Loosen password requirements with 2-factor and 2-factor basics

Can I ask, say if your Citrix Access Gateway is set up to require users to enter a domain username and password AND a 2-factor ID. So they generate their code using the SecurID, i.e.:

http://iphoneipadreview.com/wp-content/uploads/2011/06/SecureID-1164.jpg

1) How does the server "approve" that the code is valid? Does the Citrix setup have some sort of database full of approved codes, and as long as it matches it allows them authentication?

2) Are the codes tied to a specific user? Or say for example admin A and malicious user B both had a SecurID key, malicious user B knows the admin's username and password, so he generates his passcode, and then enters the password he has guessed for admin A, will this let him log in, or is the passcode generated tied to that user? Or not really?

3) Our managers have asked if, when 2-factor is utilised, password complexity requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a SecurID generating codes it sounds like you could still hack colleagues' accounts if you guessed their password?

4) If you require 2-factor for access to Citrix via the CAG, does that then extend to needing 2-factor internally to access Citrix, or is it typically tied to the Access Gateway, and internally you can just use single-factor authentication?
Asked: pma111
2 Solutions
 
Dirk Kotte SE commented:
RSA SecurID or SafeWord are 3rd-party components.
They have their own authentication server and database.
The different tokens are assigned to a specific user.
Because these are used to authenticate from external clients, you should not loosen your password policies.
 
pma111 (Author) commented:
So each user has a token with a unique list of generated codes specific to them.

I.e. if, say, a user has 5 usernames, they can't use 1 token, generate a code and then use that code to log in to any account they have a password for?
 
Dirk Kotte SE commented:
There are differences between the vendors.
With RSA you can assign multiple tokens to one user account.
With SafeWord you can assign the same token to multiple accounts.
5 usernames == 5 accounts.
 
Coralon commented:
For RSA, the way it works is this:

RSA uses a time-based algorithm to generate a pseudo-random number. Based on the seed value, this is a known, predictable sequence, but it is not reversible by looking at the numbers themselves (just like any other encryption scheme).

The token has a seed value (either a fixed value for a hard token, or a generated value for a seed), and that same seed is used for the RSA server. There are agents for all kinds of platforms (web, Windows, *nix, etc.) to handle this.

The user picks a code (typically 4-8 digits, but it can include letters depending on the token platform) and combines that with the value from the token to create a passcode. The passcode has a very limited lifespan (15-60 seconds depending on the purchased token; you pick the amount of time the token code is valid when you actually purchase the token).

The agent takes the passcode and sends it to the RSA server for validation. Since the RSA server has the seed value, it can calculate what the passcode *should* be and uses that to validate the authentication. It passes that result back to the agent, which then approves/disapproves the authentication.

This is your 2-factor: the part the user knows (their code) and the part they physically have (the token code). You can combine that with their other authentication, such as a Windows password, and you now have a 3-factor (or more) system.

You can use a looser authentication internally if you want, but then you are just opening it to internal threats. Sort of like a house: the RSA 2-factor is like putting in a heavy-duty steel door. It's great security, but what good does it do you when the window right next to it is unlocked? :-)

Coralon