Educause Security Discussion mailing list archives
Re: Two factor authentication questions
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Wed, 14 Oct 2009 09:50:10 +1000
Hi Wayne,

Wayne J. Hauber wrote:
My IT organization is considering two factor authentication. We have not been able to implement a central PKI environment. Lacking a central certificate structure, we decided to begin the project with a review of products that use tokens with rapidly changing passwords.
<snip>
A number of you have been using two factor authentication for a long time. I have questions:

1. What product are you using?
RSA SecurID.
2a. Does it use native Windows two factor authentication support?
2b. Or does it require you to push out a separate GINA (login interface) and special active directory schema changes?
Don't know, we aren't implementing it the way SecurID recommend, see below for details.
3. Is it a Windows only product? Or will it handle Linux, Mac OS and IBM RACF too?
Able to be applied to other environments, with the caveats outlined below.
4. Finally, what sort of initial user group have you chosen for the project? (for example: System admins only?, system admins and important data stewards?, all of campus?)
We chose VPN access to the corporate environment, but it has taken so long to figure out how to do the configuration that our goalposts have changed and we will probably deploy it in a very different way during the pilot - unknown at this time.
Your experience will be valuable to our 2 factor authentication committee.
We are in the process of implementing the RSA SecurID product. We found that we would have had to chuck out our existing credential set (authenticating to an LDAP backend) and rely solely on the SecurID system as our authentication system. Since our LDAP solution is integral to the entire University (40,000+ students and 4,000+ staff), we didn't really want to ask our pilot group to remember two sets of credentials (existing user/pass as well as the PIN/token for the SecurID system), so we looked at how to leverage our FreeRADIUS system to do real two factor authentication.

What we came up with was having the FreeRADIUS system configured so that it receives the username and then the LDAP password and tokencode (we are not going to use the PIN functionality of the SecurID system) concatenated together on the password field. The FreeRADIUS server will pull the password and tokencode apart, and send the user/tokencode to SecurID, then user/LDAP password to our LDAP system. We had to employ Alan deKok (project founder and co-leader of FreeRADIUS) to do the configuration for us and are about to test it.

Doing what we are doing with SecurID is possible with other radius systems like Radiator, but we didn't want to have another radius system in place solely to support this pilot.

If you really want to do proper two factor authentication (something you know, something you have, something you are, pick two) then you can use SecurID so long as you are happy only authenticating to the SecurID infrastructure.

Any questions about what we are doing, feel free to ask me :)

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J
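The split-and-forward logic Greg describes, as an added example that is not part of the original post or of any FreeRADIUS configuration: the concatenated "LDAP password + tokencode" is cut from the right by a fixed tokencode length (so passwords that end in digits still split correctly), each half goes to its own back end, and the reply is Access-Accept only when both factors verify. The 6-digit tokencode length, the user names and the stub back-end stores are constructed assumptions.

```python
"""Simulate the RADIUS-side split of a 'LDAPpassword||tokencode' field.
The back ends below are constructed stand-ins, not the real LDAP or
SecurID agent modules."""
from hmac import compare_digest

TOKENCODE_LEN = 6  # assumption: 6-digit SecurID tokencode, PIN not used


def split_password_field(field: str, token_len: int = TOKENCODE_LEN):
    """Return (password, tokencode) or None if the field is malformed.

    Splitting by fixed length from the right, rather than by a regex for
    'trailing digits', matters because LDAP passwords may themselves end
    in digits."""
    if len(field) <= token_len:
        return None
    password, tokencode = field[:-token_len], field[-token_len:]
    if not tokencode.isdigit():
        return None
    return password, tokencode


# Constructed credential stores standing in for the two back ends.
LDAP_STORE = {"jsmith": "Spring2009!"}
SECURID_STORE = {"jsmith": "482913"}  # code valid in the current window


def _eq(a: str, b: str) -> bool:
    return compare_digest(a.encode(), b.encode())


def securid_check(user: str, tokencode: str) -> bool:
    return _eq(SECURID_STORE.get(user, ""), tokencode)


def ldap_check(user: str, password: str) -> bool:
    return _eq(LDAP_STORE.get(user, ""), password)


def authorize(user: str, password_field: str) -> str:
    """Accept only if BOTH factors verify; every failure returns the same
    Access-Reject so a client cannot tell which factor was wrong, and a
    malformed field never reaches either back end."""
    parts = split_password_field(password_field)
    if parts is None:
        return "Access-Reject"
    password, tokencode = parts
    # Same order as the post: tokencode to SecurID, then password to LDAP.
    token_ok = securid_check(user, tokencode)
    pass_ok = ldap_check(user, password)
    return "Access-Accept" if (token_ok and pass_ok) else "Access-Reject"
```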