Authentication Archives - Version 2 Limited

CyberLink Corp. (5203.TW), a pioneer in AI and facial recognition technologies, today announced Japanese Digital Key Platform Company Bitkey Inc. (Bitkey) has adopted FaceMe® AI Facial Recognition into its Platform for managing digital keys solution. The integration provides facial identification, authentication and access control for multiple use cases, including smart access to buildings and smart security.

Japanese Digital Key Platform Company Bitkey Inc. Adopts CyberLink FaceMe® To Enable Contactless Face Authentication

Bitkey, founded in 2018, is a Japanese startup that provides various smart lock, smart access and security solutions for homes and buildings. The new Bitkey platform was designed to enable contactless facial recognition to identify individuals and enable secure entry for homes, offices as well as admission tickets at concert venues. At this stage, the technology was first deployed in an apartment building in the Koto District, Tokyo city. Residents can use their faces as keys to safely enter the house, eliminating the inconvenience of using security cards or traditional keys.

“Access, security and safety will always be a priority for smart buildings and facial recognition is one of the best technologies for identification and authentication,” said Dr. Jau Huang, CEO of CyberLink. “With the Bitkey platform now powered by FaceMe®, residents will not only have a more convenient and seamless way to enter and exit their building, but they will have confidence in the security of their home.”

“Bitkey platform” is powered by the CyberLink FaceMe® AI facial recognition engine. FaceMe® supports a wide range of IoT/AIoT technologies and platforms, such as CPUs (Intel® CPUs, supporting OpenVINO™ and ARM CPU), AI vision processing units (Intel® Movidius™) and IoT platforms (Nvidia Jetson™). For IoT/AIoT applications, FaceMe® can run on light-weight, low power consumption platforms, facilitating developers’ deployment of facial recognition across different use cases.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CyberLink
Founded in 1996, CyberLink Corp. (5203.TW) is the world leader in multimedia software and AI facial recognition technology. CyberLink addresses the demands of consumer, commercial and education markets through a wide range of solutions, covering digital content creation, multimedia playback, video conferencing, live casting, mobile applications and AI facial recognition. CyberLink has shipped several hundred million copies of its multimedia software and apps, including the award-winning PowerDirector, PhotoDirector, and PowerDVD. With years of research in the fields of artificial intelligence and facial recognition, CyberLink has developed the FaceMe® Facial Recognition Engine. Powered by deep learning algorithms, FaceMe® delivers the reliable, high-precision, and real-time facial recognition that is critical to AIoT applications such as smart retail, smart security, and surveillance, smart city and smart home. For more information about CyberLink, please visit the official website at www.cyberlink.com

EAP
802.1X uses an Extensible Authentication Protocol (EAP) for a challenge and response-based authentication protocol that allows a conversation between a Supplicant (the wireless/wired client) and the RADIUS (the authentication server), via an Authenticator (a wired switch or wireless access point which acts as a proxy). EAP supports multiple authentication methods, some of them are secure and some of them are vulnerable (although old endpoints still support them).

802.1X authentication with Portnox CLEAR
DIAGRAM: An example of how EAP works with Portnox CLEAR.

EAP-TLS
With 802.1X authentication via EAP Transport Layer Security (or EAP-TLS), there is a mutual certificate authentication, as it relies on the Supplicant (endpoint) and RADIUS certificate’s “handshake.”

Advantages:

Mutual certificate authentication
The authentication process takes place inside a secure SSL tunnel
The user/machine certificate is linked to the relevant user/computer identity, which makes stealing attempts useless (in contrast to stolen credentials)
Disadvantages:

The identities are sent in a clear text before the certificates exchange process starts
Deployment and lifecycle maintenance of endpoint certificates might be costly in small environments

EAP-TTLS
By using 802.1X EAP Tunneled Transport Layer Security (or EAP-TTLS) is an extension of EAP-TLS. After the RADIUS is authenticated to the Supplicant by its certificate (including an optional TLS authentication of the Supplicant to the RADIUS), the Supplicant proves its identity via PAP or MSCHAPv2

Advantages:

The authentication process takes place inside a secure SSL tunnel
User identity is not exposed
Can use multiple methods to authenticate inside the tunnel – certificates / user identities
EAP-TTLS can be used for network authentication by Azure Identity when AD-DS is not enabled (MSCHAPv2 is not available)
Disadvantages:

It does not support MSCHCAPv2 without enabling Directory Services with Azure AD (a limitation of Azure AD itself)
Client-side certificate is not required, only optional

EAP-PEAP
With 802.1X authentication via EAP Protected Extensible Authentication Protocol (or EAP-PEAP), only the RADIUS needs a certificate. With that certificate, the endpoints create an encrypted TLS tunnel to pass the authentication details. The most common protocol used to authenticate the endpoints, when using PEAP, is MSCHAPv2 challenge and response, which is used to authenticate both the server (usually Active Directory / Azure AD) and the supplicant (endpoint). The process involves challenge – response where both share a random hash that’s computed with the identity’s credential without sending the password across the network.

The authentication process takes place inside a secured SSL tunnel
User identity is not exposed
Simple deployment – allow the usage of username and password which the end-user is already familiar wit,h such as Active Directory or local account credentials
Disadvantages:

This method requires a password changing policy to remain secure
If the endpoints are not hardened they are exposed to “evil twin” attacks

EAP-MD5
One of the legacy 802.1X approaches of EAP is Message Digest 5 (or EAP-MD5), the RADIUS server sends a random challenge to the Supplicant which generates an MD5 Hash of its credentials and the challenge, which is then sent back to the RADIUS for validation. By using this method of 802.1X authentication, however, the supplicants don’t send their passwords to the RADIUS for validation, but rather use hashes.

Advantages:

EAP-MD5 is compatible with legacy network equipment and older type of endpoints
Disadvantages:

It is exposed to dictionary attack – password “guessing”
Vulnerable to man-in-the-middle attacks since there is no mutual authentication

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。

Portnox 802.1X EAP Authentication