Re: Recommendation for a good two-factor authentication product



On Aug 2, 9:19 am, Vin McLellan <vin.mclel...@xxxxxxxxx> wrote:
"DLN" <dnadon_no...@xxxxxxxxxxx> queried the Listocracy:

I'm wondering if anybody out there can recommend a good
two-factor authentication solution that meets the following
criteria:

1. Accommodates domain level logons
2. Can be used to secure custom IIS applications
3. Can be used to secure OWA
4. Can be used for VPN authentication
5. Scales so that one or more authentication servers can be
placed in multiple sites (both for redundancy and load
balancing).
6. Excellent customer support (with some of the solutions
I've been testing with, customer support is severely lacking)

Hi DLN, Steve:

Since DLN asked specifically about the RSA story, I'll claim some
bandwidth to sort that out. I've been a consultant to RSA for many
years, and I'm obviously biased -- but your RSA salesperson or SSE
should be able to offer more detail on all of these points. E-mail me
directly if you need a higher-level RSA contact.

Let me parse the RSA options, pegged to your criteria:

1. Accommodates domain level logons?

RSA provides three kinds of solutions here. One is based on SecurID with
RSA's Local Authentication Client. The second is PKI. The third is a
hybrid.

1) SecurID solution with Local Authentication client

With this RSA agent installed on the machine, any local or domain user
account can be configured to be challenged with SecurID two-factor
authentication (2FA). The RSA agent can also be configured to include
the domain name in the login ID sent to server if the AuthMgr data is
organized for it. (The AuthMgr user data can be synchronized with AD
to have the AM database users automatically created.)

The point of enforcement is at the local machine, not at the domain
controller. This means that if the user knows his password and there is
a machine that does not have the agent installed, he would be able to
log in.

(RSA, for several years, sold a solution that implemented domain
enforcement of the SecurID authentication, however it turned out to
not scale. Some competitors copied that architecture, and built the
same offering. RSA's evaluation of these products is that they will
inevitably experience same scalability issues that bedeviled RSA's
solution, since the OS integration points are the same.)

If the end users are not required to know their Windows' passwords for
use with other applications, the user passwords can be "hardened."
With RSA's latest agent hot-fix rollup -- to be releasing this month
-- there will also be a capability to capture password changes on the
domain controllers and replicate them to the RSA Authentication
Manager.

This is the sequence of operations that would protect the domain from
a user who sought to access it with just a password.

Initial state:
User has a Windows password and no software is installed on the client
machines

A) User is provisioned with a SecurID token
B) Client software is installed
C) User (via groups) is configured to pass SecurID and a PIN (2FA)
upon desktop logon
D) User starts using his token and submits his 2FA passcode
E) User is prompted for a Windows' password
F) With the login password integration feature enabled on the RSA
Authentication Manager, the Windows' password will be captured and
stored in the RSA Authentication Manager database for the future use.
Next time, the user will not be prompted for a password since the
system already knows it and will use it behind the scenes.
G) If the RSA agent is not installed on the system, the password can
be used to log into such system. (To prevent this, the Admin can
either install agent or centrally change the user password to
something long and strong so that user does not know it any more.)
RSA's new password-filter component, available this month, will
automatically replicate all the password changes made centrally. This
means that next time the user logs into the system he will use his
SecurID token... and his updated Windows' password will be supplied by
the server.

This RSA SecurID solution provides a transparent user experience, both
when a user is connected to the network, and when he is working off-
line.

2) PKI solution

RSA has a solution that allows using a certificate on the smart card
for the windows logon. There are a couple of different options. One,
with RSA Authentication Client, allows local management of the
certificates on the smart card. Another, with the RSA Card Manager,
allows centralized management of a large smart card deployment.

3) Hybrid

The RSA SID800 token, a SecurID in a USB plug, can act as a hand-held
OTP token and/or as a USB-format "smart card." This allows RSA's
customers to use a SID800 as a hand-held token for remote access via
VPNs and Web, while still providing USB "smart card" functionality for
boot encryption, signing e-mails, or desktop certificate logons.

2. Can be used to secure custom IIS applications?

The RSA Authentication Agent for Web can protect any application
running inside IIS with SecurID authentication. The RSA Access Manager
Agent can also provide access control to different web resources.

3. Can be used to secure OWA?

Yes, with the RSA Authentication Agent for Web. MSFT even provides a
guide for this at:
<http://www.microsoft.com/technet/isa/2004/owapubwithrsasecurid.mspx>.

4. Can be used for VPN authentication?

RSA provides a plug-in for the Microsoft VPN. Most (all?) major VPN
vendors support SecurID authentication. These vendor partnerships are
among RSA's greatest strengths. For documentation from other prominent
VPN vendors, see:

Cisco:
<http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/osxguide/connect.htm>
Juniper:
<http://www.juniper.net/solutions/literature/solutionbriefs/351051.pdf>
F5:
<http://www.f5.com/solutions/sb/securid_sb.html>
Celestix:
<http://www.celestix.com/press/pressrelease.asp?SRC=pr050304.htm>
CheckPoint:
<http://www.checkpoint.com/press/2006/rsa_021406.html>

5. Scales so that one or more authentication servers can be placed in
multiple sites (both for redundancy and load balancing)?

RSA supports one Primary Server and up to 10 Replicas. The RSA agent
provides built-in support for load-balancing, server fail-over, and
the discovery of new servers.

6. Excellent customer support?

RSA Customer Support is 24x7. There are probably third-party
evaluations available somewhere, but the RSA folks are very proud of
their professionalism and the evaluations they get from their
customers in surveys.

Hope this is helpful.

Suerte,
_Vin

This is a nice summary of the RSA story, but I feel compelled to
comment on one part of the answer:

(RSA, for several years, sold a solution that implemented domain
enforcement of the SecurID authentication, however it turned out to
not scale. Some competitors copied that architecture, and built the
same offering. RSA's evaluation of these products is that they will
inevitably experience same scalability issues that bedeviled RSA's
solution, since the OS integration points are the same.)

With all due respect, this is because RSA (and apparently everyone
else) didn't use the correct solution. While working with a 2 factor
ISV, my team implemented a solution that enforces use of the 2 factor
authentication mechanism and it scales just fine. There is, of course,
a small bandwidth and CPU impact on the domain controller, but it is a
percentage of the resources consumed by any authentication attempt. In
other words, yes it is possible to implement such a feature in a
manner that will not scale, but it is not necessarily the case that
any such implementation will not scale.

As a security person, I find this to be an important aspect of the
overall solution. If the 2 factor solution can be circumvented simply
by removing or disabling the client-side component, then it isn't much
of a security solution IMO.


HTH,
Dave
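The enforcement-point question that Vin's steps A-G and Dave's reply turn on (agent-side enforcement can be walked around on a machine without the agent unless the user's Windows password is "hardened" centrally) is easy to see in a small model. The following is an added example written for this thread; it is not code from either poster, from RSA, or from any 2FA vendor. It assumes a generic RFC 4226/6238-style HMAC one-time code with a PIN prefix as a stand-in for a token passcode (SecurID's own token algorithm is different and is not modelled), a constructed `AuthServer` that stores the user's Windows password and releases it only after a successful passcode check, and a `DomainController` that, like a DC with no 2FA integration, checks only a password. User names, PINs, timestamps and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): counter is the current 60 s time step."""
    return hotp(secret, int(at_time // step), digits)


class AuthServer:
    """Constructed stand-in for a central authentication server (not RSA's AM)."""

    def __init__(self):
        self.users = {}  # name -> {secret, pin, pw, last_counter}

    def enroll(self, name: str, pin: str, windows_password: str) -> bytes:
        """Steps A/E/F: issue a token secret and record the user's current Windows password."""
        secret = secrets.token_bytes(20)
        self.users[name] = {"secret": secret, "pin": pin, "pw": windows_password, "last_counter": -1}
        return secret

    def verify_passcode(self, name: str, passcode: str, at_time: int, step: int = 60) -> bool:
        """Passcode = PIN + one-time code; a code is accepted once per time step (replay rejected)."""
        u = self.users.get(name)
        if u is None:
            return False
        pin, code = passcode[:len(u["pin"])], passcode[len(u["pin"]):]
        counter = int(at_time // step)
        ok = (hmac.compare_digest(pin, u["pin"])
              and hmac.compare_digest(code, hotp(u["secret"], counter))
              and counter > u["last_counter"])
        if ok:
            u["last_counter"] = counter
        return ok

    def release_password(self, name: str, passcode: str, at_time: int):
        """Step F: the stored Windows password is handed to the agent only after a passcode check."""
        return self.users[name]["pw"] if self.verify_passcode(name, passcode, at_time) else None

    def harden_password(self, name: str) -> str:
        """Step G mitigation: replace the password centrally with one the user never learns."""
        new_pw = secrets.token_urlsafe(32)
        self.users[name]["pw"] = new_pw
        return new_pw


class DomainController:
    """Password-only logon, as a DC with no 2FA enforcement of its own behaves."""

    def __init__(self):
        self.passwords = {}

    def set_password(self, name: str, pw: str) -> None:
        self.passwords[name] = pw

    def logon(self, name: str, pw: str) -> bool:
        stored = self.passwords.get(name)
        return stored is not None and hmac.compare_digest(stored, pw)


def logon_with_agent(server: AuthServer, dc: DomainController, name: str, passcode: str, at_time: int) -> bool:
    """Machine with the agent: passcode first, then the server-supplied password goes to the DC."""
    pw = server.release_password(name, passcode, at_time)
    return pw is not None and dc.logon(name, pw)


def logon_without_agent(dc: DomainController, name: str, password_user_knows: str) -> bool:
    """Machine without the agent: only whatever password the user knows reaches the DC."""
    return dc.logon(name, password_user_knows)


def demo() -> dict:
    """Walk through steps A-G and return what each logon path yields."""
    server, dc = AuthServer(), DomainController()
    user_known_pw = "Winter2007!"                      # constructed sample password
    secret = server.enroll("dln", "1234", user_known_pw)
    dc.set_password("dln", user_known_pw)
    t = 1_186_000_000                                  # constructed timestamp (seconds)
    passcode = "1234" + totp(secret, t)
    results = {}
    results["agent_ok"] = logon_with_agent(server, dc, "dln", passcode, t)
    results["replay_rejected"] = not logon_with_agent(server, dc, "dln", passcode, t)
    # Before hardening, the user-known password alone still works on an agentless machine.
    results["bypass_before_hardening"] = logon_without_agent(dc, "dln", user_known_pw)
    # Central password change, replicated to the DC (the password-filter idea in step G).
    dc.set_password("dln", server.harden_password("dln"))
    results["bypass_after_hardening"] = logon_without_agent(dc, "dln", user_known_pw)
    t2 = t + 60                                        # next time step, fresh code
    results["agent_ok_after_hardening"] = logon_with_agent(server, dc, "dln", "1234" + totp(secret, t2), t2)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes Dave's point concrete: the DC itself never checks the second factor, so the only thing keeping an agentless machine out is that the user no longer knows a password the DC will accept. Enforcing the second factor at the DC, as Dave's team did, removes that dependency on the client-side component.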
