP. For example, your home-made Web applications’ login process must be adapted to use the OpenOTP Web APIs.
You want to keep existing hardware Tokens for users until they expire and sporadically enrol new hardware Tokens (e.g. YubiKeys) one by one.
Implementing OpenOTP two-factor authentication for your VPNs and/or applications is possible for any of the supported integrations by following the RCDevs recommendations and documentation. You can check the RCDevs website at http://www.rcdevs.com/products/openotp/ for more information regarding supported products and APIs. Note that these OpenOTP integrations and their requirements are not covered by this document.
By “migration”, we mean deploying OpenOTP server(s) and keeping your existing OTP server(s) running while migrating / transferring users and applications. When everything finally runs fine on OpenOTP, you can safely remove any legacy OTP servers. We will consider a sample environment composed of:
One OTP server from a third-party vendor which provides a RADIUS RFC-2865 interface.
A VPN server as client application consuming the RADIUS OTP validation service.
A pool of users registered in a MS Active Directory LDAP.
A migration process as described in section 3.1 is only possible under the following preconditions:
OpenOTP requires users to be stored in LDAP or Active Directory. Depending on the existing OTP server technology, the users and Tokens may be stored directly in the LDAP (AD) or in a dedicated user store (e.g. an SQL database). In both cases, we assume the user identities exist in the LDAP or AD. This means that even if the OTP server uses its own objects for managing user Tokens, these objects correspond to existing AD user identities.
OpenOTP needs to use the existing OTP server as a back-end validation server. This means it acts as a proxy and forwards OTP validation requests to the existing OTP server. The request forwarding mechanism uses the RADIUS protocol, so in our sample migration scenario the existing OTP server must also provide a RADIUS service, with OpenOTP registered on it as a RADIUS client and the shared secret configured identically on both sides.
In a first step, a new OpenOTP platform is deployed on the same infrastructure as the existing OTP system. OpenOTP is connected to the same LDAP/AD directories. In LDAP, all the users are activated for use with OpenOTP and configured in “OTP Proxy” mode. The OpenOTP Proxy feature is configured to connect to the RADIUS server already in place. The proxy authentication can be tested via the OpenOTP admin interfaces.
In a second step, the VPNs and any other integrations are reconfigured one by one to use the RADIUS server included in OpenOTP, and RCDevs integration plugins are deployed on applications that do not use RADIUS. From this point, every authentication request goes first to OpenOTP, and OTP validations are forwarded to the legacy OTP server(s).
Migration with OTP Proxy
The third step consists of enrolling new Tokens (e.g. YubiKeys) for your LDAP users via the OpenOTP administrative tools or self-services. Once enrolled, the users no longer rely on the legacy OTP servers. This step can be batched and automated for thousands of users, with email-based enrolment for example, or performed on users one by one.
In the last step, you remove the legacy OTP system and OpenOTP becomes the only multi-factor platform in your infrastructure.
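The request-forwarding stage of the migration above (second step), as an added example in Go that is not RCDevs code: the proxy takes the OTP part of a concatenated password (the “password concatenation” policy mentioned earlier), forwards it to the legacy server in an RFC 2865 Access-Request, and accepts an Access-Accept only if its Response Authenticator proves the reply came from a holder of the shared secret. The shared secret, user name and the legacy server’s reply are constructed inline; the assumption that only the OTP portion is forwarded (the LDAP password having already been checked by OpenOTP against AD) is mine, as are the function names. The password obfuscation and the authenticator computation follow the RFC.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const codeAccessRequest, codeAccessAccept, codeAccessReject, attrUserName, attrUserPassword = 1, 2, 3, 1, 2

// SplitConcatenated separates "LDAP password + OTP" typed into a single VPN password
// field; the OTP is the trailing otpLen characters (44 for a Yubico OTP).
func SplitConcatenated(pw string, otpLen int) (ldapPw, otp string, err error) {
	if len(pw) <= otpLen {
		return "", "", errors.New("password too short to contain an OTP")
	}
	return pw[:len(pw)-otpLen], pw[len(pw)-otpLen:], nil
}

// xorPassword is RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret || previous
// block), the first block keyed by the Request Authenticator. Encryption chains on the
// ciphertext it produces, decryption on the ciphertext it reads.
func xorPassword(secret []byte, reqAuth [16]byte, in []byte, encrypt bool) []byte {
	out, prev := make([]byte, len(in)), reqAuth[:]
	for i := 0; i < len(in); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ b[j]
		}
		if prev = in[i : i+16]; encrypt {
			prev = out[i : i+16]
		}
	}
	return out
}

// EncryptPassword NUL-pads to a multiple of 16 bytes (at least 16), as the RFC requires.
func EncryptPassword(secret []byte, reqAuth [16]byte, pw []byte) []byte {
	padded := make([]byte, (len(pw)+15)/16*16)
	if len(padded) == 0 {
		padded = make([]byte, 16)
	}
	copy(padded, pw)
	return xorPassword(secret, reqAuth, padded, true)
}

func DecryptPassword(secret []byte, reqAuth [16]byte, enc []byte) ([]byte, error) {
	if len(enc) == 0 || len(enc)%16 != 0 || len(enc) > 128 {
		return nil, errors.New("bad User-Password length")
	}
	return bytes.TrimRight(xorPassword(secret, reqAuth, enc, false), "\x00"), nil
}

func attr(t byte, v []byte) []byte { return append([]byte{t, byte(len(v) + 2)}, v...) }

// packet lays out Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
func packet(code, id byte, auth [16]byte, attrs []byte) []byte {
	p := make([]byte, 20, 20+len(attrs))
	p[0], p[1] = code, id
	binary.BigEndian.PutUint16(p[2:4], uint16(20+len(attrs)))
	copy(p[4:20], auth[:])
	return append(p, attrs...)
}

// BuildAccessRequest is what the proxy forwards to the legacy server: only the OTP
// travels in User-Password; the LDAP password was checked locally and never leaves.
func BuildAccessRequest(id byte, secret []byte, user, otp string) ([]byte, [16]byte, error) {
	var reqAuth [16]byte // must be unpredictable: it keys the password obfuscation
	if _, err := rand.Read(reqAuth[:]); err != nil {
		return nil, reqAuth, err
	}
	attrs := append(attr(attrUserName, []byte(user)), attr(attrUserPassword, EncryptPassword(secret, reqAuth, []byte(otp)))...)
	return packet(codeAccessRequest, id, reqAuth, attrs), reqAuth, nil
}

// responseAuth = MD5(Code || ID || Length || RequestAuthenticator || Attributes || Secret).
func responseAuth(resp []byte, reqAuth [16]byte, secret []byte) [16]byte {
	return md5.Sum(bytes.Join([][]byte{resp[:4], reqAuth[:], resp[20:], secret}, nil))
}

// BuildResponse plays the legacy OTP server for the demo.
func BuildResponse(code, id byte, reqAuth [16]byte, secret []byte) []byte {
	resp := packet(code, id, [16]byte{}, nil)
	ra := responseAuth(resp, reqAuth, secret)
	copy(resp[4:20], ra[:])
	return resp
}

// VerifyResponse accepts nothing the legacy server did not authenticate with the shared secret.
func VerifyResponse(resp []byte, id byte, reqAuth [16]byte, secret []byte) (accepted bool, err error) {
	if len(resp) < 20 || int(binary.BigEndian.Uint16(resp[2:4])) != len(resp) {
		return false, errors.New("malformed RADIUS packet")
	}
	if resp[1] != id {
		return false, errors.New("identifier mismatch: not a reply to our request")
	}
	if want := responseAuth(resp, reqAuth, secret); subtle.ConstantTimeCompare(resp[4:20], want[:]) != 1 {
		return false, errors.New("bad Response Authenticator: forged reply or wrong secret")
	}
	switch resp[0] {
	case codeAccessAccept:
		return true, nil
	case codeAccessReject:
		return false, nil
	}
	return false, fmt.Errorf("unexpected RADIUS code %d", resp[0])
}

func main() {
	secret := []byte("constructed-shared-secret")
	req, reqAuth, _ := BuildAccessRequest(7, secret, "alice", "constructed-otp")
	fmt.Println(VerifyResponse(BuildResponse(codeAccessAccept, req[1], reqAuth, secret), 7, reqAuth, secret))
}
```

Two caveats for the proxy phase. The User-Password obfuscation is MD5-based XOR keyed by the shared secret, not encryption in any modern sense, so the link between OpenOTP and the legacy RADIUS service should stay on a trusted network segment (or be tunnelled) and use a long, random shared secret. And an attacker on that link who cannot recover the secret can still try to inject a forged Access-Accept; the Response Authenticator check is the only thing that stops it, which is why the verifier above refuses a reply before looking at its code.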