Posted by: admin, 12 years, 1 month ago
For a long time I have been meaning to pull together some of the top tips for setting up two-factor authentication. I expect this will be a moving target. Obviously, two-factor authentication is central to your network deployment, so even if that PCI QSA is breathing down your neck, take some time to do a bit of planning!
The Basics
- Read the fine manual. While we certainly cater to a quick install with our cheat-sheet, our installation manual is quite short too. You'll avoid some missteps.
- If you don't know what it does, you can probably leave it blank. A good example is RADIUS return attributes: just forget about them if you're not using them. Another is the Registered URL, which is only used for mutual HTTPS authentication.
- Start simple. We highly recommend you route your two-factor authentication through a RADIUS server such as NPS or FreeRADIUS to separate authorization from authentication. This adds security in the long run; in the short run, it's extra complexity. Start by testing whether your network client (VPN, web app, SSH, etc.) can talk RADIUS to WiKID directly, then add complexity.
- Test the server using the example.jsp page. This will let you know if you have a working server and it will expose you to the functionality in our API.
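For the "can my network client talk RADIUS to WiKID directly" step, here is an added Python test client (example code written for this page, not WiKID's own tooling or anything from the cheat-sheet). It speaks plain RFC 2865 PAP, which is what a one-time passcode has to use because the server needs the passcode itself to check it, and it verifies the reply's Response Authenticator before believing an Access-Accept. The host, shared secret, user and passcode are placeholders you supply; `probe` and the other function names are assumed here.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def encrypt_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # TLV; length counts the header

def build_access_request(secret: bytes, user: str, otp: str, ident: int,
                         nas_id: str, authenticator: bytes = b"") -> bytes:
    authenticator = authenticator or os.urandom(16)  # fresh per request, never reused
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encrypt_password(secret, authenticator, otp.encode()))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    only a party holding the shared secret can produce it for our Request Authenticator."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if length < 20 or length > len(reply) or reply[1] != request[1]:
        return False
    reply = reply[:length]  # ignore any trailing bytes beyond the declared length
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected

def probe(host: str, secret: bytes, user: str, otp: str, nas_id: str = "test-client"):
    """One PAP Access-Request to host:1812. Returns (reply code or None, accepted)."""
    request = build_access_request(secret, user, otp, ident=1, nas_id=nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(request, (host, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, False  # no listener, wrong port, or a firewall in the way
    return reply[0], reply_is_authentic(secret, request, reply) and reply[0] == ACCESS_ACCEPT
```

A `(3, False)` from `probe` means WiKID answered with an Access-Reject, so the path works and the failure is in user, passcode or registration; `(None, False)` means nothing answered at all.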
The next level
- Turn on debugging and see what is going on. Better to be familiar with this now, when you don't need it. Chances are you will need to maintain your logs for compliance reasons. We recommend you not keep the logs in debug mode in production, though, as they can quickly get big. Test archiving the logs.
- Check out the ADRegister scripts. They allow users to add their own tokens after they authenticate with their AD credentials. You'll want to set this up in your own directory or back it up. RPM updates may overwrite any changes you make.
- Separate authentication and authorization using NPS or FreeRADIUS. The WiKID server is not a real "RADIUS server"; it just talks RADIUS to perform authentication.
- Configure the server to start automatically using the provided script and setting the server passphrase in /etc/WiKID/security.
The Big Time
- See what you can do with a custom jw.properties file for the PC token. (Hint: run in debug mode, limit the token to a single domain, configure pre-registration, etc.)
- Write your own WiKID software token a la Hurricane Labs!
- Write your own Network Client code using one of our wAuth components!