I have run into difficulty providing dual factor authentication to a client. The situation is as follows:
The client has a new environment, hosted by a third party, that their users remotely connect to via VPN. Currently their users are connecting to the VPN environment using username and password. Understandably, the security team of my client's parent company are not happy with this single method of authentication. I have been tasked to, among other things, provide a solution for an additional form of authentication, but unfortunately there are some restrictions:
* The remote users that require authentication are stationed all over the world
* The users' computers are not on the domain, and never will be
* No software can be installed on the computers (they cannot even install ActiveX or Java)
* No additional hardware can be given to users (so no RSA keys, smartcards, etc.)
* The client is reluctant to use more hardware server-side
* The environment hosting company are unwilling to do any user management (so no PKI using their edge firewall), and they are unable/unwilling to allow me to manage the users on their equipment for them
So, what I have tried so far is to create an internal domain CA and manually issue certificates to all their users (after a lot of push-back they conceded to installing certificates on user machines), but unfortunately this has failed to work. I think either the certificates are failing to pass through to the CA, or there is some trust issue because they're not on the domain.
I have been toying with the idea of trying to implement a solution whereby we use a kind of smartcard authentication without the smartcards (using certs), but thus far this doesn't seem very promising.
Any suggestions you guys can come up with would be appreciated.
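One thing worth checking before blaming domain membership is whether the user certificates actually chain to the CA the VPN gateway has been told to trust. The script below is an added example and is not part of the original question or the asker's setup: it builds a throwaway internal CA, issues one user certificate from it, and runs the same chain check a gateway performs, once against the correct CA and once against a different one. The CA and user names (`corp-internal-ca`, `some-other-ca`, `jsmith`) are made up for the demo, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original question): build a throwaway internal
# CA, issue a user certificate from it, and verify the chain with openssl the
# way a VPN gateway's trust check does. All names here are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Internal CA: a self-signed root; the gateway must be given this .crt.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# 2. User certificate: a CSR signed by the CA, marked for client authentication.
issue_user_cert() {
    ca="$1"; user="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/$user.ext"
    openssl x509 -req -in "$WORK/$user.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -days 90 -extfile "$WORK/$user.ext" -out "$WORK/$user.crt" >/dev/null 2>&1
}

# 3. The trust check: does the user cert chain to the CA the gateway trusts,
#    and is it usable as a client cert? Prints "ok" or "untrusted". An
#    "untrusted" here is what a gateway configured with the wrong (or no)
#    CA certificate reports, regardless of whether the PC is on a domain.
check_chain() {
    ca="$1"; user="$2"
    if openssl verify -purpose sslclient -CAfile "$WORK/$ca.crt" \
            "$WORK/$user.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

make_ca corp-internal-ca
make_ca some-other-ca
issue_user_cert corp-internal-ca jsmith

check_chain corp-internal-ca jsmith   # ok
check_chain some-other-ca jsmith      # untrusted
```

To apply this to a real deployment, export the user's certificate from the machine (the same file that was installed there) and run the `openssl verify` line against the CA certificate that was actually uploaded to the gateway; if that reports "unable to get local issuer certificate", the gateway was handed the wrong trust anchor and the problem is configuration, not domain membership.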