AGoodhall

asked on

2nd factor Authentication

I have run into difficulty providing dual factor authentication to a client. The situation is as follows:

The client has a new environment, hosted by a third party, that their users remotely connect to via VPN. Currently their users are connecting to the VPN environment using username and password. Understandably the security team of my client's parent company are not happy with this single method of authentication. I have been tasked to, among other things, provide a solution for an additional form of authentication, but unfortunately there are some restrictions:

* The remote users that require authentication are stationed all over the world

* The users' computers are not on the domain, and will never be

* No software can be installed on the computers (they cannot even install ActiveX or Java)

* No additional hardware can be given to users (so no RSA keys, smartcards, etc.)

* The client is reluctant to use more hardware server-side

* The environment hosting company are unwilling to do any user management (so no PKI using their edge firewall), and they are unable/unwilling to allow me to manage the users on their equipment for them


So, what I have tried so far is to create an internal domain CA and manually issue certificates to all their users (after a lot of push-back they conceded to installing certificates on user machines), but unfortunately this has failed to work. I think either the certificates are failing to pass through to the CA or there is some trust issue because they're not on the domain.

I have been toying with the idea of trying to implement a solution whereby we use a kind of smartcard authentication without the smartcards (using certs), but thus far this doesn't seem very promising.

Any suggestions you guys can come up with would be appreciated.
Dave Howe

Google Authenticator could be your friend then.
It's free, the server-side generator is just a TOTP implementation, and the client-side token is software for the user's smartphone. Would presumably run under Cygwin, but not tried it. The only real issue is getting the server to validate against the TOTP provider, which you usually do via RADIUS.

http://en.wikipedia.org/wiki/Google_Authenticator
AGoodhall

ASKER

Hi Dave,

Thanks for the response. Unfortunately a lot of these users are from developing countries where smartphones are not an option.
Well, you don't need an actual smartphone, but it then gets either expensive, awkward or both.

If they can't install the GA app to their workstation, you will need to send them a TOTP code via SMS, email, or some other out-of-band method; this increases the difficulty, and may incur operating expenses getting the code to its recipient.
Yeah I think awkward is a good description of this situation. We're incredibly limited in what we can do on the user side as even using non-smart phones is an issue. That's why we've been looking into trying to achieve this with certificates.

Your email idea is interesting though. Do you happen to know of any links where I could read up on it?
ASKER CERTIFIED SOLUTION
Dave Howe

Thanks for your help, this looks like a good solution.

Adam