Many data security applications utilize encryption as a way of obfuscating sensitive content while traversing or getting stored in cloud systems. Most, however, almost completely ignore endpoint/ host threats, leaving sensitive data that you use, every day, exposed to attackers that steal privileged credentials, impersonate authorized users, then steal information and/ or corrupt or hold for ransom resources critical to an organization's livelihood.
SSProtect was specifically designed to address these threats, providing data protection and management services that maintain business continuity while optimizing security event response and recovery. This requires aggressive use of both encryption and access control, which in turn requires fine-grained two-factor authentication (2FA) when accessing sensitive host application data.
Login and Task 2FA
SSProtect utilizes two different forms of 2FA: One form, Login 2FA, is used when establishing an SSProtect Login Session. Details are described in the article, Enhanced Login 2FA with Duo Security.
The other form, Task 2FA, is specific to Session Administration, configuration, and accessing managed/ protected content. Theoretical insight is available in the article, Hardware 2FA, while this article shows you how to configure USB tokens for Task 2FA.
Accessing 2FA Token Configuration
Privileged Organization Users and Individual Account holders can configure 2FA tokens for their own Accounts by navigating to the Account Configuration interface using the notification icon, then clicking 2FA Token.
Privileged Organization Users can configure 2FA tokens for the own Accounts, and other Organization Users, by navigating through Administer Users/ Manage then choosing the target Account before clicking 2FA Token:
This brings up the Two-Factor Auth display used to define USB token details:
2FA Token Interface and Token Types
At present, this interface shows a Generic Manufacturer compatible with OATH HMAC-based One-Time Passwords as defined in IETF RFC 4226. At present, SSProtect supports the Yubikey implementation that redirects OTP output to the keyboard. Yubikey configuration is detailed in the article, 2nd Factor Details: Yubico Yubikey. Support for FIDO and other 2FA methods can be integrated for your needs in very short order (from a few days to a few weeks). Contact Support for information on your specific needs.
To configure your hardware token, you will need the following:
Serial Number: This field associates token configuration with physical hardware. USB tokens usually have a static, unchanging Serial Number sometimes marked on the physical token. Enter this value here for the target key you want to associate with the Account you are configuring. Note that, at the present time, this value is not included in :Assess Reports. See below.
Hardware ID: This is the configurable ID programmed into each token. For an RFC 4226 OTP token, this is a 12-digit number that matches the 1st 12 digits the device provides when offering its' 2nd-factor value. This is used by KODiAC Cloud Services to insure that the incoming OTP is aligned with the proper USB token configured for a specific Account.
Moving Factor: This is the RFC 4226 OTP counter value, represented by a series of 8 hexadecimal values separated by spaces. This number does not have to be unique, but has to be within 20 counts of the hardware token's value. Each time you use the token, this number gets incremented - as does the matching value stored by KODiAC Cloud Services. If the two counters become misaligned, use the Reset operation described later in this article.
Some hardware tokens do not rollover when the maximum count is reached, SSProtect does. Be sure to keep this in mind when programming your token's initial Moving Factor/ counter.
Secret: This 20-byte secret is used for HMAC calculation, and it must match the value programmed into the key. This value must not be shared to disclosed to others. Note that SSProtect stores this - and other taken values - using KODiAC Cloud Services, though does not store information in plaintext form.
SSProtect allows you to use the same USB token with more than one Account in a single Organization, though if you attempt to use the same token in different Organizations, your Moving Factor will not remain synchronized leading to authentication failure.
Choosing Proper Values
You should avoid re-use Moving Factors or Secrets for more than one token, even across Organizations (if you act as a Privileged User for more than one). This can result in overlapping HOTP sequences, which negates the purpose of the 2nd-factor. Except when sharing, generate and use random values when setting up your hardware token.
WARNING: SSProtect cannot check and enforce configuration uniqueness beyond the Serial Number and Hardware ID since the Moving Factor and Secret are protected with information unique to an Account.
