1. TriCipher Armored Credential System™ (TACS)
Strong Authentication for SalesForce.com
Integration Benefits you know (such as a password or PIN),
TriCipher enhances SalesForce.com by something you have (such as an
seamlessly adding multi-factor functionality authentication token), or something you are
to the Username / Password method (biometrics, such as a retina scan, or
currently used today. Organizations will fingerprint). Consumers are used to a multi
continue to derive the benefits from factor authentication model with ATM cards
SalesForce.com and will now have the - the PIN being something you know, the
additional capability to transition their ATM card is what you physically have.
organizations from weaker password
protection to something much stronger. Employing Multi Factor authentication for
use online, however, is much more
Benefits challenging because it typically requires the
user to carry or present something physical.
Strong authentication for SalesForce.com
that prevents identity theft and fraud Historically, traditional Multi-Factor
authentication methods have been too hard
Prevents man-in-the middle (MITM) and to deploy and manage for large consumer
complex phishing attacks bases, due not only to the high costs
associated with initial purchase, but also the
Seamless integration with a transition path overhead of initial deployment,
from weak password systems to strong lost/replacement, management and
authentication customer support. Add to this the fact that
many users are not yet ready or prepared
Choose from an array of strong multi factor to deal with hardware tokens, scratch cards,
authentication methods from the TriCipher client software downloads and extra
Authentication Ladder. authentication steps, even if it protects their
bank account and identity information.
Compliance with stringent audit and
TACS Solution
regulations such as FFIEC, HIPAA, GLB, etc.
The TriCipher Armored Credential System™
(TACS) provides a comprehensive
Multi Factor Authentication infrastructure that can be used to address
Multi factor authentication by definition is many of these risks. Its unique Multi-part
the use of a combination of more than one credential and Flexible Factor technologies
factor for the purpose of user enable a single infrastructure to issue
authentication. A “factor” can be something credentials of different strengths. This
2. allows the enterprise to tailor the type of download strong authentication solution. In
credential to the specific level of risk B2F, the 2nd factor in the form of an
without having to deploy multiple costly encrypted cookie or a browser certificate is
infrastructures. transparently given to the users’ browser.
Also, as a part of the activation process, the
The system architecture is designed to allow user selects an image or a secret text
TACS to be easily deployed for external phrase they will recognize when they come
Software as a Service (SaaS) applications back to the web site. TriCipher is unique in
like SalesForce.com and also to protect this clientless offering by going up the
internal web applications. Servicing some of ladder with the B2F Certificate option (as
the highest volume financial services cookies are susceptible to certain attacks
applications for demanding customers, and can be deleted or copied).
TACS provides high reliability, availability
and scalability. In addition B2F has advantages as:
• Requires no change in user behavior.
TACS provides a variety of Multi Factor The user is completely unaware of
authentication options (see TriCipher the change and migration to his type
Authentication Ladder below), allowing you of credential from a password-only
to balance security, cost and ease of use system is transparent (even their
based on the results of your risk password remains the same).
assessment.
• No client software. Browser 2 factor
requires no client side software.
• Phishing protection. Browser 2 factor
protects against phishing attacks
whose aim is credential theft.
• Authenticate your web site. Showing
a welcome message reassures the
user that they have reached your
site, not a phisher's replica.
Device 2 Factor (B2F) strong
authentication
Perhaps the easiest to use, deploy and
manage is using the login device as second
factor. With this type of credential, the
Browser 2 Factor (B2F) strong second factor is stored securely on the PC.
authentication
The user has nothing new to carry, but does
The Browser 2 Factor rung of the TriCipher
need a small piece of client side software,
Authentication Ladder offers a zero
3. the TACS ID Tool. The device 2nd factor Additional credential types
provides strong protection against all types TACS provides for other credential types,
of phishing including man-in-the-middle. including smart cards and using three or
The client software also provides the more authentication factors.
additional benefit of performing an optional
security presence check before TriCipher Authentication Gateway
authentication. Device 2 factor is often used (TAG) strong authentication
for high net worth consumers, business The TAG is an integral part of the TriCipher
banking customers, active traders, Armored Credential System (TACS), The
administrators at individual branches (or at TriCipher Authentication Gateway (TAG)
client companies) and channels such as acts as a services layer for web applications.
