Authentication

Access control is critical to maintaining our strong security posture, and we can provide our authentication service – which includes private, dedicated two-factor authentication – on a secure platform, dedicated to your organisation. Our access control system has been built upon entirely open source components and developed over five years of operational experience, providing the necessary blend of practicality and security. Contact us for a quote.

At the heart of the system is OpenLDAP, the open source version of Microsoft's Active Directory. In fact, because OpenLDAP and Active Directory are so similar, integrating with your Microsoft user directory for authentication purposes is straightforward.

The LDAP protocol is a very well established and accepted means of exchanging authentication information, and most applications your organisation works with will likely support LDAP integration out of the box. For applications where you need an extra level of security, we provide Yubikey authentication, developed by Yubico:

Yubikey

The Yubikey itself is a simple USB device that behaves as a keyboard when plugged in. There is a small gold disk on top which, when pressed, generates a One Time Password (OTP) – a long string of random characters. This string is generated using a public encryption key held on the device itself, and the private encryption key – used to confirm the OTP is valid – is kept securely in your organisation's private keystore, only accessible via an API. Once associated with a user account, the Yubikey offers a secure alternative or augmentation to password-based security. With the Yubikey it is entirely possible to remove passwords from your organisation and replace them with a handy and easy-to-use device.

Yubico publish the code of their second-factor authentication system as open source, so while you can use their public YubiCloud to authenticate against popular services, you can also run your own Yubico authentication endpoint within your own infrastructure. It consists of three parts:

  • An extension of the LDAP directory classes to allow storage of Yubikey identifying data (so you can identify a specific device as belonging to a specific person).
  • An endpoint server, which provides a simple API for verifying if a Yubikey is known to the system or not (returning a binary yes/no response).
  • A private keystore, for securely storing the identity of every registered Yubikey in your organisation.

As with LDAP, there are already numerous ready integrations for Yubikeys in popular software. For example, we run an open source PAM (todo: name) module on all Linux servers which lets us require a valid Yubikey before a user can log in or operate as the root user. We also use an open source Symfony component for identifying Yubikeys from PHP applications based on Symfony, such as Drupal 8.

If you want to integrate your own application, the workflow is simple. You can either insist on three factors of authentication (username, password and Yubikey OTP) – as is more usual – or settle for two and go passwordless (just username and Yubikey OTP).
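The login workflow just described, together with the device-to-person binding stored in the directory (the first of the three parts listed above), can be put together in a few dozen lines. The following is an added example written for this page, not code from the service or from Yubico: the directory record layout, the `verify_endpoint` callable standing in for the yes/no API of the endpoint server, the fake endpoint and all sample OTPs and credentials are constructed for the demonstration. What it does take from the real Yubico OTP format is that a token is 44 ModHex characters, of which the first 12 are the public ID that identifies the device.

```python
"""Three-factor (or passwordless two-factor) login check built around a
Yubikey OTP, illustrating the workflow described on the page.

Assumptions (not from the page): the directory record format, the
validation endpoint's Python interface and all sample data below are
constructed for this example.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# A Yubico OTP is 44 ModHex characters: the first 12 are the public ID
# that identifies the device, the remaining 32 are the encrypted
# one-time part that only the keystore-backed endpoint can check.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12


def parse_otp(otp: str) -> Optional[str]:
    """Return the 12-char public ID if `otp` is structurally valid, else None.

    A Yubikey typed into the wrong window or pasted garbage is rejected
    here before anything is sent to the endpoint.
    """
    otp = otp.strip()
    if len(otp) != OTP_LENGTH or any(c not in MODHEX_ALPHABET for c in otp):
        return None
    return otp[:PUBLIC_ID_LENGTH]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the directory stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user: str, password: Optional[str], otp: str,
                 directory: Dict[str, dict],
                 verify_endpoint: Callable[[str], bool],
                 require_password: bool = True) -> bool:
    """Return True only if every configured factor checks out.

    `directory` maps username -> {"salt", "pw_hash", "yubikey_public_id"}
    (the per-user Yubikey data the page stores in LDAP, flattened here).
    `verify_endpoint` is the yes/no API of the page's endpoint server.
    """
    record = directory.get(user)
    if record is None:
        return False

    if require_password:                      # three-factor mode
        if password is None:
            return False
        candidate = hash_password(password, record["salt"])
        if not hmac.compare_digest(candidate, record["pw_hash"]):
            return False

    public_id = parse_otp(otp)
    if public_id is None:
        return False
    # The token must come from the device registered to *this* user: a
    # perfectly valid OTP from someone else's Yubikey is rejected here.
    if not hmac.compare_digest(public_id, record["yubikey_public_id"]):
        return False

    # Only now ask the keystore-backed endpoint whether the OTP itself is good.
    return verify_endpoint(otp)


# --- Constructed sample data (not real credentials or devices) -----------
ALICE_SALT = b"constructed-salt"
DIRECTORY = {
    "alice": {
        "salt": ALICE_SALT,
        "pw_hash": hash_password("correct horse", ALICE_SALT),
        "yubikey_public_id": "ccccccbcgujh",
    },
}

# Stand-in for the endpoint server: in this demo it accepts any
# structurally valid OTP whose public ID is in the keystore. A real
# endpoint also decrypts the one-time part before answering yes or no.
KNOWN_DEVICES = {"ccccccbcgujh", "ccccccbcgujk"}


def fake_endpoint(otp: str) -> bool:
    return parse_otp(otp) in KNOWN_DEVICES


ALICE_OTP = "ccccccbcgujh" + "c" * 32     # constructed token from alice's key
STRANGER_OTP = "ccccccbcgujk" + "c" * 32  # constructed token from another registered key

if __name__ == "__main__":
    print(authenticate("alice", "correct horse", ALICE_OTP, DIRECTORY, fake_endpoint))
```

The order of the checks is the point worth noting: the OTP is checked for shape and matched against the public ID stored on the user's own directory entry before the endpoint is consulted, so a token from a different registered device, even one the keystore would accept, never authenticates the wrong account. Passing `require_password=False` gives the passwordless two-factor mode.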

* excludes set-up costs, assumes 2 x small private cloud servers for API and keystore and 1 x medium private cloud server for OpenLDAP.