I am interested in exploring all of the options to enable multi-factor domain authentication on an Active Directory network. I exclude no technologies from this question however I do prefer simpler implementations to elaborate configurations. Fingerprint readers would be ideal since the end-user is generally up to speed on not losing their fingers. Small hard tokens would also work such as smart cards, usb tokens etc...
5 Answers
Personally I would avoid fingerprint readers; they are not as reliable as you would think - the glass gets smudges, the user cuts their fingers, etc. Also they can be defeated by a Gummy Bear.
The standard right now seems to be Smart Cards or some sort of Token with a random number - RSA being the biggest name. Personally I am partial to Tokens as I can hook them to my key chain and not have to worry about another card. I would start with RSA since they are the biggest name, and would be the most likely to integrate into all of your systems.
- upvote for this. One of my favorite in this regard is http://www.aladdin.com/etoken/devices/default.aspx – cstamas Jul 23 '09 at 17:54
- Gummy bear? Really? I am going to try that one myself. – user13846 Jul 23 '09 at 17:58
- @axxmasterr: yep I had fun when my security guy put a fingerprint reader on his desktop :) ... Apparently the same guy did it with "photoshop" (and more importantly evaporated glue a la CSI) so I left that one off. – Zypher Jul 23 '09 at 18:07
- +1 for the recommendation for RSA. We use their keychain devices and they work great for two factor authentication – Kevin Kuphal Jul 23 '09 at 18:21
I've worked a bit with the ActivIdentity 4TRESS AAA solution and using it for Citrix remote access. It allows the use of the usual PIN-entry fobs/cards, this single-button credit-card-sized generator, and also SMPP text messaging. Since the tokens can be pricey, it may be desirable to use SMPP messaging to deliver the one-time password to the cell phone registered with the Active Directory user.
PhoneFactor. Works especially well in environments where employees have cell phones or BlackBerrys.
As an end user, I found the Yubikey (http://www.yubico.com/products/yubikey/) much easier to use than the RSA SecurID (http://www.rsa.com/node.aspx?id=1156).
End user experience is not the only consideration, and as others have pointed out, there is an ecosystem of products supporting SecurID. Looking over the IT fence to the security guys, however, SecurID never seemed particularly easy to manage.
As for "something you are" component, it does seem that the current set of widely available fingerprint readers may not be as securely implemented as a CSO would require.
- Here's another vote for Yubikey. We're looking at pairing it with some software from rohos.com to protect our Enterprise admin accounts. We will most likely be installing and setting up our own OTP validation server on campus for this as well. Looks to be about $50 per admin cost. Not bad. – Tatas Jul 23 '09 at 19:00
I'm also a fan of one-time-password type tokens like RSA's SecurID as they are basically quite simple and generally easy to manage at large scales. The traditional key-fob token provides a good level of authentication that is better than plain old passwords, but they fail to authenticate both ends of the transaction, and unless they are wrapped in a decent outer layer that ensures mutual authentication the overall system isn't robust. Using such tokens over any unsecured network without a secure wrapper is just asking for a man-in-the-middle attack. Active USB type tokens / smart cards do a much better job of this but they are much harder to support - resetting/re-issuing/initial provisioning are all a lot more work, but for high-value situations they are a much better solution.
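To make the "one-time password" side of the discussion concrete (the self-hosted OTP validation server mentioned in the Yubikey comment, and the event-based key-fob tokens in the answer above), here is an added example of an RFC 4226 HOTP generator together with the server-side state a validator needs: a strictly increasing counter so a captured code can never be replayed, and a look-ahead window so a token whose button was pressed without logging in does not desynchronise. This is illustrative code written for this page, not code from RSA, Yubico, rohos.com or any answer here; the secret is the RFC 4226 test vector secret and the window size is an arbitrary choice. Note what it does not give you, which is the caveat in the answer above: the code only proves possession of the token to the server, so the exchange still has to run inside a mutually authenticated channel (TLS to a verified server name, an IPsec tunnel, or similar) or it is open to a man-in-the-middle relaying the code.

```python
"""RFC 4226 HOTP plus a minimal validation-server record for one token.

Added example for illustration; not code from any product or answer on the page.
"""
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute HOTP(K, C): HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation (RFC 4226 section 5.3), then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server-side state for one token.

    `counter` is the next value the server will accept. It only ever moves
    forward, which is what makes a sniffed or phished code single-use.
    `look_ahead` (assumed value; tune per policy) bounds how far the token may
    run ahead of the server before it must be resynchronised by an admin.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0

    def verify(self, code: str) -> bool:
        """Accept `code` if it matches any counter in [counter, counter+look_ahead).
        On success, advance past the matched counter so it (and every earlier
        counter) can never be accepted again."""
        for c in range(self.counter, self.counter + self.look_ahead):
            # Constant-time comparison: don't leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def demo() -> list:
    """Walk through a token session and return the accept/reject decisions:
    first use, replay of the same code, a code three presses ahead (resync),
    a stale code from behind the window, and a code far beyond the window."""
    server = HotpValidator(TEST_SECRET, look_ahead=10)
    return [
        server.verify(hotp(TEST_SECRET, 0)),   # fresh code            -> True
        server.verify(hotp(TEST_SECRET, 0)),   # replay                -> False
        server.verify(hotp(TEST_SECRET, 3)),   # token ran ahead       -> True
        server.verify(hotp(TEST_SECRET, 2)),   # behind the counter    -> False
        server.verify(hotp(TEST_SECRET, 50)),  # beyond look-ahead     -> False
    ]


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))
    print(demo())
```

The generator is the same on both sides; the token holds the secret and its own counter, the validation server holds the secret and the last accepted counter. Real deployments add per-user lockout after a few bad codes (with a 6-digit code and a 10-wide window the guessing odds are roughly 1 in 100,000 per attempt) and keep the secrets in an HSM or at least encrypted at rest, since anyone who reads the secret database can mint valid codes for every token.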