2nd Factor Authentication

I have run into difficulty providing dual factor authentication to a client. The situation is as follows:

The client has a new environment, hosted by a third party, that their users remotely connect to via VPN. Currently their users are connecting to the VPN environment using username and password. Understandably the security team of my client's parent company are not happy with this single method of authentication. I have been tasked to, among other things, provide a solution for an additional form of authentication, but unfortunately there are some restrictions:

* The remote users that require authentication are stationed all over the world
* The users' computers are not on the domain, and will never be
* No software can be installed on the computers (they cannot even install ActiveX or Java)
* No additional hardware can be given to users (so no RSA keys, smartcards, etc.)
* The client is reluctant to use more hardware server-side
* The environment hosting company are unwilling to do any user management (so no PKI using their edge firewall), and they are unable/unwilling to allow me to manage the users on their equipment for them

So, what I have tried so far is to create an internal domain CA and manually issue certificates to all their users (after a lot of push-back they conceded to installing certificates on user machines), but unfortunately this has failed to work; I think either the certificates are failing to pass through to the CA or there is some trust issue because they're not on the domain.

I have been toying with the idea of trying to implement a solution whereby we use a kind of smartcard authentication without the smartcards (using certs), but thus far this doesn't seem very promising.

Any suggestions you guys can come up with would be appreciated.

Dave Howe (Software and Hardware Engineer) commented:
Google Authenticator could be your friend then.
It's free; the server-side generator is just a TOTP implementation, and the client-side token is software for the user's smartphone. Would presumably run under Cygwin, but not tried it. Only real issue is getting the server to validate against the TOTP provider, which you usually do via RADIUS.

AGoodhall (Author) commented:
Hi Dave,

Thanks for the response. Unfortunately a lot of these users are from developing countries where smartphones are not an option.
Dave Howe (Software and Hardware Engineer) commented:
Well, you don't need an actual smartphone, but it then gets either expensive, awkward or both.

If they can't install the GA app to their workstation, you will need to send them a TOTP code via SMS, email, or some other out-of-band method; this increases the difficulty, and may incur operating expenses getting the code to its recipient.

AGoodhall (Author) commented:
Yeah, I think awkward is a good description of this situation. We're incredibly limited in what we can do on the user side, as even using non-smart phones is an issue. That's why we've been looking into trying to achieve this with certificates.

Your email idea is interesting though. Do you happen to know of any links where I could read up on it?
Dave Howe (Software and Hardware Engineer) commented:
You could implement that yourself with the right tools. It is one of the features of the RSA authentication appliance platform (which obviously would require a purchase of that platform), but it is a logical extension of the sending of codes by SMS, which Google provides on its own services (needless to say, Google uses GA :)

The requirement is to allow the user to trigger the sending of a one-time code (not hard to implement as a web service) and to gate access with that code; as the code does not actually need to be a GA-style token, it would be trivial to implement the former as a web-facing service (present a simple form with username and password over HTTPS; on validation of username and password, email out a code or display it on the web page, and log that in a database for the RADIUS authenticator). I would expect coding that to take around 2-3 hours with testing (given that's how long it took me to implement something similar in Perl via xinetd and the RADIUS::Packet library, and that was with full GA compatibility) and require no investment in kit at all. Of course, I had an Ubuntu server on hand already; I suspect it would be awkward if you lacked a Linux box to implement on.

The downside of all this really is this: if logging into the system triggers an email, then the entire solution is no more secure than that email, and odds are good their email is accessed with exactly the same username and password that they use now for VPN....
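The issue-then-gate flow Dave sketches, as an added example that is not his Perl/xinetd code or anything from this thread: the web form calls `issue_code` after the password validates and delivers the result out of band; the RADIUS authenticator calls `verify_code`. The in-memory dict, `SERVER_KEY`, the TTL and attempt limit are my assumptions standing in for the database and its configuration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL = 300       # seconds an issued code stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong guesses allowed before the code is discarded
SERVER_KEY = secrets.token_bytes(32)   # in practice a persistent secret, not per-process

# username -> {"digest", "expires", "attempts"}; stands in for the database table
_pending = {}


def _digest(username: str, code: str) -> bytes:
    # Keyed hash so a copy of the table does not hand out live codes.
    return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).digest()


def issue_code(username: str, now: Optional[float] = None, ttl: int = CODE_TTL) -> str:
    """Called by the HTTPS form once username and password have validated.
    Returns the code to email or display; a new code replaces any outstanding one."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"      # CSPRNG, never random.randint
    _pending[username] = {"digest": _digest(username, code),
                          "expires": now + ttl, "attempts": 0}
    return code


def verify_code(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """The RADIUS-side gate: a code is good once, before expiry, within the
    attempt limit, and is compared in constant time."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None or now > rec["expires"]:
        _pending.pop(username, None)                 # expired codes are purged
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[username]                       # too many guesses: start over
        return False
    if not hmac.compare_digest(rec["digest"], _digest(username, submitted)):
        return False
    del _pending[username]                           # single use
    return True
```

None of this changes Dave's closing point: the factor is only as strong as the channel the code travels over, so a mailbox opened with the VPN password adds little, while an on-page display after a separate credential or an SMS to a registered number keeps the two factors apart.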

AGoodhall (Author) commented:
Thanks for your help, this looks like a good solution.
