Two factor authentication questions

["Wayne J. Hauber" <wjhauber () IASTATE EDU>]

My IT organization is considering two factor authentication. We have
not been able to implement a central PKI environment. Lacking a
central certificate structure, we decided to begin the project with a
review of products that use tokens with rapidly changing passwords.
We completed a very detailed review of a product that used password
tokens and provided limited integration with Windows/Active Directory
but very good integration with RACF. The first product was
substandard. We will be reviewing RSA's product next.

A few us old-time Windows consultants have been critical of solutions
that grafted their own GINA (login environment) and schema onto
Windows Active Directory. These products didn't offer a very
comprehensive solution.

Some solutions were very Windows-centric and ignored IBM RACF, Mac OS
and Linux. We need to consider all of these systems too.

We suspect that our first recipients of two factor authentication
will be important system admins and important campus data stewards.
That user group has not been finalized.

A number of you have been using two factor authentication for a long
time. I have questions:

1. What product are you using?
2a. Does it use native Windows two factor authentication support?
2b. Or does it require you to push out a separate GINA (login
interface) and special active directory schema changes?
3. Is it a Windows only product? Or will it handle Linux, Mac OS and
IBM RACF too?
4. Finally, what sort of initial user group have you chosen for the
project? (for example: System admins only?, system admins and
important data stewards?, all of campus?)

Your experience will be valuable to our 2 factor authentication committee.


Wayne Hauber (515) 294-9890
GCWN GCFA
Information Technology Services
IT Security and Policies
297 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu