Inexpensive two-factor authentication?

Posted on 2009-05-27
Medium Priority
Last Modified: 2013-12-04
Hi there

A small-fry client of ours acquired an RSA appliance with standard digital tokens for terminal server/active directory authentication a few years ago. Recently, the hard disk in the appliance malfunctioned, and without a support contract with RSA, the options to get back up and running are a bit more expensive than what our client is comfortable with spending at this time.

Thusly, I am on the prowl - looking for a more inexpensive and less "fancy" solution than the RSA appliance/server. I was thinking along the lines of a pre-generated one-time password solution where the users could perhaps be issued wallet-sized preprinted one-time password cards.

The whole idea is trying to find something which improves on standard user/password mechanics in Active Directory without basing it on the built-in aging and complexity rules in standard policies. The users are simple minds, and the RSA token authentication was spot on.

Any thoughts or suggestions would be greatly appreciated!

Oh, and this should be compatible with a Windows 2008 Active Directory/Terminal Server environment. (Yes, they killed Gina..)
Question by: greyscale

Accepted Solution

CoccoBill earned 1500 total points
ID: 24500894

Expert Comment

ID: 24518855
USB smart tokens would be my suggestion. Similar to smart cards, but less expensive in general since they use a software driver to make the USB port a card reader. I would suggest shopping around or contacting sales people in person - these tend to be a bit high on retail, but you can usually negotiate down a little bit since their profit margin tends to be very high. The company I used to work for retailed for about $80 down to $35 or so for large bulk, but cost about $10 to manufacture. Of course, each company will vary, but try negotiating a bit on these - can usually drop about 10-20 bucks off easily from full retail. Since you're not looking for large bulk, I wouldn't expect a huge markdown - this is where they make their money after all; the middleware is usually at cost for the price of the development team salary and pretty cheap.

Many VPN devices, terminal services, etc. will support certs.  If nothing else, you can issue software certs without hardware, but there is a huge security hit to that.

Author Comment

ID: 24522816
Thanks for both your responses! I'll dig a little deeper into both suggestions and see how much wiser I get! Security isn't top of their agenda, and with only 30ish users, it's not a huge endeavour.

Author Closing Comment

ID: 31586047
I haven't managed to land on any technology yet, and this is also outside the scope of a small company like this, but it's the closest I've gotten to a workable answer, so thank you!
