Post on 01-Sep-2019
Authentication solution - SxS
www.asseco.com/see
SxS Single Point of Authentication Solution
Key business benefits
Asseco Authentication Server (SxS) is a two-factor authentication solution designed to meet the regulatory and business requirements of enterprises such as financial institutions, managed service providers and other organizations. Asseco SxS supports end-user devices of different types from multiple vendors as well as OTP standards, simplifies the user experience, increases security, and reduces cost by enabling organizations to apply consistent strong authentication and authorization over multiple service channels, including web and mobile.
Compliance with the EU Directive on Payment Services (PSD2) – SxS is a two-factor authentication solution which supports transaction signing (Sign-What-You-See).
Advanced two-factor authentication – based on biometric technologies (Touch ID, Face ID, fingerprint scan) with a state-of-the-art user experience.
Proven authentication solution – more than fifteen years of development, improvements and deployments.
Agnostic to token manufacturers – SxS supports end-user devices from different vendors.
Multitenancy - SxS server is able to serve multiple client-organizations (tenants) in a single instance (headquarters serves its subsidiaries).
SxS SaaS – the complete SxS authentication functionality, available as a service and deployed in a data center that complies with the highest industry standards.
End-user experience high on the priority list – SxS supports Login by QR code, QR code and Push notification authentication.
Prepared to meet the demands of millions of online users – solution modularity as well as high availability and scalability allow meeting the demands for millions of online users (e.g. retail banking).
System flexibility – the system is completely configurable and allows you to combine different authentication schemes with different authentication devices.
Easy user acceptance – reliance on mechanisms familiar to customers, ‘now and tomorrow’, which means less investment in training campaigns, registration and help desk support.
Return on investment – a single point of authentication service, consolidated across separate business units into a single solution supporting different types of token devices, is a cost-effective solution on the operational level.
Lower deployment costs – supports the OATH standard, supports different combinations of targeted hardware and software platforms.
Key technical advantages
Black box concept – the solution acts as a “black box” towards 3rd-party applications, thus enabling smooth integration and limiting modifications on 3rd party systems in the environment.
Multi-Token support – support for Gemalto, Vasco, ActivIdentity (HID), RSA, Ireth, SmartDisplayer, Feitian, NagraID, EMV CAP.
Authentication methods – One-time Passwords (OTP), Challenge/Response (C/R), Message Authentication Codes (MAC), Multiple Data Signature (MDS), Host Verification (HV), Login by QR code, QR code authentication and Push notification authentication for the OATH standard; Mode 1, Mode 2, Mode 2 with TDS, Mode 3 and Mode 3 with TDS for MasterCard CAP (Chip Authentication Program) and PLA (Perso/PIN less); and VISA DPA (Dynamic Passcode Authentication).
Support for the latest MasterCard AA4C (Advanced Authentication for Chip) PLA 2010 and CTGS 2010 specifications.
Mobile token support – support for iPhone and Android mobile phones.
Administration – a full-featured administration console enables easy personalization and monitoring, as well as card profile setup, HSM key management, detailed transaction history, token synchronization, etc.
Auditing – all transactions are logged, both authentication requests and results, as well as administrator activities; each log record is digitally signed and time-stamped, making the log tamper-evident.
High availability – the solution architecture supports clustering and load balancing, resulting in high reliability and the capacity to handle large authentication request workloads.
Platform independence – the Java-based toolkit runs on multiple server platforms and operating systems.
Architecture overview (figure):
Channels / applications / systems: Internet banking, Mobile banking, Phone banking, e-Commerce, Brokerage, Government services, Enterprise applications and systems.
SxS Web services: Authentication, User management, Device management, Administrator management, Statistics and Reporting.
Supporting components: Device authentication, User & device administration, Hardware Security Module, Risk-based authentication and fraud detection solutions.
SxS WS - Authentication service
• Validates authentication requests (OTP, C/R, MAC, MDS, Host Verification, QR code authentication, Push notification),
• Digitally signs and stores each authentication in the Audit Log,
• Attack notification (OTP brute-force attack, user behavior monitoring).
SxS Admin - Administration web application
• Authentication properties configuration (authentication types, HSM configuration, key management, authentication parameters),
• Authentication device management (initialization, enrolment, status tracking / blocking, unlocking, synchronizing),
• User management (enrolment, authentication device assignment, initial PIN printing, status tracking / blocking),
• Administrator management (roles, access rights),
• Statistics & Reporting.
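To make the validation steps of the authentication service concrete (OTP and C/R/MAC validation, brute-force notification, and the token synchronization the administration application exposes), here is an added worked example in Python. It is not Asseco code and says nothing about how SxS is implemented internally. It validates OATH event-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) one-time passwords with a resynchronisation look-ahead window, checks a simplified Sign-What-You-See transaction MAC (an HMAC over the server challenge and the displayed transaction text, not a conformant OATH OCRA implementation), and raises a brute-force notification after a number of consecutive failures. The window size, failure threshold, token record fields, result names and the demo transaction text are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6
LOOKAHEAD = 5        # assumed resync window: how far ahead an event token may have drifted
MAX_FAILURES = 5     # assumed threshold for the OTP brute-force notification


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at the offset in the last nibble, mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def transaction_mac(secret: bytes, challenge: str, transaction: str, digits: int = DIGITS) -> str:
    """Simplified Sign-What-You-See MAC (assumption, not an OATH OCRA suite): the token computes
    an HMAC over the server challenge and the exact transaction text shown to the user, so a
    transaction altered in transit yields a different code than the one the user signed."""
    msg = challenge.encode() + b"\x1f" + transaction.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


@dataclass
class TokenRecord:
    """Assumed server-side state for one enrolled event-based token."""
    secret: bytes
    counter: int = 0        # next counter value the server expects
    failures: int = 0       # consecutive failed validations
    blocked: bool = False


def validate_hotp(token: TokenRecord, otp: str) -> tuple:
    """Return (result, drift); result is 'OK', 'FAIL', 'BLOCKED' or 'ATTACK_NOTIFICATION'.
    The OTP is accepted if it matches any counter in [counter, counter + LOOKAHEAD]; on success
    the counter moves past the matched value so the same OTP can never be replayed."""
    if token.blocked:
        return "BLOCKED", None
    for drift in range(LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(token.secret, token.counter + drift), otp):
            token.counter += drift + 1     # resynchronise to the token
            token.failures = 0
            return "OK", drift
    token.failures += 1
    if token.failures >= MAX_FAILURES:
        token.blocked = True               # lock the token and notify the operator
        return "ATTACK_NOTIFICATION", None
    return "FAIL", None


def validate_transaction(token: TokenRecord, challenge: str, transaction: str, code: str) -> bool:
    """Check a transaction signature against the text the server is about to execute."""
    if token.blocked:
        return False
    return hmac.compare_digest(transaction_mac(token.secret, challenge, transaction), code)


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 reference seed, with an event token that drifted by 3.
    tok = TokenRecord(secret=b"12345678901234567890")
    print(validate_hotp(tok, hotp(tok.secret, 3)))     # ('OK', 3): resynchronised
    print(validate_hotp(tok, hotp(tok.secret, 2)))     # ('FAIL', None): replay of an older OTP
    txn = "Pay 100.00 EUR to ACCT-0042"                # constructed transaction text
    sig = transaction_mac(tok.secret, "48213", txn)
    print(validate_transaction(tok, "48213", txn, sig))                                  # True
    print(validate_transaction(tok, "48213", "Pay 900.00 EUR to ACCT-0042", sig))        # False
```

The counter only moves forward, which is what makes an intercepted OTP useless after first use; the look-ahead window is what "token synchronization" amounts to for event-based tokens, and a drift larger than the window is the case an administrator resolves with the synchronize function.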
Product components
SxS Importer
• Used for importing token files and licenses into the SxS database.
SxS Print component
• Used for printing secret PINs and activation codes.
SxS Integration
• Integration API: XML/SOAP, C#, Java,
• SxS MQ connector,
• SxS File Importer.
SxS Provisioning
• Mobile token: application distribution (OTA), activation code generation, application activation,
• Hardware tokens: token import, token personalization.
Extension modules
SxS enables smooth integration and implementation of strong authentication services, enhancing the security of the client's existing infrastructure through the Asseco SxS extension modules:
01 Kerberos agent – native support on the Windows platform (Citrix, OWA, CRM, ERP)
02 Pluggable Authentication Module – authentication to Linux/Unix systems
03 Credential provider – access to the corporate domain from Windows workstations
04 Pluggable Authentication and Authorization service
05 RADIUS module – network access components: Cisco ASA, PIX, ISR routers (1800, 2800, 2900) and VPN; Fortinet FortiGate 60C, 100D; OpenVPN server; MikroTik v4, v5; Check Point
Microsoft VDI – secure access to virtual desktops and applications
Technical details
Operating systems:
• Red Hat Enterprise Linux 6, 7
• MS Windows Server 2008/2012
• IBM AIX 7.0
Hardware Security Module:
• Thales payShield 9000
• Thales nShield Connect
• SafeNet Payment HSM
Application Server:
• JBoss AS 7
• Oracle WebLogic 12c (EE7)
Databases:
• Oracle 11, 12
• MS SQL Server 2012
• PostgreSQL 9+
Devices:
• Asseco Mobile token (event- and time-based)
• Vasco Digipass tokens
• ActivIdentity (HID) OTP tokens
• Gemalto OATH tokens
• Feitian OATH tokens
• SmartDisplayer OATH display cards
• Ireth hardware tokens and display cards
• RSA SecurID
• Gemalto and Vasco PCRs (personal card readers)
• CAP/DPA-compliant EMV smart cards
The authentication framework is extendable to support:
• Other token vendors
• ODBC/JDBC data stores
• Remote RADIUS servers
Administration features:
• Device management: synchronize, unlock, assign/un-assign, redistribute (mToken), import
• Credential management: status (enable/disable), usage statistics
• User and permission management: user management, role management
• Secure audit: digitally signed tamper-evident log, audit log queries, archive and purge, history validation
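The "digitally signed tamper-evident log" and "history validation" features listed above, and the signed, time-stamped audit log described under Auditing, follow a standard construction: each audit record carries the hash of its predecessor and a signature, so any edit, reorder or deletion breaks the chain. The following added example in Python shows that construction; it is not Asseco code and does not describe the SxS log format. It uses HMAC-SHA256 with a stand-in key where a product would use an asymmetric signature with an HSM-held key, and the record fields, event names and timestamps are constructed for the example. History validation also compares the chain's final hash with a separately stored head value, because a chain on its own cannot detect records removed from its tail.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # chain anchor for the first entry


@dataclass
class AuditEntry:
    seq: int
    timestamp: str      # assumed ISO-8601 UTC; a deployment would take this from a trusted time source
    actor: str          # user or administrator identifier
    event: str          # constructed event names, e.g. "OTP_VALIDATE", "TOKEN_UNLOCK"
    result: str         # "OK" / "FAIL" / "BLOCKED"
    prev_hash: str      # hash of the previous entry: the hash chain
    signature: str = "" # HMAC-SHA256 over all fields above (stand-in for a digital signature)

    def body(self) -> bytes:
        """Canonical bytes that get signed: every field except the signature itself."""
        fields = asdict(self)
        fields.pop("signature")
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def entry_hash(self) -> str:
        """Hash over body and signature; the next entry stores this as prev_hash."""
        return hashlib.sha256(self.body() + self.signature.encode()).hexdigest()


class AuditLog:
    """Append-only log; `head` is the value to keep in a separate, protected store."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries: List[AuditEntry] = []
        self.head = GENESIS

    def append(self, timestamp: str, actor: str, event: str, result: str) -> AuditEntry:
        entry = AuditEntry(len(self.entries), timestamp, actor, event, result, self.head)
        entry.signature = hmac.new(self._key, entry.body(), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self.head = entry.entry_hash()
        return entry


def verify_history(entries: List[AuditEntry], key: bytes, expected_head: str) -> Tuple[bool, Optional[int]]:
    """History validation. Returns (True, None) if the chain is intact, otherwise
    (False, index) where index is the first entry that fails, or len(entries) if the
    stored head shows that records are missing from the tail."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.seq != i or entry.prev_hash != prev:
            return False, i                      # reordered, inserted or removed record
        expected_sig = hmac.new(key, entry.body(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry.signature):
            return False, i                      # record contents changed after signing
        prev = entry.entry_hash()
    if not hmac.compare_digest(prev, expected_head):
        return False, len(entries)               # chain intact but truncated
    return True, None


if __name__ == "__main__":
    # Constructed sample records; the key is a placeholder for an HSM-protected signing key.
    log = AuditLog(b"demo-signing-key")
    log.append("2019-09-01T10:00:00Z", "alice", "OTP_VALIDATE", "OK")
    log.append("2019-09-01T10:00:05Z", "admin1", "TOKEN_UNLOCK", "OK")
    log.append("2019-09-01T10:01:00Z", "bob", "OTP_VALIDATE", "FAIL")
    print(verify_history(log.entries, b"demo-signing-key", log.head))   # (True, None)
    log.entries[2].result = "OK"                                         # insider edits a failure away
    print(verify_history(log.entries, b"demo-signing-key", log.head))   # (False, 2)
```

The separately stored head is the part most often omitted: without it, an attacker who can write to the log store can simply drop the last records and leave a chain that still verifies.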
sales@asseco-see.com www.asseco.com/see
Highlights
Two-factor authentication solution.
Wide range of authentication methods and standards: OTP, C/R, MAC, MDS, HV, QR code, Push notification.
Supported devices and delivery channels:
• Hardware tokens (OATH-based devices: ActivIdentity (HID), Vasco, Gemalto, RSA, Ireth, Feitian),
• EMV CAP/DPA card-based authentication (PCRs: Vasco, Gemalto),
• Mobile token application – Android, iPhone,
• Display cards (CAP- and OATH-based: HID, SmartDisplayer, NagraID, Ireth),
• SMS OTP, SMS C/R, SMS MAC.
Mitigation of client-side attacks: two-factor user authentication combined with transaction signing (Sign-What-You-See) mitigates Trojan horse, phishing, man-in-the-middle and man-in-the-browser attacks. Note that a one-time password on its own can still be relayed by a real-time phishing or man-in-the-middle proxy; it is the transaction signature bound to the data the user actually sees that defeats an attacker who alters the transaction in transit.
Fully centralized lifecycle management: user credentials management (ID, PIN), physical device management (token, card reader), and a single point of management for the mobile application.
Multiple banking channels on a single authentication platform: Internet banking, mobile banking, phone banking, e-commerce, ATM; enterprise applications and systems: Windows and Linux logon, Microsoft VDI, Kerberos, RADIUS module for network access components.
Easy to integrate and maintain: service-oriented architecture integration with 3rd-party applications and modular system administration.