Two-Factor One-Time Password (OTP) Authentication

The Business Challenges

  • The large multi-national enterprise has thousands of employees accessing many applications in a geographically distributed environment using Windows-based notebooks.
  • For compliance with global good practices and industry regulations, administrative access to applications containing sensitive data requires strong Two-Factor Authentication (2FA). However, a number of such applications are legacy in nature, and cannot be customized to support 2FA.
  • To ensure minimum disruption to the existing environment, the enterprise intends to gradually migrate each application to be protected with 2FA, and only for users who require administrative access.

The Security Challenges

  • The 2FA method will be hardware One-Time Password (OTP) tokens for high-frequency users, and OTP transmitted via SMS for ad hoc usage.
  • The solution has to allow for local offline access to the notebooks while enforcing 2FA for online access to protected applications.

The Provided Solution – IBM TAM eSSO with DS3 ASM


To comprehensively address both the business and security challenges, the solution chosen was a combination of IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) with the DS3 Authentication Security Module (ASM) for 2FA.

The scenario for application access is as follows:

  • Upon startup, users log in to Windows via the TAM ESSO login screen. This grants access to the notebook and to all the existing applications available on it, and works in both online (connected to the enterprise infrastructure) and offline mode.
  • When the user launches a protected application, the Access Profile configured on the TAM ESSO Access Agent triggers the plug-in script, which queries the DS3 Authentication Server and, if needed, prompts the user for the second-factor One-Time Password (OTP). This step can only happen while the user is online.
  • If the user is assigned an SMS OTP, the SMS is automatically sent to the user's pre-registered mobile number. If the user is assigned a hardware OTP token, no SMS needs to be sent.
  • The user enters the OTP, which the DS3 Authentication Server verifies before the user is transparently single-signed on into the protected application.
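The following Python model, added here as an illustration and not code from IBM, DS3 or the page, walks through the decision logic the four steps above describe: the desktop login succeeds whether online or offline, a protected application is blocked offline, an SMS user gets a fresh single-use code pushed out while a hardware-token user gets nothing sent, and access is only granted after the server verifies the code. The page does not name the OTP algorithm the tokens use, so the hardware path assumes RFC 4226 HOTP with a small resynchronisation window; the SMS validity period, the look-ahead window, the class names and the `send_sms` gateway stub are all assumptions.

```python
"""Model of the OTP gating flow: local login always works, protected
applications additionally need a second factor verified online."""
import hashlib
import hmac
import secrets
import struct
import time

HOTP_LOOKAHEAD = 3  # assumed resync window for hardware tokens (counters ahead of the stored one)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthenticationServer:
    """Hypothetical model of the OTP-verifying server (not the DS3 product's API)."""

    SMS_TTL = 120  # seconds an SMS OTP stays valid (assumed value)

    def __init__(self, users, send_sms):
        self.users = users        # name -> {"method": "hardware"|"sms", "secret", "counter", "mobile"}
        self.send_sms = send_sms  # callable(mobile, code): stand-in for the SMS gateway
        self.pending_sms = {}     # name -> (code, expiry); one outstanding code per user

    def begin_challenge(self, user, now=None):
        """Step 2/3: hardware users just get prompted; SMS users get a code sent."""
        now = time.time() if now is None else now
        rec = self.users[user]
        if rec["method"] == "sms":
            code = str(secrets.randbelow(10 ** 6)).zfill(6)
            self.pending_sms[user] = (code, now + self.SMS_TTL)
            self.send_sms(rec["mobile"], code)
            return "sms-sent"
        return "token-code-required"  # hardware token: nothing to transmit

    def verify(self, user, submitted, now=None):
        """Step 4: constant-time check; SMS codes are single-use and expire,
        HOTP counters only move forward so a captured code cannot be replayed."""
        now = time.time() if now is None else now
        rec = self.users[user]
        if rec["method"] == "sms":
            code, expiry = self.pending_sms.pop(user, (None, 0.0))
            return (code is not None and now <= expiry
                    and hmac.compare_digest(code.encode(), submitted.encode()))
        for step in range(rec["counter"], rec["counter"] + HOTP_LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["secret"], step).encode(), submitted.encode()):
                rec["counter"] = step + 1  # never accept this or an earlier counter again
                return True
        return False


class AccessAgent:
    """Hypothetical model of the workstation agent's decision logic."""

    def __init__(self, server, online):
        self.server = server
        self.online = online

    def windows_login(self, user, password_ok):
        """Step 1: desktop access needs no second factor and works offline."""
        return "desktop-unlocked" if password_ok else "login-failed"

    def launch_protected_app(self, user, otp_prompt):
        """Steps 2-4: 2FA needs the server, so offline launches are refused outright."""
        if not self.online:
            return "blocked-offline"
        self.server.begin_challenge(user)
        if self.server.verify(user, otp_prompt()):
            return "sso-injected"  # agent now replays the stored credential into the app
        return "denied"
```

Two design points carry over to any real deployment of this pattern: the SMS code is deleted from the pending table on first use, so a second submission of the same code fails even inside the validity window, and the HOTP counter is advanced past the accepted value, so the server refuses replays of an earlier token code without any extra state.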
