Solved

Loosen password requirements with 2-factor and 2-factor basics

Posted on 2012-04-03
Last Modified: 2012-04-19
Can I ask, say if your Citrix Access Gateway is set up to require users to enter their domain username and password AND a 2-factor ID. So they generate their code using the SecurID, i.e.:

http://iphoneipadreview.com/wp-content/uploads/2011/06/SecureID-1164.jpg

1) How does the server “approve” that the code is valid? Does the Citrix setup have some sort of database full of approved codes, and as long as it matches, it allows them to authenticate?

2) Are the codes tied to a specific user? Or say, for example, admin A and malicious user B both had a SecurID key; malicious user B knows admin A's username and password, so he generates his passcode and then enters the password he has guessed for admin A. Will this let him log in, or is the passcode generated tied to that user? Or not really?

3) Our managers have asked whether, if 2-factor is utilised, password requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a SecurID generating codes it sounds like you could still hack colleagues' accounts if you guessed their password?

4) If you require 2-factor for access to Citrix via the CAG, does that then extend to needing 2-factor internally to access Citrix, or is it typically tied to the Access Gateway, and internally you can just use single-factor authentication?
0
Question by:pma111
4 Comments
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37803009
RSA SecurID or SafeWord are 3rd-party components.
They have their own authentication server and database.
The different tokens are assigned to a specific user.
Because these are used to authenticate from external clients, you should not loosen your password policies.
0
 
LVL 3

Author Comment

by:pma111
ID: 37804898
So each user has a token with a unique list of generated codes specific to them.

I.e. if, say, a user has 5 usernames, they can't use 1 token, generate a code and then use that code to log in to any account they have a password for?
0
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 250 total points
ID: 37805914
There are differences between the vendors.
With RSA you can assign multiple tokens to one user account.
With SafeWord you can assign the same token to multiple accounts.
5 usernames == 5 accounts.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 37806798
For RSA, the way it works is this --

RSA uses a time-based algorithm to generate a pseudo-random number.  Based on the seed value, this is a known, predictable sequence, but it is not reversible by looking at the numbers themselves (just like any other encryption scheme).

The token has a seed value (either a fixed value for a hard token, or a generated value for a seed) and that same seed is used for the RSA server.  There are agents for all kinds of platforms (web, windows, *nix, etc.) to handle this.

The user picks a code (typically 4-8 digits, but it can include letters depending on the token platform) and combines that with the value from the token to create a passcode.  The passcode has a very limited lifespan (15-60 seconds depending on the purchased token - you pick the amount of time the token code is valid when you actually purchase the token).

The agent takes the passcode, and sends it to the RSA server for validation.  Since the RSA server has the seed value, it can calculate what the passcode *should* be and uses that to validate the authentication.  It passes that code back to the agent, which then approves/disapproves the authentication.

This is your 2-factor - the part the user knows (their code) and the part they physically have - the token code.  You can combine that with their other authentication, such as a Windows password, and you now have a 3-factor (or more) system.

You can use a looser authentication internally if you want, but then you are just opening it to internal threats.  Sort of like a house - the RSA 2 factor is like putting in a heavy duty steel door - it's great security, but what good does it do you, when the window right next to it is unlocked :-)

Coralon
0
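The validation flow Coralon describes, and Dirk Kotte's point that a token is assigned to one user, as an added example that is not from the thread or from RSA: a small time-based OTP verifier with a constructed per-user seed table. RSA's actual algorithm is proprietary; this example assumes a generic HMAC-SHA1 time-based code instead, which is enough to show why a passcode built from someone else's token fails for admin A (question 2) and how the server "approves" a code by recomputing it from the seed (question 1).

```python
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the authentication server's token database:
# each seed is provisioned to exactly one user's token.
TOKEN_SEEDS = {
    "adminA": b"constructed-seed-for-admin-A-token",
    "userB":  b"constructed-seed-for-user-B-token",
}
USER_PINS = {"adminA": "1357", "userB": "2468"}   # the "something you know"
STEP_SECONDS = 60   # tokencode lifetime, like the 15-60 s mentioned above
DIGITS = 6
WINDOW = 1          # tolerate +/- one time step of clock drift


def tokencode(seed: bytes, step: int) -> str:
    """Code the token displays for a given time step (HMAC-based stand-in)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


def generate_passcode(user: str, now: int) -> str:
    """What the user types: PIN followed by the current tokencode."""
    return USER_PINS[user] + tokencode(TOKEN_SEEDS[user], now // STEP_SECONDS)


def validate(user: str, passcode: str, now: int) -> bool:
    """Server side: recompute the expected passcode from THIS user's seed.
    A tokencode from another user's token will not match, and a code
    outside the acceptance window is rejected as expired."""
    if user not in TOKEN_SEEDS:
        return False
    pin_len = len(USER_PINS[user])
    if len(passcode) != pin_len + DIGITS:
        return False
    pin, code = passcode[:pin_len], passcode[pin_len:]
    if not hmac.compare_digest(pin, USER_PINS[user]):
        return False
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(code, tokencode(TOKEN_SEEDS[user], step + d))
               for d in range(-WINDOW, WINDOW + 1))


if __name__ == "__main__":
    t = int(time.time())
    print("own passcode accepted:", validate("adminA", generate_passcode("adminA", t), t))
    # Admin A's PIN combined with user B's token: rejected, seeds are per user.
    mixed = USER_PINS["adminA"] + tokencode(TOKEN_SEEDS["userB"], t // STEP_SECONDS)
    print("other user's token rejected:", not validate("adminA", mixed, t))
```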