a) How is 2FA achieved?
Simply put, see 2FA as a security process used to confirm an authorised user's identity using 2 distinct factors (choose two):
> what you are (biometric features such as fingerprint, face, etc.),
> what you know (username/passwd, pre-shared secret string/passphrase),
> what you have (typically a hardware token, smart card, etc.).
Relate it to real-life scenarios such as:
> e-banking (you may be asked for a one-time password from a token on top of your username/PIN). This is 2FA, but personally, the OTP can be considered 2FA if well implemented, i.e. with the use of Public Key Infrastructure (PKI) keys.
> normal day-to-day login to the OS (if you use a smart card to log in together with a PIN prompt, that is 2FA).
b) Do I need a separate server for the USB digital signature?
Let's step back a bit: a digital signature is the use of a PKI platform where there is a public/private key pair. The signature is created using the private key, and the public key is used to verify that it was indeed signed with its other half. It is used to verify the integrity of a message, content, etc. S/MIME and 2-way SSL use PKI keys.
I will assume that "USB digital signature" refers to the use of a USB token (h/w). Hence it will contain your private key, generated by a certificate server (such as a commercial server from VeriSign, or open community examples such as OpenSSL, CAcert and OpenCA). It also supports the X.509v3 certificate that will be issued by the CA for the key pair generated. It is essential to ensure the pair is issued by a trusted 3rd party (CA), else it can be replayed and abused by an unauthorised party.
http://en.wikipedia.org/wiki/Certificate_authority
http://sial.org/howto/openssl/ca/
http://www.cacert.org/
http://www.openca.org/

In summary, you will need a 3rd-party server to issue the trusted cert for the key pair in your USB token; the cert will be marked as signed by this CA. During application execution, the application will check the cert's status, mainly for expiry and revocation.
Having said that, typically a token comes with crypto libraries that are either CAPI or PKCS#11 compliant, so the server will be able to use the appropriate crypto provider (your USB provider) to generate the cert and keys to be injected into your USB token. Be cautious, as there are tokens that do not support such key pairs and are simply secure storage (like a thumb drive), e.g. typically in digita
Do protect the server with 2FA login as well; typically it is kept offline (esp. for an enterprise server) to reduce the exposure surface (from the web).
c) Is 2FA possible to achieve through a USB digital signature?
In the 2FA Internet and Mobile Banking login process, in addition to entering your usual Access Code and PIN, you will also be required to enter a One-Time Password (OTP), generated by your 2FA Token, which acts as a 2nd level of authentication.
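As an added example (not part of the original answer) of the check described in part b), this Go program plays a toy CA that issues an X.509v3 certificate for a signer's key pair, then accepts a signature only after confirming the certificate chains to the trusted CA and is inside its validity period. The Ed25519 keys, the "Demo CA" and "token holder" names and the sample message are constructed for the demo; a real token keeps the private key inside the device, and a real application would also consult a CRL or OCSP for revocation, which this example does not do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // self-signed when tmpl == parent
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Setup plays the CA (constructed demo): it returns the trusted root pool plus the token holder's
// certificate and private key, valid in [notBefore, notAfter). A real token never releases the key.
func Setup(notBefore, notAfter time.Time) (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the token holder's key pair
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "token holder"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issue(leafTmpl, ca, pub, caKey), key // leaf cert is signed by the CA
}

// Verify is the relying application's check: the signer's certificate must chain to a trusted CA
// and be inside its validity period at `at` before its public key is used to check sig over msg.
func Verify(roots *x509.CertPool, leaf *x509.Certificate, msg, sig []byte, at time.Time) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // untrusted issuer, or certificate expired / not yet valid
	}
	return leaf.CheckSignature(x509.PureEd25519, msg, sig)
}

func main() { // prints <nil> for the valid case, then the expiry error 48h later
	roots, leaf, key := Setup(time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour))
	msg := []byte("constructed sample message")
	fmt.Println(Verify(roots, leaf, msg, ed25519.Sign(key, msg), time.Now()))
	fmt.Println(Verify(roots, leaf, msg, ed25519.Sign(key, msg), time.Now().Add(48*time.Hour)))
}
```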