Can I ask, say if your citrix access gateway is setup to require users enter domain username and password AND 2-factor ID. So they generate there code using the secureID, i.e.:
1) How does the server “approve” that code is valid? Does the citrix setup have some sort of database full of approved code and as long as it matches it allows them authentication
2) Are the codes tied to a specific user? Or say for example admin A and malicious user B both had a secureID key, malicious user B knows admins username and password, so he generates his passcode, and then enters the password he has guessed for admin A, will this let him login, or is the passcode generated tied to that user? Or not really?
3) Our managers have asked if 2-factor is utilised whether password complexity requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a secureID generating codes it sounds like you could still hack colleague accounts if you guessed their password?
4) If you require 2-factor for access to citrix via the CAG, does that then extend that youd need to use 2-facor internally to access citrix, or is it typically tied to the access gateway, and internally you can just use single factor authentication?