Soft Tokens Explained
Soft Tokens are typically apps that run on phones or laptops
SecurAccess SoftToken functionality:
- Soft Token application available for: iPhone, Blackberry Android, Mac, Windows 7 mobile as well as Microsoft Windows XP, Vista and 7 operating systems
- Seamlessly move between devices securely with no additional cost
- QR codes speed deployment (Quick Response Code) for rapid user enrolment
- Automatically handles international time zones changes when travelling
- Enhanced Copy protection
Why use Soft Tokens
Ideal for smart device users.
Complimentary to SMS based authentication
Allow the end use the freedom to choose between SMS based authentication or a Soft Token application and switch between them.
Soft Token application
The latest SecurEnvoy server V7 allows users far greater choice of security – either tokenless SMS two factor authentication, secure Blackberry email, a voice call or a soft token downloaded as an application.
Available free of charge add-on to the SecurEnvoy suite of products. Users can elect to use a soft token application from either SecurEnvoy or Google. Authentication soft tokens are suitable for most types of mobile devices:
- iPhone’s, iPad’s (IOS4 or greater)
- Blackberry (OS5 and greater)
- Android (2.1 and greater)
- Mac OS
- Windows 7 mobile
- Windows XP, Vista and 7 operating system (P.C.)
Multiple soft tokens can be enrolled and used within the same app for multiple SecurEnvoy servers eliminating the need to carry multiple hardware tokens or install multiple soft token apps.
Users can self migrate to a new phone model by simply enrolling their new phone. They use their old phone app or SMS to make a two factor authentication to the enrolment portal. Then simply scan the QR Code to provision the new phone with a new seed record at no additional cost. The security server automatically deletes the old phone’s seed record rendering the old phone safe to dispose of or resell.
Support for Google Authenticator
SecurEnvoy soft tokens for your phone or desktop can be used to generate one time passcode (OTP) for two factor authentication that can be checked by your companies SecurEnvoy server or Google’s cloud login.
Deployment with Quick Response codes 100,000 users can be deployed within one hour
Quick Response codes are an excellent method to display a bar code matrix for the deployment of the “seed record” for the end users Soft Token. The user only has to scan the QR code with their phones camera to ensure a fully automatic enrolment process to a Soft Token. Either using an app or an SMS deployment capability is 30 per second, 100,000 users per hour.
Simple QR Code Enrolment
End user convenience of enrolment and a simple process. For the organisation there is nothing they need to do. It is the choice of the user to choose whether they want their two factor authentication passcode sent via what device and by what method!
User Administration is significantly reduced, as SecurEnvoy’s “Deployment Wizard” can automate user deployment, and allows the user to be in control of which device they use and the type of authentication method they prefer.
User deployment can be achieved on Group membership, OU or any other LDAP filtering. The SecurEnvoy “Reporting Wizard” provides detailed information about what mode of operation each user is setup for, allowing Administrators to control and monitor their 2FA estate.
Soft Token Security
SecurEnvoy Soft token, is OATH TOTP compliant, but with additional security enhancements to the OATH specification. These are:
Secure Copy protection locks the Seed record for generating passcodes to the phone. The innovative approach allows the SecurEnvoy security server to generate the first part of the seed, the second part of the seed is generated from a “Fingerprint” from the phone when time the Soft Token application is run for enrolment and each time the Soft Token application is run to generate a passcode.
Protection of the Seed records. The Seed records are dynamically generated by the Server/phone are and are stored with a FIPS 140 approved encryption algorithm, this encrypted data is generated and stored at the customer premise. SecurEnvoy do not store or keep any sensitive customer seed records.
Stored DATA. All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer LDAP server. SecurEnvoy support all LDAP v2 and v3 compliant directory servers, including:
Microsoft Active Directory, Microsoft ADLDS. Novell e-Dir, Sun/Oracle One Directory server IBM and Linux Open LDAP
The SecurEnvoy Security Server deletes the used passcode and any previous passcodes from the system, thereby alleviating any replay attacks from any used or any previous unused passcodes. This process is known as “Watermarking”.
Automatic Time Re-sync
When a user travels overseas, typically their phone will sync to the new country time once they have arrived at destination. The OATH compliant algorithm then derives passcodes based upon this new time, which could be many hours forward or backwards in time. SecurEnvoy have a unique approach that will handle users in this conundrum, where it allows complete unhindered World Wide travel for the user.
Soft Token Cost
All SecurEnvoy customers can utilise the latest Soft token at no additional cost. This allows users who may have issues with SMS deliverability to use a soft token, or for customer who wish to managed and reduce their existing SMS costs.