Educause Security Discussion mailing list archives
Re: Two factor authentication questions
From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 14 Oct 2009 09:00:10 -0400
> My IT organization is considering two factor authentication. We have not been able to implement a central PKI environment. Lacking a central certificate structure, we decided to begin the project with a review of products that use tokens with rapidly changing passwords. We completed a very detailed review of a product that used password tokens and provided limited integration with Windows/Active Directory but very good integration with RACF. The first product was substandard. We will be reviewing RSA's product next. A few of us old-time Windows consultants have been critical of solutions that grafted their own GINA (login environment) and schema onto Windows Active Directory. These products didn't offer a very comprehensive solution. Some solutions were very Windows-centric and ignored IBM RACF, Mac OS and Linux. We need to consider all of these systems too. We suspect that our first recipients of two factor authentication will be important system admins and important campus data stewards. That user group has not been finalized. A number of you have been using two factor authentication for a long time. I have questions:
>
> 1. What product are you using?
My institution currently uses the RSA SecurID pinpad token/server product for staff access to ERP and student records systems only (2500 users). Strong security, but expensive and I'd like to offer it to a wider group. A couple of years ago we started looking at alternatives and chose to pursue an X.509 PKI/smart card project: OpenCA, some locally developed tools to do cert enrolment, renewal, temporary access and smart card password recovery, and the Aladdin (Safenet now) eToken. Why? Good client support for X.509 authentication: TLS client auth in web servers, OpenVPN which we use to shim legacy apps that don't support X.509, great support in Microsoft domain environments, desktop login, RDC, admin login. Also, support for MacOS, Linux but I haven't done much there. RACF supports X.509 I believe. As a central IT person, theoretically, I can run the issuance, renewal, revocation, and other token needs services but stay out of the application server authentication interface - the local IT staff can manage authorization and the authentication configuration. We have a pilot group of about 60 people doing application authentication. There's another group of about 20 running a separate CA (issued by an internal root CA) and doing Windows domain admin access. The Windows CA environment looks a lot easier to use than my setup - I may move to that at some point.
> 2a. Does it use native Windows two factor authentication support?
> 2b. Or does it require you to push out a separate GINA (login interface) and special active directory schema changes?
> 3. Is it a Windows only product? Or will it handle Linux, Mac OS and IBM RACF too?
> 4. Finally, what sort of initial user group have you chosen for the project? (for example: System admins only?, system admins and important data stewards?, all of campus?)
>
> Your experience will be valuable to our 2 factor authentication committee.
Mike

Mike Wiseman
Manager, Network & Server Security
Department of Information Security
University of Toronto
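The central-CA duties Mike describes (issuance, revocation, and the relying party checking the result) in miniature, as an added shell example that is not from the list or the University of Toronto setup; it assumes `openssl` on PATH, and the CA name, config file and user names are made up:

```shell
#!/bin/sh
# Added example: issue / revoke / CRL-check cycle with plain openssl.
# ca.cnf, "Campus Root CA" and the user names are constructed for this demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal 'openssl ca' config: database, serial and CRL counter in cwd.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
printf 'extendedKeyUsage=clientAuth\n' > client.ext   # user certs: client auth only

# Self-signed root (a real deployment keeps this key offline or on a token/HSM).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -subj "/CN=Campus Root CA" -keyout ca.key -out ca.crt 2>/dev/null
# Publish an (empty) CRL immediately so relying parties can always check one.
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Enrolment: user generates key + CSR, CA signs it with the clientAuth EKU.
issue_cert() {   # $1 = username
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -days 30 -extfile client.ext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# Revocation: mark the cert in the CA database and publish a fresh CRL.
revoke_cert() {  # $1 = username
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# What a relying party (web server, OpenVPN) must do: verify chain AND CRL.
cert_status() {  # $1 = username; prints "valid" or "rejected"
  cat ca.crt ca.crl > trust.pem
  if openssl verify -crl_check -CAfile trust.pem "$1.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

issue_cert jdoe;  echo "after issue:  $(cert_status jdoe)"    # valid
revoke_cert jdoe; echo "after revoke: $(cert_status jdoe)"    # rejected
```

A server that skips `-crl_check` (or never refreshes its CRL) keeps accepting a revoked token until the cert expires, which is why revocation only works when every relying party fetches the CRL.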
Current thread:
- Two factor authentication questions Wayne J. Hauber (Oct 13)
- Re: Two factor authentication questions Scott Dier (Oct 13)
- Re: Two factor authentication questions Greg Vickers (Oct 13)
- Re: Two factor authentication questions Mike Wiseman (Oct 14)