Here’s SecurePass, a cloud-based service for multi-platform authentication based on One Time Passwords.
Password management inside a company is always one of the most delicate and debated topics, and it gets even worse as the number of employees and services to be managed grows. GARL, a Swiss company specialized in security systems, offers SecurePass, a centralized service for identity management.
The offer consists of four subscription types that differ in the features included and, of course, the price. The entry-level offer (Personal) is free but has a maximum of two users and only SSO authentication; as the price increases, we have the Business, Enterprise+ and Service Provider plans; the details of the number of users included and the authentication modes supported are available at this link. We’d like to point out that all the prices are quite cheap (3 or 7 € per month per user).
The implementation uses a One Time Password (OTP) and Single Sign-On (SSO) system for unified authentication; an ordinary smartphone or PC can be used as the authentication device, coupled with the free SecurePass app (available for Android, iOS, Blackberry, PC and Mac), which keeps all the access tokens at hand without the need for a dedicated hardware unit.
The device must be authorized using a procedure called Provisioning, then it can be used to generate a temporary 6-digit password that is valid for about 30 seconds.
SecurePass integrates with the main services that require remote online authentication: VPNs, Content Management Systems (CMSs such as Joomla and WordPress) and web applications. The system can be used to connect both to Microsoft operating systems (protecting logon and Remote Desktop connections to Windows Server and desktop machines) and to Linux systems (directly or via SSH).
Installation and first approaches
We used the Business plan for our tests: as it’s a centralized authentication service, regardless of the specific system on which we’ll use it, the first fundamental step is the access to the account management panel. From this panel you can create users (admins or normal users) and Devices, that is, the devices on which you will authenticate with SecurePass; Devices are identified by an IP address (static IPs only), FQDN (Fully Qualified Domain Name) and a secret key. From the same panel you can monitor the state of the service and Provisioning.
The documentation of SecurePass is available in the personal area.
We used SecurePass to protect access to three different systems: Windows Server 2012 R2, Windows 8.1 and Ubuntu Server 14.04. SecurePass is easily installed on the Windows platform with pGINA, a free application that sits between the user and the operating system and handles the whole authentication process. pGINA uses a set of plugins, which are included in the installer. One of them handles the RADIUS protocol, which SecurePass implements. Configuring this plugin is not complex: it only asks for the reference server and a few additional parameters. Once it was activated, we managed to log in, even over Remote Desktop, using the numeric password provided by the application on our smartphone.
The installation on Ubuntu is slightly less intuitive because it’s done through the command line instead of a graphical interface. However, only a few commands are needed to get a working configuration: after that we were able to establish a secured connection via SSH.
SecurePass is an alternative to a traditional password manager and overcomes some of its main limits: the need to update it manually, the absence of centralized control, and the impossibility of fully controlling how passwords and users spread, for instance when sets of credentials are shared among employees or contractors.
Obviously an implementation of this kind has some limits, which must be weighed carefully when making a decision: above all, the need for an Internet connection. That said, we must applaud GARL for having created a management infrastructure that is geographically redundant and extremely sturdy.