Loosen password requirements with 2-factor and 2-factor basics

Can I ask, say if your Citrix Access Gateway is set up to require users to enter domain username and password AND a 2-factor ID. So they generate their code using the SecurID, i.e.:

http://iphoneipadreview.com/wp-content/uploads/2011/06/SecureID-1164.jpg

1) How does the server “approve” that the code is valid? Does the Citrix setup have some sort of database full of approved codes, and as long as it matches it allows them authentication?

2) Are the codes tied to a specific user? Or say for example admin A and malicious user B both had a SecurID key, and malicious user B knows admin A's username and password, so he generates his passcode, and then enters the password he has guessed for admin A, will this let him log in, or is the passcode generated tied to that user? Or not really?

3) Our managers have asked whether, if 2-factor is utilised, password complexity requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a SecurID generating codes it sounds like you could still hack colleagues' accounts if you guessed their password?

4) If you require 2-factor for access to Citrix via the CAG, does that then extend to needing 2-factor internally to access Citrix, or is it typically tied to the access gateway, and internally you can just use single-factor authentication?
pma111Asked:
Dirk KotteSECommented:
RSA SecurID or SafeWord are 3rd-party components.
They have their own authentication server and database.
The different tokens are assigned to a specific user.
Because these are used to authenticate from external clients, you should not loosen your password policies.
pma111Author Commented:
So each user has a token with a unique list of generated codes specific to them.

I.e. if say a user has 5 usernames, they can't use 1 token, generate a code and then use that code to log in to any account they have a password for?
Dirk KotteSECommented:
There are differences between the vendors.
With RSA you can assign multiple tokens to one user account.
With SafeWord you can assign the same token to multiple accounts.
5 usernames == 5 accounts.

CoralonCommented:
For RSA, the way it works is this --

RSA uses a time-based algorithm to generate a pseudo-random number. Based on the seed value, this is a known, predictable sequence, but it is not reversible by looking at the numbers themselves (just like any other encryption scheme).

The token has a seed value (either a fixed value for a hard token, or a generated value for a seed), and that same seed is used by the RSA server. There are agents for all kinds of platforms (web, Windows, *nix, etc.) to handle this.

The user picks a code (typically 4-8 digits, but it can include letters depending on the token platform) and combines that with the value from the token to create a passcode. The passcode has a very limited lifespan (15-60 seconds depending on the purchased token; you pick the amount of time the token code is valid when you actually purchase the token).

The agent takes the passcode and sends it to the RSA server for validation. Since the RSA server has the seed value, it can calculate what the passcode *should* be and uses that to validate the authentication. It passes that result back to the agent, which then approves/disapproves the authentication.

This is your 2-factor: the part the user knows (their code) and the part they physically have (the token code). You can combine that with their other authentication, such as a Windows password, and you now have a 3-factor (or more) system.

You can use a looser authentication internally if you want, but then you are just opening it to internal threats. Sort of like a house: the RSA 2-factor is like putting in a heavy-duty steel door. It's great security, but what good does it do you when the window right next to it is unlocked :-)

Coralon
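To make the flow Coralon describes concrete, here is an added example (not from the thread, and not RSA's proprietary SecurID algorithm) that implements the same pattern with the open TOTP algorithm of RFC 6238: one seed per account held by the authentication server, a PIN combined with the tokencode into a passcode, a short validity window, and server-side recomputation of the expected code. Account names, seeds and PINs are constructed sample data; it also shows why a code from user B's token cannot be replayed against admin A's account.

```python
import hmac
import hashlib
import struct

STEP = 60     # seconds a tokencode stays valid (the thread mentions 15-60 s)
DIGITS = 6    # tokencode length

def tokencode(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) code for the time step containing `now`: HMAC-SHA1 over
    the step counter, then the RFC 4226 dynamic truncation to `digits` digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenServer:
    """Authentication server holding one seed and one PIN per account.
    Seeds and PINs below are constructed sample data."""
    def __init__(self):
        self.accounts = {
            "adminA": {"seed": b"constructed-seed-token-A", "pin": "4821"},
            "userB":  {"seed": b"constructed-seed-token-B", "pin": "9035"},
        }

    def verify(self, username: str, passcode: str, now: int, drift: int = 1) -> bool:
        """Passcode = PIN + tokencode. The expected tokencode is recomputed from
        *this account's* seed, so another user's token never matches, PIN or not."""
        acct = self.accounts.get(username)
        if acct is None or len(passcode) != len(acct["pin"]) + DIGITS:
            return False
        pin, code = passcode[:len(acct["pin"])], passcode[len(acct["pin"]):]
        if not hmac.compare_digest(pin.encode(), acct["pin"].encode()):
            return False
        # Accept the current step and +/-drift neighbours (clock skew); older codes fail.
        for k in range(-drift, drift + 1):
            expected = tokencode(acct["seed"], now + k * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                return True
        return False

def demo(now: int = 1_700_000_000):
    """(legit, cross_token, stale): A's own token; B's token with A's PIN; A's code 5 steps late."""
    srv = TokenServer()
    a_seed, b_seed = srv.accounts["adminA"]["seed"], srv.accounts["userB"]["seed"]
    legit = srv.verify("adminA", "4821" + tokencode(a_seed, now), now)
    cross = srv.verify("adminA", "4821" + tokencode(b_seed, now), now)
    stale = srv.verify("adminA", "4821" + tokencode(a_seed, now - 5 * STEP), now)
    return legit, cross, stale
```

Running `demo()` returns `(True, False, False)`: only the code from the seed registered to admin A, inside the time window, is accepted, which is the answer to questions 1 and 2 above.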