Re: Two-factor Authentication

[Josh Drummond <jdrummon () UCI EDU>]

I looked into the possibilities of two-factor authentication being 
implemented with Google Authenticator / OATH protocols recently too.  It 
is simple to configure on a single machine, using an open standard, and 
its free, who can beat that.  But then I started thinking about 
enterprise wide deployment and how it compares with <insert vendor 
here>.  It is missing the infrastructure that you'd have to build 
yourself (or would make a great separate open source application I have 
yet to find) for centrally managing identities, provisioning them to a 
system, giving users a web based interface to install the seed or QR 
code onto their mobile device, activate/deactivate/regenerate the Google 
authenticator "backup codes", and then provision those out to the 
endpoints, etc.  Of course all of the Google services have this under 
the umbrella of the account security options, but that can't be reused 
for your systems.  In short, a lot of the pieces are there, it would be 
interesting to see it fully baked in an enterprise environment.

Thanks,
~Josh

On 1/15/13 3:45 PM, Drew Perry wrote:
> We are in the process of implementing Google Authenticator for 
> 2-factor authentication in both SSH and VDI authentication. A big 
> reason for choosing Google was, as a Google Apps for Education user, 
> we were already using it for email auth. And secondly, it's free. That 
> being said we have not finished implementation, so I may have more 
> thoughts at week's end.
>
> Sent from my phone.
>
> Drew Perry
> Security Analyst
> Murray State University
> (270) 809-4414
> aperry () murraystate edu <mailto:aperry () murraystate edu>
>
> On Jan 15, 2013 4:54 PM, "JR Ramirez" <jrramirez30 () gmail com 
> <mailto:jrramirez30 () gmail com>> wrote:
>
>     We currently use SafeNet SafeWord to provide stand-alone RADIUS
>     authentication for our PCI environment (we are planning to
>     integrate with our AD).  We currently use Citrix as the front-end
>     web piece; our Network Team also tie in their PCI network devices.
>      SafeNet is in the top quadrant on the Gartner scale and works
>     fairly well for us -- they have soft token apps for Blackberry and
>     iPhone (not sure about Android).
>
>     JR
>
>
>     On Tue, Jan 15, 2013 at 3:25 PM, Wright, A J (A. J.)
>     <ajw () tennessee edu <mailto:ajw () tennessee edu>> wrote:
>
>         Obviously, we first prioritized moving our SAQ-D systems to
>         less risky processes that don’t require MFA.
>
>         For the ones that were left, we’ve used Duo Security’s MFA
>         solution.  It has been pretty painless: inexpensive, easy to
>         manage, and it does what it says on the tin.  I like it enough
>         that we’re considering implementing it elsewhere.
>
>         Countdown to the Duo sales call …
>
>         ajw
>
>         --
>
>         *A. J. Wright
>         *Chief Information Security Officer
>
>         University of Tennessee – System Administration
>         2309 Kingston Pike, Suite 131C
>         Knoxville, TN  37996-1717
>         Phone: 865-974-0637 <tel:865-974-0637>
>
>         Email: ajw () tennessee edu <mailto:ajw () tennessee edu>
>
>         *From:*The EDUCAUSE Security Constituent Group Listserv
>         [mailto:SECURITY () LISTSERV EDUCAUSE EDU
>         <mailto:SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of
>         *McClenon, Brady
>         *Sent:* Tuesday, January 15, 2013 1:42 PM
>         *To:* SECURITY () LISTSERV EDUCAUSE EDU
>         <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
>         *Subject:* [SECURITY] Two-factor Authentication
>
>         I’m wondering if anyone is willing to share what
>         methods/products their institution is using to facilitate
>         two-factor authentication for PCI-DSS compliance, or I suppose
>         even if your usage has nothing to do with PCI.
>
>         Brady McClenon
>
>         Senior Server Administrator
>
>         Applications Research & Development
>
>         Information Technology Services
>
>         SUNY College at Oneonta
>
>         607-436-3203 <tel:607-436-3203>
>
>         “Quotes found on the internet are not always accurate.”  -
>         Abraham Lincoln

--
*Josh Drummond*
Manager - IT Security & Architecture
Office of Information Technology
University of California, Irvine
Email: jdrummon () uci edu <mailto:jdrummon () uci edu>
Phone: 949.824.9574