• Status: Solved

Deepnet, PhoneFactor, Safenet 2 factor authentication

Hello EE,

We are looking at 3 solutions for our 2nd factor of VPN client into a Cisco ASA 5525 using Radius.  We don't want to use any hard tokens and were advised of these and wanted to see if anyone was using any or used to use any of the above who could offer pros/cons, etc.
Asked by: bergquistcompany
 
kevinhsiehCommented:
I use PhoneFactor to secure user VPN connections through my ASA. It works very well and is straightforward. You just need to configure the ASA to point to your PhoneFactor agent(s) as the RADIUS server. Set up your shared secret like you normally would. Change the timeout from the default 10 seconds to 60.

The PhoneFactor agent(s) then get configured as RADIUS clients to your real RADIUS servers. I use Microsoft Network Protection Services (NPS) that is built into Windows 2008.

I have had only 1 issue with PhoneFactor where we had to recover the database because another administrator didn't know what they were doing. Tech Support was awesome, and recovery was pretty simple. We have never experienced an outage in the service (besides the self-inflicted one). User training has been basically zero, other than telling people to expect and answer the call. I have configured PhoneFactor to appear as if it is coming from our main phone number. The available reporting and searching is pretty darn good. You can see who authenticated to which service and when, which is more visibility into VPN access than what most organizations have.

For me the only downside with PhoneFactor is that I wish it was cheaper. It is nice that the pricing is for the number of active users in a month. If you have 500 potential users but only 25 users who actually connect in a given month, you only need the 25 licenses.

I have never heard of the other two products you mentioned.
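A check for the timeout change described in the answer above, as an added example that is not part of the thread or of any vendor's tooling: it parses a saved ASA running configuration and lists RADIUS hosts whose timeout is still below 60 seconds. The group names, addresses and sample config are constructed, and it assumes a host with no `timeout` line is on the 10-second default mentioned above.

```python
import re

ASA_DEFAULT_TIMEOUT = 10   # default stated in the answer above (assumed when unset)
MIN_MFA_TIMEOUT = 60       # value the answer recommends for phone-call MFA

# Constructed sample config; group names and addresses are placeholders.
SAMPLE_CONFIG = """\
aaa-server PF-MFA protocol radius
aaa-server PF-MFA (inside) host 192.0.2.10
 timeout 60
 key *****
aaa-server PF-MFA (inside) host 192.0.2.11
 key *****
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 timeout 10
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
TIMEOUT_RE = re.compile(r"^\s+timeout (\d+)")


def audit_radius_timeouts(config, minimum=MIN_MFA_TIMEOUT):
    """Return (group, host, timeout) for RADIUS hosts below `minimum`."""
    protocols = {}   # group name -> protocol
    hosts = []       # [group, host, timeout] in config order
    current = None   # host entry whose sub-commands are being read
    for line in config.splitlines():
        if m := PROTO_RE.match(line):
            protocols[m.group(1)] = m.group(2)
            current = None
        elif m := HOST_RE.match(line):
            current = [m.group(1), m.group(3), ASA_DEFAULT_TIMEOUT]
            hosts.append(current)
        elif line.startswith(" ") and current is not None:
            if m := TIMEOUT_RE.match(line):
                current[2] = int(m.group(1))
        else:
            current = None   # any other top-level command ends the block
    return [tuple(h) for h in hosts
            if protocols.get(h[0]) == "radius" and h[2] < minimum]


if __name__ == "__main__":
    for group, host, timeout in audit_radius_timeouts(SAMPLE_CONFIG):
        print(f"{group} {host}: timeout {timeout}s is below {MIN_MFA_TIMEOUT}s")
```

On the sample it reports only the second PF-MFA host, which has no explicit timeout; the LDAP group is ignored because it is not RADIUS.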
 
bergquistcompanyAuthor Commented:
Excellent thank you.  Have you any experience with the others or does anyone else?

How about issues with paying per text or limitations on coverage with carrier?
 
kevinhsiehCommented:
As I said before, I don't have experience with two factor other than Phonefactor.

Phonefactor doesn't use text messaging. What do you mean by carrier coverage limitations?
 
bergquistcompanyAuthor Commented:
No I was trying to see if I could get any additional feedback on the others.
You have great information on phonefactor.

I was told by their sales "Text Message
PhoneFactor sends the user a text message containing a passcode. The user replies to the text message with the passcode."
 
kevinhsiehCommented:
That is not how Phonefactor works. It works by placing a phone call. You need to answer the call and respond by hitting the * key. The higher level can also require that you respond to the call by entering a PIN code into the phone keypad. Phonefactor works with POTS land lines, PBX systems, cell phones, and possibly Skype phones as well. There is no text message option that I am aware of, though there is an app for Android and iOS. I am not exactly sure how the app works, but I know that you need to deploy a web server to make it work, and I don't know if it is as secure as the standard method of authentication. I can imagine a piece of malware causing the Phonefactor app to authenticate a user improperly, but it seems a lot harder to write malware that would silently answer and respond to a phone call, especially since that phone call can come from an administrator-selected phone number.
 
bergquistcompanyAuthor Commented:
Ok that was another option they had but they were pushing the text.
So with the phone call you don't have users complain about minutes if it's calling their cell phone?
 
kevinhsiehCommented:
It takes about 3 seconds of airtime. How many times a day do you authenticate? You can always deploy the app, which will take a little bit of data instead of minutes, but the implementation is a little more involved on the backend to set up the web server.
 
bergquistcompanyAuthor Commented:
Ok thanks