2 factor authentication

Hi,

We need to implement two-factor authentication. We currently use:

- chromebooks - PDO6 - pd02/3 terminals and VMware VDI for desktops - Win 7 laptops.

Is anyone using two-factor authentication? If so, could you share what you are using? We have looked at OKTA and Duo Security thus far.

Thank you - josh
ossjzb Asked:

btan (Exec Consultant) Commented:
It would likely have to be an OOB type, to save the trouble of installing a hardware driver if possible, so Google Authenticator or YubiKey (FIDO U2F specification, which is an open standard for 2FA). It is alright with Chromebooks. It is much more lightweight compared to a smartcard.

From the FIDO FAQ:
What can I do with FIDO technologies right now?
FIDO authentication technologies are deployed in hundreds of millions of devices today with increasing numbers of equipped devices expected through 2015. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Alipay, Google, PlugUp and Yubico. Anyone with a FIDO authenticator can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key.
https://fidoalliance.org/about/faq
0

Dirk Kotte (SE) Commented:
We prefer SMS PASSCODE with VMware View.
The options: token per SMS/mail, hardware token, or soft token installed on the mobile phone.
http://www.smspasscode.com/media/1833/vmware-horizon-view-configuration-for-sms-passcode.pdf
0
btan (Exec Consultant) Commented:
Another few that support a wide range of services include:
SAASPASS (very flexible and adaptable on various platforms, and supports developer use)
 - https://www.saaspass.com/how-to-set-up-saaspass-and-use-it.html

WiKID (has a Community and an Enterprise version)
 - https://www.wikidsystems.com/learn-more/features
0

Rich Rumble (Security Samurai) Commented:
Why do you need 2 factor? It can help secure one side of the equation, but it doesn't help secure all sides... The biggest caveat of 2-factor-authentication (2FA) is that once 2FA has taken place, the "network level" authentication is still wide open. This is especially true in a Windows environment; I wrote an article about it here:
 http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html
We use 2FA in a few places, VPN logins, and the wifi access spots. Guest wifi does not require a password even, but the corporate network won't let you on the wifi unless you have a certificate and a valid domain login. The VPN is the same, a cert and u/pass to login. Once a user is logged in to the VPN, for instance, if they got a remote access trojan installed, the person controlling my user's machine can get anywhere in the network our user could. \\file_server\share cannot be protected by 2FA, so the attacker could get there if they take over the computer after 2FA has taken place. So we have strict file permissions all over, and the users have "need to know" access only. They can only access what they need to know. Do not let 2FA give you a warm and fuzzy feeling; you need to press on and go deeper. 2FA is only a small "help".
-rich
0
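The comment above argues that once a session is authenticated, a share such as \\file_server\share is protected only by its file permissions. As an added example (not part of the original thread), this Python sketch audits an icacls-style ACL listing against a need-to-know allowlist; the sample listing, the CORP principals and the allowlist are constructed for illustration.

```python
import re

# Catch-all groups: every authenticated session is a member, including one
# taken over after 2FA has completed, so an allow ACE here defeats need-to-know.
BROAD = {"everyone", "authenticated users", "domain users", "users"}
WRITE = {"F", "M", "W"}                   # full control, modify, write
INHERIT = {"OI", "CI", "IO", "NP", "I"}   # inheritance markers, not rights
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z,]+\))+)$")

# Constructed sample in icacls output style; CORP names are hypothetical.
SHARE = r"\\file_server\share"
NEED_TO_KNOW = [r"BUILTIN\Administrators", r"CORP\Finance-Team"]
SAMPLE = r"""
\\file_server\share BUILTIN\Administrators:(OI)(CI)(F)
                    CORP\Domain Users:(OI)(CI)(M)
                    CORP\Finance-Team:(OI)(CI)(RX)
                    CORP\jdoe:(I)(R)
                    Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_acl(path, listing):
    """Return [(principal, rights, is_deny)] parsed from the listing."""
    aces = []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue                       # blank lines and the summary footer
        tokens = re.findall(r"\(([A-Z,]+)\)", m["flags"])
        rights = {r for t in tokens for r in t.split(",")} - INHERIT - {"DENY"}
        aces.append((m["who"], rights, "DENY" in tokens))
    return aces

def audit(path, listing, need_to_know):
    """Flag allow ACEs for catch-all groups or principals off the allowlist."""
    allowed = {p.lower() for p in need_to_know}
    findings = []
    for who, rights, deny in parse_acl(path, listing):
        name = who.split("\\")[-1].lower()
        if deny or (name not in BROAD and who.lower() in allowed):
            continue
        reason = "catch-all group" if name in BROAD else "not on need-to-know list"
        findings.append((who, "write" if rights & WRITE else "read", reason))
    return findings
```

Calling `audit(SHARE, SAMPLE, NEED_TO_KNOW)` returns one finding per ACE that should be reviewed; deny entries and allowlisted principals are skipped.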
btan (Exec Consultant) Commented:
To add, do not overdo 2FA; use cases tend to have 2FA for privileged access, remote access (including cloud access and external apps' admin interfaces) and sensitive transactions dealing with data (especially on the financial and government side). It is good to share a bit of the use case and see if 2FA is worthwhile; the lifecycle to maintain and manage it also needs diligence. If that is neglected, it even lowers the security posture overall.
0
Pber (Solutions Architect) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- btan (https:#a40636831)
-- Dirk Kotte (https:#a40645123)
-- btan (https:#a40645992)
-- Rich Rumble (https:#a40651595)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0