Educause Security Discussion mailing list archives

Re: Two factor authentication questions


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Wed, 14 Oct 2009 09:50:10 +1000

Hi Wayne,

Wayne J. Hauber wrote:
My IT organization is considering two factor authentication. We have
not been able to implement a central PKI environment. Lacking a
central certificate structure, we decided to begin the project with a
review of products that use tokens with rapidly changing passwords.

<snip>

A number of you have been using two factor authentication for a long
time. I have questions:

1. What product are you using?

RSA SecurID.

2a. Does it use native Windows two factor authentication support?
2b. Or does it require you to push out a separate GINA (login
interface) and special active directory schema changes?

Don't know, we aren't implementing it the way SecurID recommend, see
below for details.

3. Is it a Windows only product? Or will it handle Linux, Mac OS and
IBM RACF too?

Able to be applied to other environments, with the caveats outlined below.

4. Finally, what sort of initial user group have you chosen for the
project? (for example: System admins only?, system admins and
important data stewards?, all of campus?)

We chose VPN access to the corporate environment, but it has taken so
long to figure out how to do the configuration that our goalposts have
changed and we will probably deploy it in a very different way during
the pilot - unknown at this time.

Your experience will be valuable to our 2 factor authentication committee.

We are in the process of implementing the RSA SecurID product.  We found
that we would have had to chuck out our existing credential set
(authenticating to an LDAP backend) and rely solely on the SecurID
system as our authentication system.  Since our LDAP solution is
integral to the entire University (40,000+ students and 4,000+ staff),
we didn't really want to ask our pilot group to remember two sets of
credentials (existing user/pass as well as the PIN/token for the SecurID
system), so we looked at how to leverage our FreeRADIUS system to do
real two factor authentication.

What we came up with was having the FreeRADIUS system configured so that
it receives the username and then the LDAP password and tokencode (we
are not going to use the PIN functionality of the SecurID system)
concatenated together on the password field.  The FreeRADIUS server will
pull the password and tokencode apart, and send the user/tokencode to
SecurID, then user/LDAP password to our LDAP system.

We had to employ Alan deKok (project founder and co-leader of
FreeRADIUS) to do the configuration for us and are about to test it.

Doing what we are doing with SecurID is possible with other radius
systems like Radiator, but we didn't want to have another radius system
in place solely to support this pilot.

If you really want to do proper two factor authentication (something you
know, something you have, something you are, pick two) then you can use
SecurID so long as you are happy only authenticating to the SecurID
infrastructure.

Any questions about what we are doing, feel free to ask me :)

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J
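To make the splitting step in Greg's description concrete, here is an added Python sketch of the logic the RADIUS server applies; it is not QUT's FreeRADIUS configuration (which is not in the post) and the 6-digit tokencode length and the in-memory stand-ins for the LDAP and SecurID backends are assumptions.

```python
import hmac
from typing import Callable, Optional, Tuple

TOKENCODE_LEN = 6  # assumption: 6-digit SecurID tokencodes (some tokens use 8)

# Constructed sample credentials standing in for the LDAP directory and the
# SecurID server; a real deployment queries those backends instead.
SAMPLE_LDAP = {"alice": "hunter2024"}     # note: the password itself ends in digits
SAMPLE_TOKENCODES = {"alice": "123456"}


def split_credential(password_field: str,
                     tokencode_len: int = TOKENCODE_LEN) -> Optional[Tuple[str, str]]:
    """Split '<LDAP password><tokencode>' into its two parts.

    The tokencode is fixed-length and numeric, so it is cut from the right end;
    scanning for the first digit from the left would break passwords that
    themselves end in digits. Returns None if the field cannot hold both parts.
    """
    if len(password_field) <= tokencode_len:
        return None
    ldap_password = password_field[:-tokencode_len]
    tokencode = password_field[-tokencode_len:]
    if not tokencode.isdigit():
        return None
    return ldap_password, tokencode


def check_ldap(username: str, password: str) -> bool:
    expected = SAMPLE_LDAP.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def check_tokencode(username: str, tokencode: str) -> bool:
    expected = SAMPLE_TOKENCODES.get(username, "")
    return hmac.compare_digest(expected.encode(), tokencode.encode())


def authenticate(username: str, password_field: str,
                 ldap_check: Callable[[str, str], bool] = check_ldap,
                 token_check: Callable[[str, str], bool] = check_tokencode) -> bool:
    """Accept only if both factors verify. Both backends are always consulted,
    so the response time does not reveal whether the LDAP password alone was
    correct; log only the reject, never the tokencode or which factor failed."""
    parts = split_credential(password_field)
    if parts is None:
        return False
    ldap_password, tokencode = parts
    ldap_ok = ldap_check(username, ldap_password)
    token_ok = token_check(username, tokencode)
    return ldap_ok and token_ok
```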
