Chat Transcript: Office Hours for CA Advanced Authentication [MAY 2016] 

May 03, 2016 01:02 PM

from Kristen Malzone (CA) to Everyone:

Hi Suguna! Thanks for joining!

from Suguna Ravichandran to Everyone:

Hi Kristen, NP

from Kristen Malzone (CA) to Everyone:

We'll get started in about 6 minutes.

from Kristen Malzone (CA) to Everyone:

Hi Somi! Thanks for joining!

from Kristen Malzone (CA) to Everyone:

Alright, let's get started!

from Kristen Malzone (CA) to Everyone:

Welcome to Office Hours for CA Advanced Authentication.

from Kristen Malzone (CA) to Everyone:

My name is Kristen and I am the Community Manager for CA Security.

from Kristen Malzone (CA) to Everyone:

All conversation during Office Hours happens right here in the WebEx chat window.

from Kristen Malzone (CA) to Everyone:

We have representatives from Product Management, Support, PreSales, Education, Services and Marketing present to answer your questions!

from Kristen Malzone (CA) to Everyone:

So, please ask away!

from Kristen Malzone (CA) to Everyone:

@Michael Thanks for joining!

from Kristen Malzone (CA) to Everyone:

Quiet group today!

from Kristen Malzone (CA) to Everyone:

Anyone have a question about CA Risk Authentication or CA Strong Authentication for our product experts?

from Suguna Ravichandran to Everyone:

Quick question: during the authentication process, there is an option to authorize the device, isn't there? Is that info stored within AuthMinder/RiskMinder?

from Charley Chell to Everyone:

Suguna, are you asking about device registration, or are you asking where credentials are stored? Not sure.

from Suguna Ravichandran to Everyone:

Not about the credentials. We have an application that goes through 2-factor authentication where security QnAs are presented; when the user chooses to authorize the device, the QnA portion is skipped.

from Suguna Ravichandran to Everyone:

Wondering if that info (whether the user authorized or not) is stored anywhere in the AM/RM db.

from Charley Chell to Everyone:

Okay, you're talking about using the device as a second factor

from Michael K. Craghead to Everyone:

I thought it would be more of a presentation rather than just a question and answer session, so chat only seems odd... In setting up a 2nd factor authentication, is that done with a soft token on the desktop?

from Suguna Ravichandran to Everyone:

@Charley: we are using challenge/response authentication.

from Charley Chell to Everyone:

When we use a device for 2FA we store a credential (really a key) on the device. That is registered on the Authentication Server, but the main point is that the credential is stored on the device.

from Kristen Malzone (CA) to Everyone:

@Michael - We do host Community Webcasts also, but Office Hours are just Q&A.

from Charley Chell to Everyone:

@Suguna, yes, you are using the CA Auth ID (fka ArcotID) credential

from Michael K. Craghead to Everyone:

@Kristen OK. Thanks

from Pipes to Everyone:

Hi, question... the current AuthMinder version only supports 1 telephone and 1 email mapping... when will it support multiple telephone numbers and email addresses?

from Namish Tiwari to Everyone:

@Michael What is the business need? It depends upon that. We have the capability where you can use multiple devices to generate OTP from CA Mobile OTP; we provide a Mobile client and a Desktop client for that.

from somi to Everyone:

Hi there, is it possible to develop the code in .NET? Do you have customers that use the Custom AFM in .NET? If yes, then is the install different than the Tomcat one for the app servers?

from Charley Chell to Everyone:

@Pipes, correct, we support one phone and one email. Support has some tricks to get around that, but it complicates the implementation so I don't suggest it. This is a feature we should add to our backlog.

from Michael K. Craghead to Everyone:

@Namish Does CA Mobile OTP refer to mobile devices and to desktops? That part isn't clear.

from somi to Everyone:

What is the latest and greatest software available for Strong Auth, Risk Auth and SM Adapter? Is it 8.1.2 for all of them? I did not see one for Adapter... wanted to double check with you.

from Namish Tiwari to Everyone:

@Somi CA Strong Auth and CA Risk Auth provide web services and an SDK. With web services you should be able to generate code in whatever language you need; in the case of Adapter you cannot have code in .NET.

from Charley Chell to Everyone:

@Somi, yes 8.1.2 is the latest and greatest. It is a patch on top of 8.1.0 and thus contains only the necessary binaries.

from Namish Tiwari to Everyone:

@Somi you are correct, 8.1.2 is the latest and greatest and it's a patch; it is a patch on the AA side. Adapter should be 8.1 only.

from Suguna Ravichandran to Everyone:

