Solved

Loosen password requirements with 2-factor and 2-factor basics

Posted on 2012-04-03
462 Views
Last Modified: 2012-04-19
Can I ask, say if your Citrix Access Gateway is set up to require users to enter a domain username and password AND a 2-factor ID. So they generate their code using the SecurID, i.e.:

http://iphoneipadreview.com/wp-content/uploads/2011/06/SecureID-1164.jpg

1) How does the server "approve" that the code is valid? Does the Citrix setup have some sort of database full of approved codes, and as long as it matches it allows them authentication?

2) Are the codes tied to a specific user? Or, say for example, admin A and malicious user B both had a SecurID key, and malicious user B knows admin A's username and password, so he generates his passcode and then enters the password he has guessed for admin A: will this let him log in, or is the passcode generated tied to that user? Or not really?

3) Our managers have asked if, when 2-factor is utilised, the password complexity requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a SecurID generating codes it sounds like you could still hack colleagues' accounts if you guessed their password?

4) If you require 2-factor for access to Citrix via the CAG, does that then extend so that you'd need to use 2-factor internally to access Citrix, or is it typically tied to the Access Gateway, and internally you can just use single-factor authentication?
Question by:pma111
4 Comments
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37803009
RSA SecurID or SafeWord are 3rd-party components.
They have their own authentication server and database.
The different tokens are assigned to a specific user.
Because these are used to authenticate from external clients, you should not loosen your password policies.
 
LVL 3

Author Comment

by:pma111
ID: 37804898
So each user has a token with a unique list of generated codes specific to them.

I.e. if, say, a user has 5 usernames, they can't use 1 token, generate a code and then use that code to log in to any account they have a password for?
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 1000 total points
ID: 37805914
There are differences between the vendors.
With RSA you can assign multiple tokens to one user account.
With SafeWord you can assign the same token to multiple accounts.
5 usernames == 5 accounts.
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1000 total points
ID: 37806798
For RSA, the way it works is this --

RSA uses a time-based algorithm to generate a pseudo-random number.  Based on the seed value, this is a known, predictable sequence, but it is not reversible by looking at the numbers themselves (just like any other encryption scheme).

The token has a seed value (either a fixed value for a hard token, or a generated value for a seed) and that same seed is used for the RSA server.  There are agents for all kinds of platforms (web, windows, *nix, etc.) to handle this.

The user picks a code (typically 4-8 digits, but it can include letters depending on the token platform) and combines that with the value from the token to create a passcode.  The passcode has a very limited lifespan (15-60 seconds depending on the purchased token - you pick the amount of time the token code is valid when you actually purchase the token).

The agent takes the passcode, and sends it to the RSA server for validation.  Since the RSA server has the seed value, it can calculate what the passcode *should* be and uses that to validate the authentication.  It passes that code back to the agent, which then approves/disapproves the authentication.

This is your 2-factor - the part the user knows (their code) and the part they physically have - the token code.  You can combine that with their other authentication, such as a Windows password, and you now have a 3-factor (or more) system.

You can use a looser authentication internally if you want, but then you are just opening it to internal threats.  Sort of like a house - the RSA 2 factor is like putting in a heavy duty steel door - it's great security, but what good does it do you, when the window right next to it is unlocked :-)

Coralon
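As an added illustration (not code from this thread, and not RSA's or SafeWord's own algorithm), the following toy model shows the validation flow Coralon describes: the server holds the seed bound to each username, recomputes the expected time-based code itself, and checks the PIN + token-code passcode against it. It uses the open TOTP construction (RFC 6238) as a stand-in for the vendor's proprietary generator; the usernames, seeds, PINs and step size are constructed for the example.

```python
import hmac, hashlib, struct

# Constructed demo data: each username is bound to exactly one token seed and a PIN.
# Seeds and PINs are made up for this example; real tokens ship with vendor seeds.
USERS = {
    "adminA": {"seed": b"seed-for-token-0001", "pin": "4821"},
    "userB":  {"seed": b"seed-for-token-0002", "pin": "9090"},
}
STEP = 60  # assumed token-code lifetime in seconds (vendors sell various intervals)

def token_code(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP-style code (RFC 6238 construction, standing in for the vendor's
    proprietary algorithm): HMAC-SHA1 over the time-step counter, truncated
    to `digits` decimal digits. Same seed + same time window => same code."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"

def validate(username: str, passcode: str, now: int, skew: int = 1) -> bool:
    """Server side: passcode = PIN + token code. Look up the seed bound to
    *this* username, recompute the expected code for the current window
    (+/- `skew` steps for clock drift) and compare in constant time."""
    rec = USERS.get(username)
    if rec is None or len(passcode) < len(rec["pin"]) + 6:
        return False
    pin, code = passcode[:len(rec["pin"])], passcode[len(rec["pin"]):]
    if not hmac.compare_digest(pin, rec["pin"]):
        return False
    for k in range(-skew, skew + 1):
        expected = token_code(rec["seed"], now + k * STEP)
        if hmac.compare_digest(code, expected):
            return True
    return False

def demo(now: int = 1_700_000_000):
    """Returns (own token accepted, other user's token rejected, stale code rejected).
    The second case is the thread's question 2: a correct PIN for adminA paired
    with a code from userB's token fails, because the server recomputes adminA's
    code from adminA's seed, not from whichever token produced the digits."""
    a_pass = USERS["adminA"]["pin"] + token_code(USERS["adminA"]["seed"], now)
    other_token = USERS["adminA"]["pin"] + token_code(USERS["userB"]["seed"], now)
    stale = USERS["adminA"]["pin"] + token_code(USERS["adminA"]["seed"], now - 10 * STEP)
    return (validate("adminA", a_pass, now),
            validate("adminA", other_token, now),
            validate("adminA", stale, now))
```

The skew window is the usual trade-off between tolerating token clock drift and shrinking the interval during which an observed code stays usable; a real server would also reject replay of an already-accepted code within the window.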
