
There is a requirement for users to remotely access one of my corporate servers from the internet. Policy-wise, I would want them to at least use 2FA for communication, e.g. VPN tokens, password+SMS etc. However, I also recognize that some users may not have the budget to implement at least 2FA. Hence, I would like to gather feedback from people in the industry: what could be a good enough alternative to 2FA that could also adequately enable a similar type of protection for remote access? Thanks.

dorothy

2 Answers


The good news is two-factor can be free. Google Authenticator is free and, mixed with FreeRADIUS, should work with just about any access device.

It is not as fancy or secure as RSA's or some of the others but it is pretty simple to implement and does satisfy a second factor to username and password.

From what I can tell it looks to be certificate based, since it does not need a server to talk to on the authentication side, just accurate time. It does not have the extra protection of RSA for guessing OTPs or PINs, but some of that can be accomplished with intruder detection on the device utilizing the authentication.

One thing to watch for: if you're using your phone to access the servers and to access the OTP for GA, I do not believe it is considered a second factor from a NIST perspective, as the thing you have should be separate from the device you log in from unless there is a defined trusted path.

If money is a concern, it is worth a look :)

Brett Littrell

Google Authenticator needs a remote system to validate the entered OTP value. This could be a remote site, a server, or in the easiest case the pam-google-authenticator module, which stores the secret key in the home directory of the user.

You can have OTP for free and as open source. Take a look at privacyIDEA. It works as a backend and can assign different kinds of authentication devices to users from some user sources. You can roll hardware tokens, smartphone apps (Google Authenticator), email or SMS out to the users. As each user can have a different type, you can decide which user gets which security level. You can mix hardware tokens and smartphone apps etc.

cornelinux
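Both answers turn on the same point: the Google Authenticator app and the server that checks its codes share only a secret and a clock, so the app needs no network and the "remote system" of the second answer needs nothing but the stored secret and accurate time. The example below is added here and is not code from either answer, from Google or from privacyIDEA; it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms the app uses, and adds the two server-side controls a bare check lacks and that the first answer alludes to with "intruder detection": a replay guard and a failure lockout. The `DEMO_SECRET_B32` value is the constructed test secret from the RFC appendices, and the `TotpVerifier` class and its parameters are this example's own names, not any product's API.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed test secret: the ASCII string "12345678901234567890" used in the
# RFC 4226 / RFC 6238 appendices, base32-encoded the way an enrolment QR code carries it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret_b32(nbytes: int = 20) -> str:
    """Random 160-bit shared secret: stored server-side and handed once to the app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into 30 s steps. App and
    server both compute this from the secret alone, so the app needs no server,
    only a clock that is roughly right."""
    return hotp(secret_b32, int(at) // step, digits)


class TotpVerifier:
    """Server-side validation (hypothetical helper, not a library API) with a
    replay guard (each code accepted at most once) and a failure counter that
    locks the account after too many wrong guesses."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1,
                 max_failures: int = 5):
        self.secret = secret_b32
        self.step = step
        self.window = window            # accepted clock skew, in steps either side
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1          # highest counter already consumed

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        if self.locked():
            return False                # refuse everything until an admin resets
        base = int(at) // self.step
        for counter in range(base - self.window, base + self.window + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter:
                    return False        # correct code, but already used: replay
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    secret = new_secret_b32()
    print("enrol this secret in the app:", secret)
    print("code for the current 30 s step:", totp(secret, time.time()))
```

The `window` of one step either side is what makes an OTP check survive a phone clock a few seconds off; widening it buys tolerance at the cost of more codes being valid at once, which is why the replay guard and the lockout matter together with it. A verifier that stores `last_counter` and `failures` only in memory, as this one does, loses both on restart; a real deployment keeps them with the secret.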