@Charley: yes, we use ArcotID, but we also have a step-up authentication which can be bypassed by authorizing the device. Trying to see if this data (whether the user authorized the device or not) is stored in the AM db.

from Namish Tiwari to Everyone:

@Michael CA Mobile OTP is a credential name; it can be used using a client on a mobile device, or it can be used using the Desktop client for desktop.

from Charley Chell to Everyone:

@Somi, by the way, I understand that you are looking for TLS 1.2. This is slated for our next release, 8.1.3, and is being worked on now. We'll publish a date as we get closer to the release.

from somi to Everyone:

@namish: that's great news. Yes, we have been slammed by our ITS big time for TLS. Thank you! But I do have a question though wrt the .NET Web Custom Code.

from Michael K. Craghead to Everyone:

I have a situation where our client hasn't picked an authentication platform yet. What options does CA Adv. Auth. provide for integrating with non-CA products?

from Pipes to Everyone:

@Charley, for our initial implementation we can go by without multiple telephone/email, but a larger roll out currently under way to everybody requires multiple tele/email addresses. I am afraid we have to pick up your "support tricks" to provide that functionality.

from somi to Everyone:

@namish: Does it require a different installation for .NET for the AA app servers? Does it have to be in Tomcat and NO IIS, correct?

from Charley Chell to Everyone:

To Michael's question on integrating with other products: AdvAuth has a full complement of APIs and RADIUS support.

from Namish Tiwari to Everyone:

@Somi, you can leverage the web services we have for both CA Strong Auth and CA Risk Auth. Using web services you can generate code in any language you wish to; the infrastructure should be .NET related, and I do not think Tomcat can host that.

from somi to Everyone:

If we call the web services from a .NET app, do you have documentation for this: what the services are and what do we need to call?

from Charley Chell to Everyone:

Yes, all the APIs are documented. There are Web Services and Java Dev Guides.

from somi to Everyone:

OK, great, thank you so much!

from Michael K. Craghead to Everyone:

There seems to be a distinction within CA Adv. Auth. related to Strong Auth. and Risk Auth. Are both needed to set up MFA?

from Charley Chell to Everyone:

Strong Auth and Risk Auth complement each other. Technically you can meet MFA with Strong Auth only, but the addition of Risk assessment allows you to improve the customer experience and add an additional layer of protection.

from Namish Tiwari to Everyone:

@Suguna AuthMinder aka CA Strong Authentication has two-factor credentials like CA Auth ID aka ArcotID and CA Mobile OTP aka ArcotOTP; these are two-factor credentials which are stored on the client machine, maybe in the browser or in the file system depending upon the implementation. CA RiskMinder aka CA Risk Authentication generates a DeviceID which is stored on the browser as a cookie and in the database as well, so unless the browser cookie is removed the authorization will keep on going; else you need to generate a new DeviceID in the next request. This is implicit.

from Michael K. Craghead to Everyone:

@Charley Improve the customer experience how?

from somi to Everyone:

@namish: Just wanted to clarify one small thing. When I say .NET App, I am talking about the Custom Code for the AA flows. But when it comes down to Web Fort and Risk Fort, they are only supported by the app server Tomcat, right?

from Charley Chell to Everyone:

Sure, I'll say more on improving customer experience. Risk assessment is used both to identify good people and bad people. So you can fast track good people, e.g., where the risk is assessed as very low, and of course you can add additional authentication steps or perform other actions (like alert the back office) if risk is assessed as high.

from somi to Everyone:

What is Roaming Auth and how is it implemented from a security standpoint within the Multi-factor Authentication of the AA solution?

from Namish Tiwari to Everyone:

@Somi, on the Admin and UDS side we support Tomcat, WebSphere and WebLogic, but for your application which is developed using the web services you have to host on an app server or web server which supports .NET infrastructure; it can be IIS. You have to manage that infrastructure as you are developing those things, and you can take help through a Services engagement as well.

from Namish Tiwari to Everyone:

@Somi, Roaming Auth has multiple advantages, like when you want to log in from your other desktop or are travelling and need to log in from a remote machine; in that case you should be able to log in successfully. Suppose I am travelling and I have a laptop which I do not use, but to do my day-to-day activity I have to log in to the website. So you can access the website and, as we could not find your credentials on the client machine, we will ask for the secondary authentication, and upon successful authentication the two-factor credential will be downloaded and you should be able to access the site.

from Namish Tiwari to Everyone:

Roaming is only for two-factor credentials like CA AuthID aka ArcotID or CA Mobile OTP aka ArcotOTP.

from Namish Tiwari to Everyone:

@Suguna do you have any question, or did you understand the explanation?

