Educause Security Discussion mailing list archives

Re: Two factor authentication questions


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 14 Oct 2009 09:00:10 -0400


My IT organization is considering two factor authentication. We have
not been able to implement a central PKI environment. Lacking a
central certificate structure, we decided to begin the project with a
review of products that use tokens with rapidly changing passwords.
We completed a very detailed review of a product that used password
tokens and provided limited integration with Windows/Active Directory
but very good integration with RACF. The first product was
substandard. We will be reviewing RSA's product next.

A few of us old-time Windows consultants have been critical of solutions
that grafted their own GINA (login environment) and schema onto
Windows Active Directory. These products didn't offer a very
comprehensive solution.

Some solutions were very Windows-centric and ignored IBM RACF, Mac OS
and Linux. We need to consider all of these systems too.

We suspect that our first recipients of two factor authentication
will be important system admins and important campus data stewards.
That user group has not been finalized.

A number of you have been using two factor authentication for a long
time. I have questions:

1. What product are you using?

My institution currently uses the RSA SecurID pinpad token/server product for staff access to ERP and student records
systems only (2500 users). Strong security, but expensive and I'd like to offer it to a wider group. A couple of years
ago we started looking at alternatives and chose to pursue an X.509 PKI/smart card project: OpenCA, some locally
developed tools to do cert enrolment, renewal, temporary access and smart card password recovery, and the Aladdin
(Safenet now) eToken. Why? Good client support for X.509 authentication: TLS client auth in web servers, OpenVPN which
we use to shim legacy apps that don't support X.509, great support in Microsoft domain environments, desktop login,
RDC, admin login. Also, support for MacOS, Linux but I haven't done much there. RACF supports X.509 I believe.

As a central IT person, theoretically, I can run the issuance, renewal, revocation, and other token needs services but 
stay out of the application server authentication interface - the local IT staff can manage authorization and the 
authentication configuration.

We have a pilot group of about 60 people doing application authentication. There's another group of about 20 running a 
separate CA (issued by an internal root CA) and doing Windows domain admin access. The Windows CA environment looks a 
lot easier to use than my setup - I may move to that at some point.



2a. Does it use native Windows two factor authentication support?
2b. Or does it require you to push out a separate GINA (login
interface) and special active directory schema changes?
3. Is it a Windows only product? Or will it handle Linux, Mac OS and
IBM RACF too?
4. Finally, what sort of initial user group have you chosen for the
project? (for example: System admins only?, system admins and
important data stewards?, all of campus?)

Your experience will be valuable to our 2 factor authentication committee.


Mike



Mike Wiseman
Manager, Network & Server Security
Department of Information Security
University of Toronto
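As an added illustration of the split described above (not code from Mike's setup, OpenCA or any product named in the thread), this Go program builds a constructed campus root CA and one user certificate, then shows the application-server check that local IT would configure without involving the CA operator: chain to the campus root only, TLS client-auth EKU and validity window enforced, and only a verified subject looked up in a local role table. The CA name, the user "alice" and the role table are all made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl under parent with signer (self-signed when signer is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoPKI plays the central CA: a made-up campus root and a one-year client-auth certificate
// for the made-up user "alice" (serial 1001). No real institution's CA, names or serials are used.
func BuildDemoPKI(now time.Time) (ca, alice *x509.Certificate) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	alice, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return ca, alice
}

// Authenticate is the application server's side, configured by local IT: the presented certificate must chain
// to the campus root alone and be valid for TLS client auth at `now`; only then is the local role table consulted.
func Authenticate(ca, cert *x509.Certificate, now time.Time, roles map[string]string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // expired (renewal due), issued by another CA, or not a client-auth certificate
	}
	if role, ok := roles[cert.Subject.CommonName]; ok {
		return role, nil
	}
	return "", errors.New("authenticated, but not authorized on this system")
}
```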
