Posted by:
admin
9 years, 11 months ago
We get a lot of questions from enterprises as they deploy two-factor authentication. There are a good number of misconceptions out there about how to do it. Here's are six that we see frequently as enterprises first start to think about two-factor authentication:
- "Will your two-factor authentication work with my Cisco, Juniper, Fortinet, etc, etc?"
- "Authorization vs authentication."
- "How can I synchronize with AD?"
- "How can I keep users out of AD?"?
- "I want to secure the Windows login."
- "First they login with their AD passwords and then they give the OTP."
- "Two-factor authentication is inconvenient for users."
This less a misconception than a a mis-direction. For years vendors have promoted their proprietary connections and Microsoft pushed direct connections to AD. However, the right question to ask is "Does your product support the standard authentication protocols we need". For inside the firewall, RADIUS is just about all you need. While you may need TACACS+ for switches, most companies do not. RADIUS does all you need. All business-oriented remote access solutions support RADIUS. So basically all enterprise-class two-factor solutions support all enterprise-class remote access solutions. If your remote access solution doesn't, you need to put it behind something that does.
Authorization is "who can do what" and is done in the directory using groups and permissions. Authentication is "who are you". It's a subtle difference, but it exists for a reason.
You do not need to. What you want is for AD to perform authorization and for your two-factor auth server to do authentication. You do this by using the NPS radius plugin. Same goes for LDAP. This means that every authentication request is validated by AD/LDAP. Once a user is disabled in AD/LDAP they are locked out. Isn't that simpler than synchronizing? The username in WiKID needs to match the username in AD, but you can easily do that using our self-enrollment scripts.
Easy, just have your remote access solution send RADIUS requests directly to your 2FA server. This came up recently. A retail company needed to allow 3rd parties to access their networks with two-factor authentication (because Target). But they didn't want to have to add their users into AD.
I feel you. Except this is very hard. You will need to modify the GINA (for Win 7 and before) or the Credential Provider. You can go with smart cards, but unless you have a bunch of money and require everyone to use corporate laptops, it will be very tough. It is probably better to go with a virtual desktop solution like VMWare View or X2Go
Not necessarily. This is product specific. Some one-time passcode systems provide you with one factor. Unlike WiKID, Google authenticator and other TOTP systems do not ask for a PIN before delivering the OTP. This means that you need to add the "what you know" in your authentication process. This adds a step for your users and more importantly, does not reduce password use.
This is no longer necessarily the case. Passwords are much more inconvenient for users because they have so many accounts. Password fatigue is now universal. If you require your users to login with a password and a one-time password, then yes, it. But that is an implementation issue.
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)