Posted by:
admin
10 years, 9 months ago
Krebs on Security is pointing a finger to a third-party vendor with remote access as the entry point for the Target hackers. PCI requirement 8.3 states that you must incorporate two-factor authentication for remote network access by all personnel and all "third parties, (including vendor access for support or maintenance)."
So, how does a company manage these users? There are two options: internally or externally.
Internally, there are two options. First, put them in your directory. Their RADIUS authentication requests from the remote access system are authorized by the directory and then proxied to the two-factor authentication server. Removing them from the directory or the auth server removes their access. We recommend this as the best way to implement two-factor authentication in general in our (registration-free!) eGuide. Alternatively, you can have them only in your two-factor server. Your network access point would then authenticate directly without any authorization. This setup means that your vendor management process would not go through your directory. It might mean that your 2FA server admin has to manage the vendor's users, depending on the capabilities of the server. (More on this later.)
Third party users can also be managed externally. (Now, I'm moving to WiKID-specific capabilities.) With the WiKID API, you can create a very simple application that allows 3rd parties to manage users on the WiKID server. The application is specific to the network client for that vendor, meaning that they can only manage their users. The WiKID server admin still has ultimate control over the users. Their application requires an p12 client certificate from the WiKID server for encryption. If you terminate the relationship with the vendor, you can delete their users and their certificate. This capability was developed to proved multi-tenancy in the WiKID server, pushing control of the users where it should be. It is also very useful if you have a trusted vendor with a large number of users or high-turnover.
You can also use this capability for internal use. You can create a simple application and allow internal vendor managers to add and delete the the vendor's users without giving them admin rights on the WiKID server or putting the users into your directory.
User management, enrollment and disablement in particular are big cost drivers for two-factor authentication. A simple API provides an easy way to keep these costs in check. That's why our API is LGPL-licensed, works with both the Enterprise version and the open-source Community version and is easily downloaded by anyone.
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)