Increased Security

01.03.06

SAP Enterprise Portal Authentication (E-3 issue 3/2006)


Complicated and expensive: that is the common opinion about strong two-factor authentication. Yet in the context of authentication, security is of double importance. On the one hand, sensitive data must be securely protected against unauthorized access. On the other hand, a sound trust relationship needs to be established between a company and its partners, customers and suppliers. If portals are protected only by username and password authentication, this may lead to uncertainty among users who are aware of these risks.

The security aspect gains additional importance because companies also provide Single Sign-On (for reasons of user-friendliness) with their portal implementation; after initial authentication, customers can visit different areas of the portal without having to enter their user credentials again. The bigger the area a user can access, the higher the damage caused by unauthorized, criminal access. As a result, the initial authentication must be designed to be as secure as possible.

So far, portal operators have had two options for enhancing access security: one-time password tokens and PKI (Public Key Infrastructure, X.509 certificates). Both methods guarantee the highest security standard. But costs and logistical effort, such as shipping the hardware to frequently changing users, put a non-negligible burden on operators.

A more cost-efficient, strong two-factor authentication has been developed with the IdentityGuard by Entrust. The SI EP/Agent by SecurIntegration GmbH enables the use of this solution for authentication on the SAP Enterprise Portal 6.0.

As usual, the user receives a username and password at initial registration. In addition, every user is issued a unique, personal Grid Card that is linked to the user's profile. On the Grid Card, numbers and letters are arranged in a manner comparable to a Bingo card. During authentication the user first enters his password. In the second step he is asked to enter the values at three (or more) coordinates, which change with every login, read off the Grid Card. Thus, the combination of knowledge (password) and possession (Grid Card) makes unauthorized access much more difficult.
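The challenge-response step described above, as an added illustration that is not code from SecurIntegration, Entrust or the SI EP/Agent; the 5x10 card layout, the cell alphabet and the one-shot challenge bookkeeping are assumptions made for this example:

```python
import hmac
import secrets
import string

# Assumed card layout for illustration: rows A-E, columns 1-10,
# each cell holding one alphanumeric character (real cards differ).
ROWS = "ABCDE"
COLS = range(1, 11)
ALPHABET = string.ascii_uppercase + string.digits


def generate_card():
    """Return a fresh card: {(row, col): cell} filled from a CSPRNG."""
    return {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}


def make_challenge(n=3):
    """Pick n distinct coordinates the user must read off the card."""
    coords = [(r, c) for r in ROWS for c in COLS]
    picked = []
    while len(picked) < n:
        coord = secrets.choice(coords)
        if coord not in picked:
            picked.append(coord)
    return picked


def verify_response(card, challenge, response):
    """Compare the user's answer with the card cells in constant time."""
    expected = "".join(card[coord] for coord in challenge)
    given = response.strip().upper()
    return hmac.compare_digest(expected.encode(), given.encode())


class GridCardAuthenticator:
    """Server-side second factor: issue a challenge, accept its answer once."""

    def __init__(self, card):
        self.card = card
        self.pending = {}  # challenge id -> coordinates, consumed on use

    def issue_challenge(self, n=3):
        cid = secrets.token_hex(8)
        self.pending[cid] = make_challenge(n)
        return cid, self.pending[cid]

    def verify(self, cid, response):
        # pop() makes the challenge single-use: replaying an answer fails
        coords = self.pending.pop(cid, None)
        if coords is None:
            return False
        return verify_response(self.card, coords, response)
```

The password check (first factor) is assumed to have succeeded before `issue_challenge` is called; the grid answer is only accepted for the exact coordinates issued and only once.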

To further minimize security risks, password and Grid Card should be distributed via different media. The password, for example, may be sent to the user by email, while the Grid Card is sent by regular post, by fax or as a TIF file to the user's mobile.

Portal operators who have postponed the topic of access security for financial reasons may now (possibly) find the desired cost-value ratio, enhanced security at low cost, with Entrust IdentityGuard. Hardware and shipping costs are favorable, the use is simple and training unnecessary.

Guido Schneider, SecurIntegration GmbH