2 factor authentication

ossjzb asked

We need to implement two factor authentication. We currently use:

- chromebooks - PDO6 - pd02/3 terminals and VMware VDI for desktops - Win 7 laptops.

Is anyone using two factor authentication? If so, could you share what you are using? We have looked at OKTA and Duo Security thus far.

thank you - josh

Exec Consultant
Distinguished Expert 2018
Likely it has to be an OOB type, and save the trouble of installing a hardware driver if possible, so Google Authenticator or Yubikey (FIDO U2F specifications, which is an open standard for 2FA). It is alright with Chromebooks. It is much more lightweight compared to a smartcard.

From the FIDO FAQ:
What can I do with FIDO technologies right now?
FIDO authentication technologies are deployed in hundreds of millions of devices today with increasing numbers of equipped devices expected through 2015. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Alipay, Google, PlugUp and Yubico. Anyone with a FIDO authenticator can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key.

We prefer SMS passcode with VMware View.
The options: token per SMS/mail, hardware token, or soft token installed on the mobile phone.
btan
Exec Consultant
Distinguished Expert 2018
Another few that support a wide range of services include:
SAASPASS (very flexible and adaptable on various platforms and supports developer use)
 - https://www.saaspass.com/how-to-set-up-saaspass-and-use-it.html

WiKID (has a Community and an Enterprise version)
 - https://www.wikidsystems.com/learn-more/features
Rich Rumble
Security Samurai
Top Expert 2006
Why do you need 2 factor? It can help secure one side of the equation, but it doesn't help secure all sides... The biggest caveat of 2-factor-authentication (2FA) is that once 2FA has taken place, the "network level" authentication is still wide open. This is especially true in a Windows environment, I wrote an article about it here:
We use 2FA in a few places, VPN logins, and the wifi access spots. Guest wifi does not require a password even, but the corporate network won't let you on the wifi unless you have a certificate and a valid domain login. The VPN is the same, a cert and u/pass to login. Once a user is logged in to the VPN for instance, if they got a remote access trojan installed, the person controlling my user's machine can get anywhere in the network our user could. \\file_server\share cannot be protected by 2FA, so the attacker could get there if they take over the computer after 2FA has taken place. So we have strict file permissions all over, and the users have "need to know" access only. They can only access what they need to know. Do not let 2FA give you a warm and fuzzy feeling, you need to press on and go deeper, 2FA is only a small "help".
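
Added example, not part of the post above: a small audit of file-share permissions against a "need to know" list, showing that what a logged-in session can reach is decided by ACLs alone. All share, account and group names are constructed, and treating "Domain Users" as covering every account is an assumption of the sketch.

```python
# Added example; every share, account and group name below is constructed.
BROAD = {"everyone", "authenticated users", "domain users"}

ACL = [  # (share, principal, rights) as an ACL export might list them
    (r"\\file_server\share", "Everyone", "FullControl"),
    (r"\\file_server\finance", r"CORP\finance-team", "Change"),
    (r"\\file_server\finance", r"CORP\alice", "Change"),
    (r"\\file_server\hr", "Domain Users", "Read"),
]
GROUPS = {r"CORP\finance-team": {r"CORP\bob"}}
NEED_TO_KNOW = {
    r"CORP\alice": {r"\\file_server\share"},
    r"CORP\bob": {r"\\file_server\finance"},
}


def reachable(user, acl=ACL, groups=GROUPS):
    """Shares any process in the user's logged-in session can open.

    2FA is not consulted here: after login only the ACL decides.
    """
    shares = set()
    for share, principal, _rights in acl:
        if (principal.lower() in BROAD
                or principal == user
                or user in groups.get(principal, ())):
            shares.add(share)
    return shares


def audit(acl=ACL, groups=GROUPS, need=NEED_TO_KNOW):
    """Return sorted findings: broad grants and access beyond need to know."""
    findings = set()
    for share, principal, _rights in acl:
        if principal.lower() in BROAD:
            findings.add(("broad-grant", share, principal))
    for user, needed in need.items():
        for share in reachable(user, acl, groups) - needed:
            findings.add(("excess-access", share, user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep="\t")
```

Each "excess-access" row is a share that a session taken over after login could open without the account needing it; removing the broad grants is what shrinks that list.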
btan
Exec Consultant
Distinguished Expert 2018

To add, do not overkill or overdo it with 2FA; the use case tends to have 2FA for privileged access, remote access (including cloud access and external apps' admin interfaces) and sensitive transactions dealing with data (esp. on the financial and govt side). It is good to share a bit of the use case and see if 2FA is worthwhile; the lifecycle to maintain and manage it also needs diligence. If that is neglected, it even lowers the security posture overall.
Pber
Solutions Architect

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- btan (https:#a40636831)
-- Dirk Kotte (https:#a40645123)
-- btan (https:#a40645992)
-- Rich Rumble (https:#a40651595)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer