Given the amount of processing power attackers have at their disposal to crack passwords, combined with the sheer number of increasingly complex passwords users are expected to try to remember, security experts recommend using two-factor authentication solutions for securing corporate networks.
Two-factor authentication, which most commonly combines a knowledge factor (typically a password or PIN) with a possession factor (e.g. a security token or smart card), has become the mainstay authentication method for VPN access among corporate customers. By leveraging their investment and extending two-factor to wireless network access, enterprise network managers can provide tremendous security benefits vs. traditional fixed credentials or certificate authentication.
A key issue corporate customers often have to address is that the air is a shared medium and anyone can broadcast networks over the air. The threat of man-in-the-middle attackers broadcasting an imitation or honeypot network to capture communications is ever present. Even with advanced Wireless IPS (Intrusion Prevention Systems) in place, the nature of mobile computing means that such an attack need not take place close to corporate offices, but could happen anywhere employees may travel to.
Two-Factor Authentication On Microsoft Windows
SecureW2 designed Enterprise Client for Windows to support the full range of two-factor authentication products available, including RSA SecurID hardware tokens and soft tokens. Our client software adds PEAP-GTC functionality to Windows, allowing the use of security tokens to authenticate to WPA2-Enterprise / 802.1X networks. Combined with PEAP or EAP-TTLS, EAP-GTC will encapsulate all credentials within a secure TLS tunnel, hiding the username and passcode from any man-in-the-middle attackers.
These protected EAP methods have a unique advantage over PEAP / MSCHAPv2 (credential authentication) and EAP-TLS (certificate authentication): even if a device is compromised, there are no cached credentials and no exportable digital certificate private keys. The one-time passcode protected by the additional layer of a PIN will thwart an attacker attempting to gain network access.
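To illustrate the tunnelling point above, the following Python example (added here, not SecureW2 code) parses outer EAP headers and flags a token response sent as bare EAP-GTC rather than inside PEAP or EAP-TTLS. The sample frames and helper names are constructed for illustration; the type numbers come from RFC 3748 and the IANA EAP registry.

```python
import struct

# EAP method type numbers (RFC 3748 and the IANA EAP registry).
EAP_TYPES = {1: "Identity", 6: "GTC", 21: "EAP-TTLS", 25: "PEAP"}
TUNNELED = {21, 25}          # outer methods that wrap an inner method in TLS
EAP_RESPONSE = 2

def parse_eap(packet: bytes):
    """Return (code, identifier, type, type_data) for one EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match the packet")
    if code not in (1, 2):               # Success/Failure carry no Type field
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type field")
    return code, ident, packet[4], packet[5:length]

def audit_outer_methods(packets):
    """Report, per response, whether the outer method hides the credentials."""
    findings = []
    for raw in packets:
        code, ident, eap_type, data = parse_eap(raw)
        if code != EAP_RESPONSE or eap_type in (None, 1, 3):
            continue                     # skip Identity, Nak, Success/Failure
        name = EAP_TYPES.get(eap_type, f"type {eap_type}")
        if eap_type in TUNNELED:
            findings.append((ident, name, "tunneled"))
        elif eap_type == 6:
            # Bare EAP-GTC: the type-data is the token response in cleartext.
            findings.append((ident, name, f"exposed: {len(data)} bytes"))
        else:
            findings.append((ident, name, "other"))
    return findings

def build(code, ident, eap_type, data=b""):
    """Assemble an EAP Request/Response (hypothetical helper for the sample)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

# Constructed sample frames (not captured traffic; the passcode is made up).
SAMPLE = [
    build(2, 1, 1, b"anonymous"),                 # outer identity
    build(2, 2, 25, b"\x00" + b"\x16\x03\x01"),   # PEAP carrying TLS records
    build(2, 3, 6, b"12345678"),                  # GTC sent without a tunnel
]
```

Only the length of an exposed response is reported, so the audit output itself never records a passcode.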
Advanced RSA Soft Token Integration
Soft tokens have some advantages over other two-factor authentication methods. They are convenient, eliminating the need to carry an extra device. They also shift more responsibility onto the users, who are naturally more conscious of protecting their own devices. Additionally, many soft tokens can protect user credentials by generating passcodes which include the PIN in hashed form, eliminating the need to transmit PINs in cleartext.
A common complaint about two-factor systems is that they add significant hassles each time a user authenticates to the wireless network. Normally, when authenticating with a soft token, the user must enter his or her username in the wireless authorization UI, open the token interface, enter a PIN, wait for a freshly generated passcode, and copy it into the network authentication interface. Sometimes the authentication server will issue one or more additional challenges, which require the user to repeat these steps, thereby reducing productivity and increasing user frustration.
When employing RSA soft tokens, Enterprise Client for Windows streamlines the end-user experience for wireless network authentication. The user may simply select the soft token from a drop-down menu and enter a username and PIN. Enterprise Client for Windows automatically opens the soft token, submits the previously entered PIN, requests a one-time passcode, and automatically transmits it to the authentication server. In short, you can have the security of two-factor wireless network authentication without the extra hassle.
Additional Security Benefits
SecureW2 Enterprise Client for Windows can disable unused network connections so that devices are not “dual-homed,” a term for a device whose wired and wireless connections are both active, creating potential backdoors for an attacker. Most corporate customers support both wireless and wired connections to their networks, but a device with a wired connection active on the corporate LAN while its wireless connection is attached to a public or untrusted network could pose a security risk. Enterprise Client detects these dual connections and shuts down the second non-active connection.
Configuration lockdown allows network administrators to lock down their wireless profiles so that users do not change important settings which could compromise wireless security. For example, Enterprise Client for Windows enforces server certificate validation so that the device will only connect and submit credentials to the right authentication servers—a vital aspect of protecting secure network access.
Streamlined Two-Factor Authentication Solution
Two-factor wireless network authentication can greatly improve network security. However, it usually comes at a cost of reduced productivity and increased user frustration. SecureW2 Enterprise Client for Windows can eliminate the hassle while helping corporate network administrators maximize the benefits of security token infrastructure.
If you are concerned about lost or stolen devices being used to access your network, or if password-based authentication alone is inadequate for your security needs, Enterprise Client for Windows can help you provide streamlined two-factor authentication solutions in your WPA2-Enterprise / 802.1X environment.
SecureW2 Enterprise Client is fully compliant with the IEEE security standard 802.1X with support for key protocols EAP-TTLS, PEAP (v0 & v1), and EAP-GTC (Token) for WLAN and LAN security on 32-bit and 64-bit systems.
Deployed in Fortune 500 and Global 2000 companies and available in fifteen (15) languages, SecureW2 offers best-in-class security features and leading ROI for enterprise customers. SecureW2 Client provides IT administrators with a provisioning solution that delivers immediate centralized management cost benefits. It is a highly reliable and robust end-user solution that dramatically lowers long-term operating costs at the helpdesk, with features to manage and maintain your deployment.