Smart card and token for Windows login

We are currently in the process of implementing smart card Windows login; we need to have a secondary login using a token (e.g. RSA) in case an employee forgets/loses his smart card.
What is the possibility of having a token as a secondary login, and how do we switch between smart card login and token?
btan (Exec Consultant) commented:
Actually I am thinking the question is better answered by just installing it as another credential provider, based on the provider: e.g. RSA SecurID (OTP token) has its own software and the other smart card provider will also have its own software (cum token driver and crypto provider). Depending on which hardware is used by the user at login, the tile selected will authenticate against the smart card or the token. The provider can be filtered as well. Look at the RSA suggestion:
Navigate to Start > Run > "gpedit.msc" > Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > RSA Desktop > Credential Provider Filter Settings
This can be accomplished by enabling the exclusion on third-party credential providers. You can leave all the rest of the credential providers as Not configured, which is the default setting.
Exclude the Microsoft Password Credential Provider = Not configured
Exclude the RSA Credential Provider for disconnect auth = Not configured
Exclude the RSA Smart Card Credential Provider = Not configured
Exclude the Third-party Credential Providers = Enabled

As a whole, it should be viable to answer the query.
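As an added illustration (not code from the thread or from RSA), here is a read-only PowerShell inventory of the credential providers and filters registered on a host, so an administrator can confirm that the smart card provider, the password provider and any third-party token provider are all installed, who signed each DLL, and whether a per-provider Disabled flag or the Microsoft "Exclude credential providers" policy hides any of them. It assumes the standard Windows registry locations for credential providers and does not read the RSA-specific ADM settings above, which live in RSA's own template.

```powershell
# Added example, not part of the original thread. Read-only; run elevated.
# Standard Windows registration points for credential providers and their filters.
$cpKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filterKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# CLSIDs hidden by the Microsoft "Exclude credential providers" policy (comma-separated list).
$excluded = @()
$pol = Get-ItemProperty -Path $policyKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
if ($pol) { $excluded = $pol.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim().ToLower() } }

function Get-ProviderInfo {
    param([string]$BaseKey, [string]$Kind)
    Get-ChildItem -Path $BaseKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid    = $_.PSChildName
        $name     = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $disabled = (Get-ItemProperty -Path $_.PSPath -Name Disabled -ErrorAction SilentlyContinue).Disabled
        # The COM registration tells us which DLL implements this provider.
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                 -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $signer  = $null
        if ($dllPath -and (Test-Path $dllPath)) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Kind       = $Kind
            Name       = $name
            CLSID      = $clsid
            Dll        = $dllPath
            Signer     = $signer
            ThirdParty = -not ($signer -like '*Microsoft*')   # e.g. an RSA or vendor smart card provider
            Disabled   = [bool]$disabled                        # per-provider Disabled DWORD
            PolicyExcl = $excluded -contains $clsid.ToLower()   # hidden by GPO
        }
    }
}

$report = @(Get-ProviderInfo -BaseKey $cpKey -Kind 'Provider') +
          @(Get-ProviderInfo -BaseKey $filterKey -Kind 'Filter')
$report | Sort-Object Kind, Name |
    Format-Table Kind, Name, ThirdParty, Disabled, PolicyExcl, Signer -AutoSize
```

A provider that shows ThirdParty but also Disabled or PolicyExcl will not appear as a logon tile, which is the first thing to check when the token tile is missing.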
btan (Exec Consultant) commented:
Likely you need the fallback plan to be fronted by some sort of "intelligent" proxy such that it is able to execute the plan accordingly. I see maybe you can leverage an application delivery controller (ADC, which is at the same time load balancer capable) such as F5 APM, or Forefront TMG (or ISA), or the Cisco ACS type of approach.

I don't think you can indicate fallback via Active Directory on the Windows login account, besides falling back to login via user/password out of the Windows box, which is more of a downgrade... RSA OTP can also be part of the Windows login GINA, as most enterprises have used it, but likely you need to cater for Enterprise SSO (recall there is IBM Tivoli and Oracle IDM), which is part of an identity mgmt suite.

Please see the below:

(F5 APM for AAA servers; it has the flexibility to configure various authentication means using the policy editor. But it tends to work with your org's IDM provider.)

(See "Methods for validation of client credentials" onwards, e.g. "If authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert." Also the 2nd link talks about SecurID and ISA.)

(See the HA configuration, but for your case of user fallback it may be too tedious to do it specific to a single user. I was thinking maybe ACS can act as a directory to check and fall back according to user mapping - need to explore further on the 2nd link's "Unknown user policy External database Mapping RSA".)
Rich Rumble (Security Samurai) commented:
I don't think you've thought this through: why does a user need two logins? With Active Directory there are no secondary passwords or fall-backs; it's the user's password or nothing. You can use tokens to be the passwords or authenticators, like Yubikey's standard token, which is basically a USB device that replays a password when you want it to. Place the USB in, put the cursor in the password field, click a button on the USB device and it "types" the password in. It's almost 100% universal. That is the only thing I can think of using; the Yubikey would have the same password the user knows, however, so it's only going to work as a backup, not an alternate.
I think I don't understand the question really, I can't picture this fallback working for anything. But I'm a security guy and that sounds like bad bad bad security.
btan (Exec Consultant) commented:
This is more like having user recovery if he/she forgets their password too: self-service reset of password. There are many means to have it, and likewise if the PIN is forgotten and not due to backend outage or errors, the user has to bear the ownership to recover via helpdesk as per the norm; this is similar to revoking an expired cert or a token that is spoilt. I do agree there shouldn't be so many logins, especially for the OS: it is either smart card or the normal username/password, but as shared that is a security downgrade. Go for maintaining the change mgmt process in user awareness and resiliency in the backend. Application login can vary, but not OS (including preboot) login, as that is the critical juncture to access all possible services via the machine.
btan (Exec Consultant) commented:
Can I suggest that the below are considered for the solution.
http://#ID:41704627 (tile-based selection by user)
http://#ID:39737492 (another means, using a proxy to manage which login approach)
http://#ID:39743465 (another form factor)

This is in the understanding that it is not asking for multifactor authentication, e.g. not to restrict only with a 2nd factor, as well as not asking for HA configuration, but more that the user is able to use either smart card or token, if I read it correctly.