7 common misconceptions about enterprise two-factor authentication


Upload: nick-owen

Post on 18-Jul-2015

Category: Technology


2 download

TRANSCRIPT

Page 1: 7 Common misconceptions about Enterprise Two-factor Authentication

7 Common Misconceptions about Enterprise Two-factor Authentication

IRC: #wikid on freenode.net

@wikidsystems

www.wikidsystems.com

Page 3: 7 Common misconceptions about Enterprise Two-factor Authentication


Will it work with my VPN?

This is less a misconception than a misdirection. For years vendors have promoted their proprietary connections, and Microsoft pushed direct connections to AD. However, the right question to ask is “Does your product support the standard authentication protocols we need?”

Inside the firewall, RADIUS is just about all you need. A few organizations may need TACACS+ for switches, but most do not. All business-oriented remote access solutions support RADIUS, so basically all enterprise-class two-factor solutions support all enterprise-class remote access solutions. If your remote access solution doesn’t, you need to put it behind something that does.

For more on this, see our eGuide on adding 2FA to your network.

Page 4: 7 Common misconceptions about Enterprise Two-factor Authentication


Authorization vs Authentication

Authorization is “who can do what” and is done in the directory using groups and permissions. Authentication is “who are you”. It’s a subtle difference, but it exists for a reason.

Authorization is handled in your directory. Authentication can be done there or in an authentication server for two-factor authentication.

Page 5: 7 Common misconceptions about Enterprise Two-factor Authentication


How can I synchronize with AD?

You do not need to. What you want is for AD to perform authorization and for your two-factor auth server to do authentication. You do this by using the NPS RADIUS plugin. The same goes for LDAP. This means that every authentication request is validated by AD/LDAP: once a user is disabled in AD/LDAP, they are locked out. Isn’t that simpler than synchronizing? The username in WiKID needs to match the username in AD, but you can easily do that using our self-enrollment scripts.

See information on one way to configure NPS for two-factor authentication.

Page 6: 7 Common misconceptions about Enterprise Two-factor Authentication


How can I keep users out of AD?

Easy: just have your remote access solution send RADIUS requests directly to your 2FA server. This came up recently. A retail company needed to allow third parties to access their networks with two-factor authentication, but they didn’t want to have to add those users into AD.

I want to secure the Windows login.

We feel your pain. Except this is very hard. You will need to modify the GINA (for Win 7 and before) or the Credential Provider. You can go with smart cards, but unless you have a bunch of money and require everyone to use corporate laptops, it will be very tough. It is probably better to go with a virtual desktop solution like VMware View or X2Go.

Page 7: 7 Common misconceptions about Enterprise Two-factor Authentication


First they log in with their AD passwords

Not necessarily. This is product specific. Some one-time passcode systems provide you with only one factor. Unlike WiKID, Google Authenticator and other TOTP systems do not ask for a PIN before delivering the OTP. This means that you need to add the “what you know” factor elsewhere in your authentication process. This adds a step for your users and, more importantly, does not reduce password use.
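The split described under “How can I synchronize with AD?” and the TOTP point above, as an added Python example that is not WiKID’s code or any NPS plugin: the 2FA server answers only “who are you” by verifying an RFC 6238 TOTP, the directory answers only “who can do what”, and a user disabled in the directory is rejected even with a valid OTP. The user records, seeds and group name are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed directory records (the AD/LDAP role): authorization only.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"vpn-users"}},
    "bob": {"enabled": False, "groups": {"vpn-users"}},  # disabled in the directory
    "carol": {"enabled": True, "groups": {"staff"}},  # not entitled to VPN access
}

# Constructed 2FA-server records: one TOTP seed per user and nothing else.
OTP_SEEDS = {
    "alice": b"alice-seed-constructed-00",
    "bob": b"bob-seed-constructed-0000",
    "carol": b"carol-seed-constructed-00",
}

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def authenticate(user: str, otp: str, now: int, skew: int = 1) -> bool:
    """'Who are you': the 2FA server checks the OTP, tolerating +/- skew steps."""
    seed = OTP_SEEDS.get(user)
    if seed is None:
        return False
    return any(hmac.compare_digest(totp(seed, now + k * STEP), otp)
               for k in range(-skew, skew + 1))

def authorize(user: str, required_group: str = "vpn-users") -> bool:
    """'Who can do what': the directory decides; a disabled account fails here."""
    record = DIRECTORY.get(user)
    return bool(record and record["enabled"] and required_group in record["groups"])

def radius_decision(user: str, otp: str, now: int) -> str:
    """NPS-style policy: Access-Accept only when both sides agree."""
    if not authenticate(user, otp, now):
        return "Access-Reject (authentication failed)"
    if not authorize(user):
        return "Access-Reject (not authorized in directory)"
    return "Access-Accept"
```

Because the TOTP here carries no PIN, the directory check supplies authorization only; the “what you know” factor still has to come from somewhere else in the flow, as the text above notes.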

Two-factor is inconvenient for users

This is no longer necessarily the case. Passwords are much more inconvenient for users because they have so many accounts; password fatigue is now universal. If you require your users to log in with a password and a one-time password, then yes, it is. But that is an implementation issue.