Solved

Loosen password requirements with 2-factor and 2-factor basics

Posted on 2012-04-03
450 Views
Last Modified: 2012-04-19
Can I ask, say if your Citrix Access Gateway is set up to require users to enter domain username and password AND a 2-factor ID. So they generate their code using the SecurID, i.e.:

http://iphoneipadreview.com/wp-content/uploads/2011/06/SecureID-1164.jpg

1) How does the server "approve" that the code is valid? Does the Citrix setup have some sort of database full of approved codes, and as long as it matches it allows them authentication?

2) Are the codes tied to a specific user? Or, say for example, admin A and malicious user B both had a SecurID key, and malicious user B knows admin A's username and password, so he generates his passcode and then enters the password he has guessed for admin A: will this let him log in, or is the passcode generated tied to that user? Or not really?

3) Our managers have asked whether, if 2-factor is utilised, password complexity requirements could be loosened, around expiry and complexity. But given your answers to 1 and 2 I suspect maybe not, as with a SecurID generating codes it sounds like you could still hack colleague accounts if you guessed their password?

4) If you require 2-factor for access to Citrix via the CAG, does that then extend to needing 2-factor internally to access Citrix, or is it typically tied to the Access Gateway, and internally you can just use single-factor authentication?
Question by:pma111
4 Comments
LVL 23

Expert Comment

by:Dirk Kotte
ID: 37803009
RSA SecurID or SafeWord are 3rd-party components.
They have their own authentication server and database.
The different tokens are assigned to a specific user.
Because these are used to authenticate from external clients, you should not loosen your password policies.
0
 
LVL 3

Author Comment

by:pma111
ID: 37804898
So each user has a token with a unique list of generated codes specific to them.

I.e. if, say, a user has 5 usernames, they can't use 1 token, generate a code and then use that code to log in to any account they have a password for?
0
 
LVL 23

Accepted Solution

by: Dirk Kotte (earned 250 total points)
ID: 37805914
There are differences between the vendors.
With RSA you can assign multiple tokens to one user account.
With SafeWord you can assign the same token to multiple accounts.
5 usernames == 5 accounts.
0
 
LVL 23

Assisted Solution

by: Coralon (earned 250 total points)
ID: 37806798
For RSA, the way it works is this --

RSA uses a time-based algorithm to generate a pseudo-random number.  Based on the seed value, this is a known, predictable sequence, but it is not reversible by looking at the numbers themselves (just like any other encryption scheme).

The token has a seed value (either a fixed value for a hard token, or a generated value for a seed) and that same seed is used for the RSA server.  There are agents for all kinds of platforms (web, windows, *nix, etc.) to handle this.

The user picks a code (typically 4-8 digits, but it can include letters depending on the token platform) and combines that with the value from the token to create a passcode.  The passcode has a very limited lifespan (15-60 seconds depending on the purchased token - you pick the amount of time the token code is valid when you actually purchase the token).

The agent takes the passcode and sends it to the RSA server for validation.  Since the RSA server has the seed value, it can calculate what the passcode *should* be and uses that to validate the authentication.  It passes the result back to the agent, which then approves/disapproves the authentication.

This is your 2 factor - the part the user knows (their code) and the part they physically have - the token code.  You can combine that with their other authentication such as a Windows password, and you now have a 3-factor (or more) system.

You can use a looser authentication internally if you want, but then you are just opening it to internal threats.  Sort of like a house - the RSA 2 factor is like putting in a heavy duty steel door - it's great security, but what good does it do you, when the window right next to it is unlocked :-)

Coralon
0
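To make the validation flow Coralon describes concrete, here is an added Python example; it is not code from the thread, from RSA, or from Citrix. RSA's algorithm is proprietary, so the example stands in an HMAC-over-time-step code (RFC 6238 style) for it, and assumes a 60-second step, one window of clock drift, a 6-digit token code, and a passcode built as PIN followed by token code. The server looks the seed up by the username being authenticated, which is what answers item 2 of the question: user B's token produces a code for B's seed, so it never validates against admin A's account, no matter what password B has guessed. The one-use-per-code check is an added design choice, labelled as such in the code.

```python
import hashlib
import hmac
import struct

TOKEN_DIGITS = 6      # assumed token code length
STEP_SECONDS = 60     # assumed token code lifetime (the thread says 15-60 s, chosen at purchase)
DRIFT_WINDOWS = 1     # assumed tolerance: one step of clock drift either side


def token_code(seed: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """Stand-in for the token's algorithm: HMAC-SHA1 over the time counter, truncated
    to a fixed number of digits (RFC 6238 style). Same seed + same counter = same code,
    so the server can compute what the token must be showing right now."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def generate_passcode(seed: bytes, pin: str, now: float) -> str:
    """What the user types: their memorised PIN followed by the code the token shows."""
    return pin + token_code(seed, int(now // STEP_SECONDS))


class TokenServer:
    """Minimal authentication server: a per-user record of seed and PIN (constructed)."""

    def __init__(self) -> None:
        # username -> {"seed": bytes, "pin": str, "last_counter": int}
        self.users: dict = {}

    def assign_token(self, username: str, seed: bytes, pin: str) -> None:
        self.users[username] = {"seed": seed, "pin": pin, "last_counter": -1}

    def verify(self, username: str, passcode: str, now: float) -> bool:
        rec = self.users.get(username)
        if rec is None or len(passcode) <= TOKEN_DIGITS:
            return False
        pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
        # Factor 1: the thing the user knows.
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        # Factor 2: the thing the user has. The seed is taken from THIS user's record,
        # so a code from somebody else's token cannot match.
        counter = int(now // STEP_SECONDS)
        for c in range(counter - DRIFT_WINDOWS, counter + DRIFT_WINDOWS + 1):
            if c <= rec["last_counter"]:
                continue  # added design choice: a code is accepted once, then never replayed
            if hmac.compare_digest(code, token_code(rec["seed"], c)):
                rec["last_counter"] = c
                return True
        return False


def demo(now: float = 1_000_000.0) -> dict:
    """Constructed scenario from the question: admin A and user B each hold a token."""
    seed_a = b"constructed-seed-admin-a"
    seed_b = b"constructed-seed-user-b"
    server = TokenServer()
    server.assign_token("admin_a", seed_a, "1234")
    server.assign_token("user_b", seed_b, "9876")

    results = {}
    # Admin A with A's own PIN and A's own token: accepted.
    results["admin_own_token"] = server.verify("admin_a", generate_passcode(seed_a, "1234", now), now)
    # Same passcode presented again inside the window: rejected by the one-use check.
    results["admin_replay"] = server.verify("admin_a", generate_passcode(seed_a, "1234", now), now)
    # User B knows admin A's PIN but only has B's token: the code is for the wrong seed.
    results["b_with_admin_pin"] = server.verify("admin_a", generate_passcode(seed_b, "1234", now), now)
    # User B logging in as user B works normally.
    results["b_own_account"] = server.verify("user_b", generate_passcode(seed_b, "9876", now), now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point for item 3 of the question is visible in `verify`: the PIN check and the token check are both required, so guessing a colleague's password alone still fails, but the token factor does nothing to protect any path (internal logon, a service that checks only the Windows password) that never calls `verify` at all.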