from Kristen Malzone (CA) to Everyone:

Check out this great blog post in the CA Security Community, "OAuth 2.0, OpenID Connect and JWT – What are they and why do you care? - Pt1" -> https://communities.ca.com/community/ca-security/blog/2016/04/29/oauth-openid-connect-and-jwt-what-are-they-and-why-do-you-care-part-1-of-2

from Suguna Ravichandran to Everyone:

@Namish: your explanation made sense, but what I am trying to see is: is there any data/log on the server that tells us if the user logged in in a roaming scenario or not?

from somi to Everyone:

I have the same question as Suguna

from somi to Everyone:

How would I know if the user has logged in as Roaming or regular? What would be the secondary authentication for Roaming? Could we have OTAC/OTP as part of the roaming?

from Charley Chell to Everyone:

"Roaming" is when the user adds their credential to a second, third, ... device. It's a one-time thing. Once they've added the credential they have "roamed" their credential to that device and they can use it just like any other device that they have used previously.

from Charley Chell to Everyone:

Namish tells me that you can obtain a report of these events.

from Suguna Ravichandran to Everyone:

In our case, when they are in a roaming scenario, they will be presented with step-up authentication (QnA), but I want to know: on the backend is there any info that will tell if the user logged in in a roaming scenario or not?

from Charley Chell to Everyone:

@Namish, what report should they use?

from Charley Chell to Everyone:

@Suguna, yeah, that's the typical scenario. In order to use a new device the user must pass some additional authentication like QnA or OTP via SMS.

from Namish Tiwari to Everyone:

@Somi for secondary authentication you can choose any credentials. OOTB we provide QnA, OTP over SMS, OTP over email, and ArcotOTP on a mobile device. This will be a process where we are ascertaining that the user is who he/she claims to be, and once that is done we can download the cred on the new device, or on the same device if the cred is deleted.

from somi to Everyone:

OK, that's great. Thanks a lot!

from Suguna Ravichandran to Everyone:

Thanks Charley, Namish. Please share the report name that would provide the info.

from Michael K. Craghead to Everyone:

Thanks for the answers to all the great questions everyone asked.

from Namish Tiwari to Everyone:

@Somi @Suguna You can run the Authentication activity report, as all the data is logged with respect to a user transaction. You have to filter the report for that user to see if they are going through additional Auth. Suppose QnA is set for secondary auth; then we have to see if the user is going through QnA, because in a regular scenario you will only see data related to Authentication, but if the secondary Auth cred is called, that will tell you that the user is roaming or trying to re-download the credentials.

from Namish Tiwari to Everyone:

You will not see anything getting printed as Roaming, and due diligence is needed, but all the data is captured with respect to a transaction.

from Suguna Ravichandran to Everyone:

OK, thanks Namish.

from Kristen Malzone (CA) to Everyone:

10 minutes left! Get your final questions in now!

from Dudley Cadet to Everyone:

Wouldn't that report be skewed if users are not authorizing their regular machines?

from Dudley Cadet to Everyone:

For example, users logging in from shared work machine.

from Charley Chell to Everyone:

What do you mean by "a regular machine"? Remember, once you've roamed your credential to a device, it's there, and you can use that device in the future. (Though note, there is a provision to temporarily use a device, for use with public computers.)

from Charley Chell to Everyone:

Okay, we were typing at the same time.

from Charley Chell to Everyone:

Maybe if we ask "What are you going to do with the information?" it would help us understand what the real goal is here. Optimize the user experience, look for attacks, or something else? Maybe we can pick this up at a later time. I think we're out now.

from Kristen Malzone (CA) to Everyone:

That's all the time we have for today. We will take this last question offline.

from Kristen Malzone (CA) to Everyone:

I'll post the transcript for today's session in the CA Security Community -> https://communities.ca.com/community/ca-security

from Dudley Cadet to Everyone:

Thanks.

from Kristen Malzone (CA) to Everyone:

The next Office Hours session for Advanced Authentication will be Tuesday, June 7th!

from Charley Chell to Everyone:

Thanks everyone.

from Kristen Malzone (CA) to Everyone:

Mark your calendar!

from Pipes to Everyone:

@Charley, how do I engage with support to gauge what customization will be required to provide multi phone/email feature? Open a ticket?

from Charley Chell to Everyone:

Yes.

from Kristen Malzone (CA) to Everyone:

@Pipes - Or post to the community -> https://communities.ca.com/community/ca-security

from Pipes to Everyone:

Thank you @Charley.

from somi to Everyone:

Thank you!

from Kristen Malzone (CA) to Everyone:

Thanks everyone! Have a great rest of your week!