Adding the Token
Once you have entered and checked your values, choose OK to commit key data to the system and associate the USB token with the Account you chose before invoking the configuration display. If another token exists with the same Hardware ID, or if the process fails for any other reason, you will be prompted with an error message else returned to the Account Configuration or Administer Users dialog to continue.
Editing an Existing Token
When you revisit this interface after associating a token with an Account, however you will not see the Moving Factor or Secret. This data is in never again shared with the :Foundation Client after initial configuration, avoiding local disclosure. If your Moving Factor ends up out of sync, use a Reset operation to adjust.
Else, you cannot make changes to an existing token - you must instead Remove it then reconfigure new values from scratch.
Adding a Shared Token
To share a token between two Accounts in the same Organization, you can configure the 2nd Account by manually entering all fields with matching values, or you can alternatively navigate to the configured Account's 2FA Token display, click C (for Copy), then navigate to the sharing Account's 2FA Token display and click M (for Match): Values will be replicated for you. Choose OK to save (and activate) changes.
As soon as token data is accepted (using OK from the 2FA Token dialog after entering valid inputs), the 2nd-factor hardware token replaces the simulated software token - if any - and goes into effect. When you need to perform 2FA, you will be prompted with a 2nd-Factor Authentication dialog specific to the type of 2FA token you have configured. For the Yubico Yubikey, you will see the following:
Yubikey Runtime Operation
When prompted, insert your Yubikey and touch the sensor on the device. This will generate keyboard output that starts with the 12-digit HardwareID and ends with the computed 6-digit OTP that uses the Secret and Moving Factor you configure, above.
IMPORTANT: Because the Yubikey uses redirected keyboard output, this dialog must have input focus when you touch the sensor. Though rare, you may need to click the dialog to recapture input (and perhaps even the input field itself). Contact Support with related issues.
Individual Account Holders: Managing 2nd-Factor Tokens
Individual Users can only Remove an existing token using the 2FA Token display noted in prior text. This requires the token to authenticate the request. If your token is lost, stolen, or no longer functional, contact Support who can authenticate your request and disable it - or your Account - for you.
Privileged Organization Users: Managing 2nd-Factor Tokens
Privileged Organization Users can manage 2FA Tokens with Administer Users/ Manage available from the notification icon's context menu. Choose the target Account then one of the options noted below.
Click Sync 2Factor to update the SSProtect Moving Factor when the target Account's Moving Factor is out of sync. When you perform this operation, the next time the target User presents 2nd-factor credentials, the system will search a much greater span of counts to find the proper value before updating its' internal count. This searches across thousands of Moving Factor values, and for most situations will be sufficient when the Moving Factor drifts beyond the normally accepted count tolerance.
Choose Edit then click No 2nd Factor (then Save) to disable (hardware) 2nd-factor processing. This will revert back to software-simulated 2FA without a software prompt. Use the same procedure to enable 2FA, noting that you cannot enable software-simulated prompts for an Account that has a configured hardware token.
Token Provisioning Precautions
When programming 2FA tokens, be sure to do so offline, using a host computer that is not connected to the Internet. It's best not to transmit secrets electronically or store them in any way other than by using the User Interface presented here after programming and on a difference Internet-connected Host.
Note that configuration presents a (theoretical but small) opportunity for attackers if they have a presence on your local host. As such, be sure to use a secured host anytime you manage SSProtect Account configuration (of any form).
IMPORTANT: Take care when modifying your own Account's 2FA configuration, as it's not hard to lock yourself out. You can of course contact Support for assistance, though it's best to configure 2FA using a different Delegate or Administrator Account.
Important Note about Sensitive Token Data
DefiniSec isolates token Secret and Moving Factor data from KODiAC Cloud Services. This information is only available on cloud hosts for a brief moment when required to calculate a One-Time Password for comparison with hardware token data presented by the :Foundation Client. This data is immediately securely scrubbed from memory and never stored in plaintext.
This process in fact utilizes an encrypted form of OTP credentials entered into the described dialogs, decrypted in the cloud with Account-specific and client-managed keying information that is specially-purposed for 2FA data protection.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to firstname.lastname@example.org.
This article was updated w/ v9.1.3 of the :Foundation Client