Seven common misconceptions about two-factor authentication

Posted by:

admin 9 years, 10 months ago

We get a lot of questions from enterprises as they deploy two-factor authentication. There are a good number of misconceptions out there about how to do it. Here's are six that we see frequently as enterprises first start to think about two-factor authentication:

• "Will your two-factor authentication work with my Cisco, Juniper, Fortinet, etc, etc?"

This less a misconception than a a mis-direction. For years vendors have promoted their proprietary connections and Microsoft pushed direct connections to AD. However, the right question to ask is "Does your product support the standard authentication protocols we need". For inside the firewall, RADIUS is just about all you need. While you may need TACACS+ for switches, most companies do not. RADIUS does all you need.  All business-oriented remote access solutions support RADIUS. So basically all enterprise-class two-factor solutions support all enterprise-class remote access solutions.  If your remote access solution doesn't,   you need to put it behind something that does.

• "Authorization vs authentication."

Authorization is "who can do what" and is done in the directory using groups and permissions. Authentication is "who are you". It's a subtle difference, but it exists for a reason.

• "How can I synchronize with AD?"

You do not need to. What you want is for AD to perform authorization and for your two-factor auth server to do authentication. You do this by using the NPS radius plugin. Same goes for LDAP. This means that every authentication request is validated by AD/LDAP. Once a user is disabled in AD/LDAP they are locked out. Isn't that simpler than synchronizing?   The username in WiKID needs to match the username in AD, but you can easily do that using our self-enrollment scripts.

• "How can I keep users out of AD?"?

Easy, just have your remote access solution send RADIUS requests directly to your 2FA server.  This came up recently.  A retail company needed to allow 3rd parties to access their networks with two-factor authentication (because Target).  But they didn't want to have to add their users into AD.

• "I want to secure the Windows login."

I feel you. Except this is very hard. You will need to modify the GINA (for Win 7 and before) or the Credential Provider. You can go with smart cards, but unless you have a bunch of money and require everyone to use corporate laptops, it will be very tough.  It is probably better to go with a virtual desktop solution like VMWare View or X2Go

• "First they login with their AD passwords and then they give the OTP."

Not necessarily.   This is product specific. Some one-time passcode systems provide you with one factor. Unlike WiKID, Google authenticator and other TOTP systems do not ask for a PIN before delivering the OTP. This means that you need to add the "what you know" in your authentication process.  This adds a step for your users and more importantly, does not reduce password use.

• "Two-factor authentication is inconvenient for users."

This is no longer necessarily the case. Passwords are much more inconvenient for users because they have so many accounts.   Password fatigue is now universal.   If you require your users to login with a password and a one-time password, then yes, it. But that is an implementation issue.

 

• Tags:
• Information Security,
• Two Factor Authentication

• ← Build your own cloud-based two-factor authentication service
• 4 Steps to Mitigate 95% of Known Vulnerabilities →