Welcome to the Password-Free Enterprise

Contents
Secret Double Octopus’ Password-Free Authentication
  High Assurance
  Exceptional User Experience
  Reduced Operational Costs
Secret Double Octopus Authentication System
Octopus Authenticator
  High-Assurance Authentication
The Octopus Authentication Server
  Active Directory Workstation and Network Logon
  Password-Free Cloud and Remote Access Services
Octopus Cloud
Secret Sharing
  Secret Sharing applied to Authentication
About Secret Double Octopus
Contact us
Appendix A: Modules in the Octopus Authentication Server
Appendix B: Active Directory Password-Less Alternatives

Copyright © Secret Double Octopus | All Rights Reserved www.doubleoctopus.com 2



Secret Double Octopus’ Password-Free Authentication
Today’s work environment combines on-premise and cloud-based resources, which employees must
access from anywhere, at any time and from any device. This creates the need for tighter, more granular
authentication policies on the one hand, while providing users with a seamless and frictionless experience on
the other. But with passwords as the primary form of authentication, password management has become a
daunting task for users: multiple passwords must be made longer and changed more frequently; security
is undermined as users search for real-world shortcuts; and password-associated costs (refreshes and
resets) become an expensive headache for the company.

Secret Double Octopus offers a groundbreaking, high-assurance, password-free authentication solution
that addresses the needs of the modern workplace. Octopus Authentication uses provably unbreakable
cryptography to replace passwords. It presents the user with a friendly mobile application that works across
all enterprise resources, whether on-premise, remotely accessed or in the cloud.

High Assurance
Octopus Authenticator uses provably unbreakable cryptography that is quantum-safe and highly resistant
to common attacks such as phishing, MITM and cracking. When used on Active Directory domains, Octopus
implements automated, high-frequency password rotation for systems that depend on passwords,
so users are never exposed to passwords, and any attempt to recover and reuse a password to carry out an
attack (e.g. lateral movement) will fail, as the password is valid only for a single session.

Exceptional User Experience
Users never have to recall or type in another password. To authenticate, the user simply enters a PIN or
touches the fingerprint sensor on his phone. The rest happens automatically behind the scenes. The Octopus
single sign-on (SSO) feature means users need to authenticate only once to access all systems.

Reduced Operational Costs
Reduce password costs, including helpdesk calls for password resets, employee down-time due to forgotten
passwords, phishing prevention and password-education budgets.




Secret Double Octopus is the only solution offering high-assurance password-free authentication with:

- Access to all applications, legacy and cloud
- High-frequency auto rotation for Active Directory passwords
- Multi-factor authentication using quantum-safe algorithms

Secret Double Octopus is raising the bar on password-free authentication using strong, provably secure
cryptography to enable a password-free solution that provides high-assurance authentication and
exceptional user experience for accessing all enterprise resources.

Figure 1: Secret Double Octopus authentication equation: Improving the user experience while enhancing security




Secret Double Octopus Authentication System
The Secret Double Octopus Authentication System uniquely combines two critical capabilities:
- High-assurance user authentication that eliminates passwords as a vulnerable single point of failure
- Password-free access to all enterprise environments

The System comprises four main components:

1. Octopus Authenticator
A mobile application that enables secure user authentication.

2. Octopus Authentication Server
Responsible for handling authentication requests and enforcing authentication policies.
It is typically deployed on-premise.

3. Octopus Cloud
A stateless cloud service that helps facilitate authentication sessions with the mobile device.
Octopus Cloud is not exposed to any customer information or key material and is fully managed by
Secret Double Octopus.

4. Octopus Authentication for Windows / MacOS
A Credential Provider agent running on user or server machines, enabling password-free or multi-factor
logon to the machine itself and to the company’s network.

Figure 2: Secret Double Octopus high level architecture
[Diagram: the four numbered components above and the connections between them]




Octopus Authentication Server authenticates users using the Octopus Authenticator app and attests to
relying parties that users have presented authentic credentials. In this capacity, the Authentication Server
supports multiple standards and integrates with multiple systems. Notable standards supported include
RADIUS, SAML, LDAP and REST. Supported systems include Windows, MacOS, Microsoft Active Directory,
VPN systems, cloud services, legacy applications and more. Octopus Authenticator is responsible for securely
storing and transmitting authentication secrets in a manner that prevents them from being compromised.

Octopus Authenticator
The Octopus Authenticator app is, per NIST definitions, a Multifactor Cryptographic Software authenticator
for conducting high-assurance user authentication. It is the only application of its kind to leverage Shamir
Secret Sharing to prevent MITM, key theft and cloud attacks. It is this high level of security that makes the
solution high-assurance and enables eliminating passwords without compromising security. As a result,
enterprises using Secret Double Octopus become a password-free workplace while improving their
security posture.

[Graphic: High Assurance Protection; Seamless User Experience; Smooth Integration for All Use Cases]




High-Assurance Authentication
The Octopus Authenticator provides high-assurance authentication:

1. Its authentication session key is tightly bound to the mobile device (something the user has).
2. Using the authenticator requires on-device authentication based on a biometric signature and/or PIN
(something the user is or something the user knows).
3. The authentication secret itself is made resistant to interception using secret sharing cryptography,
complemented by anti-tampering, anti-reverse-engineering and obfuscation measures.

When using the Octopus Authentication solution, the user experiences an intuitive, hassle-free
authentication process. To authenticate, the user simply provides a PIN or touches the fingerprint
sensor on his phone, and all the rest happens automatically and transparently behind the scenes.
When compared to traditional password-based authentication, the user never has to recall a hard
password, and never has to type anything on their computer.

Figure 3: Octopus’s Multi-layered Authentication process, high assurance in a friendly package.




The Octopus Authentication Server

The Octopus Authentication Server authenticates an Octopus Authenticator using a secret sharing
protocol, at the end of which shares are securely exchanged and a shared secret established. Once
the secret is verified, the user is authenticated. From there, the Authentication Server can provide
attestations to relying parties for the user identity.

The Authentication Server is typically deployed on the enterprise domain, where it is configured
to access the directory service and to work with relying parties that are either on-premise or off.
Connecting to the directory service allows the administrator to assign Octopus Authenticators to
users and define authentication policies. Connecting with the relying parties can be done by
configuring standard interfaces (e.g. RADIUS, SAML) or by defining a non-standard interface.

In some cases, the Authentication Server authenticates the user and produces the required attestation
for the relying party. In other cases, the Authentication Server may also need to facilitate the exchange
of a session secret required by the relying party. For example, legacy systems that are still heavily
dependent on passwords may require that a password be produced. In such cases, the Authentication
Server will provide a temporary session password that will be reset at the end of the session and
refreshed when a new session is established.

Figure 4: Components of the Octopus Authentication Server
[Diagram: Management End-Point; Authentication Server modules; Databases (DB); interfaces RADIUS, REST API,
SAML and LDAP; Secret Share Engine, which generates new shares and sends them to the mobile app via multiple channels]




Active Directory Workstation and Network Logon

For most enterprises, the most sensitive credentials are those of the workstation and network logon
passwords, because they are a gateway to sensitive company assets. For many enterprises, Active Directory
(AD) is the almost ubiquitous identity backbone. Secret Double Octopus’ Authentication System is tightly
integrated with AD, to ensure its password-free authentication can work everywhere AD is responsible
for access control.

Octopus Authentication for Windows and MacOS enables users to log on to the domain from their
workstations using their Octopus Authenticator. A Credential Provider client running on the workstation
enables the user to authenticate to the machine and the network domain using only their Authenticator.
Attempts to recover the password and reuse it to carry out an attack (e.g. lateral movement) will fail, as the
password is automatically changed at high frequency while the user does not handle the password at all.
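The paragraph above, and the Authentication Server section before it, describe a temporary session password that is set when a session begins and reset when it ends. The model below is an added example, not Secret Double Octopus code: an in-memory, hash-only dictionary stands in for the directory service, the authenticator is assumed to have already proven the user's identity (the secret-sharing step is outside this block), and the user name, the 32-character credential length and the PBKDF2 round count are constructed values. AD's own policy rules (complexity, history, minimum age) are not modelled. The check at the end shows the property the text claims: a credential captured during one session is rejected once that session has ended.

```python
# Added example, not Secret Double Octopus code: a model of per-session password rotation for
# a directory that still requires a password. The directory is an in-memory dict (assumption);
# AD's own policy rules (complexity, history, minimum age) are not modelled.
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PASSWORD_LEN = 32        # assumed length; the page only says "complex, short lived"
PBKDF2_ROUNDS = 50_000   # assumed; enough for the demo, not a production recommendation


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the directory never stores the plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class RotatingDirectory:
    """Stand-in for the directory service: keeps only a salted hash per account."""

    def __init__(self):
        self._accounts = {}  # user -> (salt, digest)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, _digest(password, salt))

    def verify(self, user, password):
        record = self._accounts.get(user)
        if record is None:
            return False
        salt, digest = record
        # Constant-time comparison of the stored and freshly computed digests.
        return hmac.compare_digest(digest, _digest(password, salt))


def random_credential():
    """A fresh high-entropy credential; the user never sees it, so memorability is irrelevant."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


class SessionBroker:
    """Plays the Authentication Server's role in steps 4 and 5 of Figure 5. It assumes the
    authenticator has already proven the user's identity (the secret-sharing step)."""

    def __init__(self, directory):
        self.directory = directory

    def begin_session(self, user):
        credential = random_credential()
        self.directory.set_password(user, credential)
        return credential  # delivered to the Credential Provider, never to the human

    def end_session(self, user):
        # Rotate at once, so anything captured during the session is worthless afterwards.
        self.directory.set_password(user, random_credential())


def replay_demo(user="alice@example.com"):
    """Log on, log off, then attempt to reuse the credential captured from the first session."""
    directory = RotatingDirectory()
    broker = SessionBroker(directory)
    captured = broker.begin_session(user)      # what an eavesdropper on the logon could see
    logon_ok = directory.verify(user, captured)
    broker.end_session(user)
    replay_ok = directory.verify(user, captured)
    return {"logon_during_session": logon_ok, "replay_after_session": replay_ok}
```

`replay_demo()` returns `{"logon_during_session": True, "replay_after_session": False}`; the second value is the point of the design, since the credential is tied to one session rather than to the user's memory.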

Figure 5: Active Directory password-free authentication process
[Diagram: device factor and user factor on the phone, a randomized password delivered to the Windows login
for User: user@domain.com; labelled "password free, more secure"]
1. Octopus Credential Provider initiates the authentication protocol
2. Secret Sharing protocol establishes user identity
3. User identity established
4. Octopus Authentication Server provides a complex, short-lived credential
5. Domain logon established




Password-Free Cloud and Remote Access Services

The Octopus authentication system also supports authentication to cloud services. Through simple
configuration, employees can authenticate to any cloud service that supports web authentication
standards such as SAML and OpenID Connect (OIDC). Employees accessing the corporate network
remotely (using various remote access tools such as VPNs, SSL VPNs, Citrix, VMWare and other
solutions) can benefit from the same high-assurance, password-free authentication that they use
when accessing the network on-premise. Standard interfaces supported by remote access solutions
(e.g. RADIUS) are also supported by Octopus to ensure a robust, effort-free integration.

Octopus Cloud
The cloud component of the Octopus Authentication System is a transparent module that is fully managed
by Secret Double Octopus. Its role is to support a push notification channel between the Authentication
Server and the Authenticator. Push notifications are used to trigger the app into action, and also as another
channel for communicating the secret shares. Octopus Cloud is a stateless service that does not hold any
customer information.

[Diagram: Octopus Cloud components]
Interacts with the mobile providers’ (Apple and Google) push service.
Authentication/Enrollment Engine: handles the enrollment and authentication process with the mobile app,
enrolls and authenticates the user, and sends the response back to the mobile provider server.

Secret Double Octopus provides a high-assurance authentication alternative to passwords that works
across all enterprise services. By using the Octopus Authenticator on their mobile device, users can log on
to the domain, access it remotely and also access cloud-based services. Octopus ensures that all relying
parties accept one authenticator, so users enjoy simple, hassle-free authentication for all their workplace
needs.




Secret Sharing
At its core, the Octopus authentication solution uses Shamir’s Secret Sharing, a cryptographic
algorithm created by Prof. Adi Shamir (the ‘S’ in RSA). It enables transforming a secret into a number
of useless codes, also referred to as ‘shares’. In order to reconstruct the secret, a minimum number
of shares are needed. Any number of shares less than the minimum cannot reconstruct the secret.
More specifically, the holder of a secret, sometimes referred to as the dealer, creates N shares of a
secret and defines a threshold K for the number of shares that are required to reconstruct the secret.
The dealer then proceeds to distribute the shares so they are controlled by different parties. In secret
sharing schemes, an attacker that gains access to fewer shares of the secret than the K defined as
the threshold cannot gain any information about the secret.

(See Wikipedia: Information-theoretic security.)

Figure 6: The cryptographic logics of Secret Sharing model




Secret Sharing applied to Authentication

Secret Double Octopus’ patent-pending technology offers a practical adaptation of the powerful
concepts of secret sharing to the world of user authentication. In its implementation, the
authentication service divides a session-specific authentication secret (an AES 256-bit key) into
parts and sends them over multiple communication paths to the authenticator device. One of the shares
initially arrives on the device via an enrollment QR code, and is constantly replaced, which means that
even in the highly unlikely event that the attacker intercepts all shares communicated during an
authentication session, he is still unable to obtain useful key material.

Figure 7: Authentication process leveraged by Secret Sharing




About Secret Double Octopus


Secret Double Octopus is pioneering the password-free workplace. Its high-assurance authentication
solutions are built on provably unbreakable cryptography that is highly resistant to common attacks such
as phishing, MITM and cracking. With passwords out of the way, Secret Double Octopus delivers a superior
user experience and substantial cost savings.

The Octopus Authenticator is an enterprise-grade solution that supports access to all enterprise resources,
whether on-premise, remotely accessed or in the cloud. The solution is fully integrated with Microsoft Active
Directory to enable password-free authentication to the enterprise domain, and security within the domain.

Secret Double Octopus is a Gartner Cool Vendor, Business Insider ‘Startup that will boom in 2018’, PwC
game-changer for Global Financial Services Innovation, and recipient of the Frost and Sullivan ‘Technology
Innovation Award’. Its customer base includes US, European and Asian companies.




Appendix A: Modules in the Octopus Authentication Server
Octopus Authentication Server contains the following modules:

- Management module: used to manage the Octopus Authenticator settings, users, services and all other
components. Administrators use a web interface to interact with the system.
- Web module: used as the web interface for any web activities.
- DB module: manages user and setting information.
- RADIUS Server: for RADIUS authentication (typically VPN, VDI and Unix systems).
- REST API module: to authenticate any custom application, including both login and step-up / transaction
approval.
- SAML IdP module: to authenticate any SAML services.
- LDAP Server/Proxy module: to authenticate any application designed to use LDAP Bind for authentication.
As a proxy, Octopus can front-end the existing directory (e.g. AD) and obtain needed user parameters.
- ActiveSync/OWA Proxy module: enabling web/mobile email client access.
- ActiveSync/OWA Exchange Agent: enabling web/mobile email client access via plug-in.




Appendix B: Active Directory Password-Less Alternatives