mortgage brokers. The TAG reduces the time to deploy strong
authentication, increases authentication
Portable 2 Factor
performance, and ensures the security of
Portable 2 factor takes advantage of the
the login process by providing a single
security of multi-part credentials to use
standardized strong authentication service
commodity storage products or consumer
for use by every application within an
electronics as a 2nd factor for
organization. The TAG, based on patent
authentication. Users can choose something
pending technology, manages the
they carry already such as an MP3 player or
authentication for every level of the
USB memory stick, or the financial
TriCipher Authentication Ladder including
institution can issue something branded.
passwords, browser cookies/certifications,
The 2nd factor in this case is protected by
PCs, portable devices, tokens, smart cards
rolling key technology to defeat would-be
and biometrics to provide a unified
thieves. Portable 2 Factor provides strong
authentication infrastructure. When users
protection against all types of phishing
log into any web application, they are
including man-in-the-middle. The TACS ID
handed off to the TAG to manage the entire
Tool is required for this type of credential
authentication process and verify the
and provides the additional benefit of
credentials of each user with the ID Vault.
performing an optional security presence
Once authenticated through the ID Vault,
check before authentication.
the TAG delivers a SAML token to the SaaS
Armored Token 2 Factor solution like SalesForce.com which either
Armored Token 2 factor protects one time validates the SAML assertion or passes it via
password tokens from man-in-the-middle a back trusted channel to the TAG for re-
attacks. This type of credential also requires validation and then provides the user the
the TACS ID Tool and provides the option of appropriate level of access.
a security presence check. Armored Token 2
How does the integration work?
factor is often used to protect existing one
time password deployments.
The TACS solution consists of the TAG and
the ID Vault. The solution can either be
4. hosted internal to the organization or as a 2) User then strongly authenticates to TAG.
hosted service. TAG validates the users’ strong
authentication credentials with the ID Vault.
Users are initially given a strong credential
before the single sign-on feature for 3) Once the TAG authenticates the users’
SalesForce.com is turned on. This involves strong credential, it submits the user id and
batch loading the users into the TriCipher a SAML token (as password) to
system and generating a one-time-use SalesForce.com.
activation code that can be sent to the
users via email, SMS or even a phone call. 4) SalesForce.com then validates the user id
and then sends a SOAP/XML message with
Based on the type of licensed user id and SAML token (the one we passed
SalesForce.com Edition you may need to them in step 3) to a web service on the
request SalesForce.com to turn on single TAG.
sign-on (SSO) AFTER your users have
registered for strong authentication. The 5) TAG then validates the SAML token and if
Enterprise and Unlimited Editions are more valid it returns a SOAP/XML message
flexible and allow you to turn on single sign- confirming the user authentication to
on on a per user basis by creating a new SalesForce.com
profile for SSO. You can turn on SSO before
the users register and enable SSO 6) SalesForce.com then allows the user to
individually for each user by clicking on a access (single sign-on) to their
checkbox in SalesForce.com SalesForce.com application.
Users go through a registration period
where they login to the TAG and are given
their second factor for strong
authentication. On the cut-over day, single
sign-on is turned on for the users and they
are provided the HTTP link to login to
SalesForce.com – this can be on an internal
customer portal where users click on a URL
to login to SalesForce.com securely.
The process flow for the user to login to
salesforce.com is as below:
1) User clicks on the URL for Strong
Authentication to SalesForce.com. User
lands on TAG and inputs their username. Users are now required to login to
5. SalesForce.com using TriCipher strong
authentication. Users that try to go directly
to SalesForce.com will not succeed as they
are required to login securely via TriCipher.
Summary
The TriCipher solution gives organizations
powerful, seamless and flexible strong
authentication capabilities to secure access
to SalesForce.com. Customers can further
leverage this central authentication
infrastructure to secure access to internal
and external web applications.
Contact
TriCipher Headquarters:
750 University Avenue, Suite 260
Los Gatos, CA 95032
Phone: +1.650.372.1300
Fax: +1.650.376.8301
TriCipher US sales:
Email: sales@tricipher.com
Phone: +1.650.376.8326
Fax: +1.650.376.8301
TriCipher EMEA sales:
Email: emea@tricipher.com
Phone: +44 (0) 1223 451 075
Fax: +44 (0)1223 451 1