Re: Recommendation for a good two-factor authentication product



Vin McLellan (me) wrote:

(RSA, for several years, sold a solution that implemented domain
enforcement of the SecurID authentication; however, it turned out not
to scale. Some competitors copied that architecture and built the
same offering. RSA's evaluation of these products is that they will
inevitably experience the same scalability issues that bedeviled RSA's
solution, since the OS integration points are the same.)

DaveMo, steeped in his experience as a MS developer and program
manager, responded:

With all due respect, this is because RSA (and apparently everyone
else) didn't use the correct solution.

And, pray tell, whose fault was that? I was working for the govt
while this solution was in development, but I came back to work for
RSA, as a consultant, on the day this product was announced. I well
remember the RSA product manager celebrating the close working
relationship between his developers and their counterparts at MS.
As scaling issues arose, it also became clear that the MS folks RSA
had worked with were as surprised and dismayed as the RSA guys in
Bedford. At the time, it didn't seem that anybody speaking for MS
knew anything about any alternative interface options.

While working with a 2 factor
ISV, my team implemented a solution that enforces use of the 2 factor
authentication mechanism and it scales just fine.

As you noted, there were a whole bunch of companies which apparently
took the wrong turn. Can you please point to the interfaces that
would allow anyone to most effectively implement centrally-managed
2FA? I trust they are public and accessible to anyone who can
search MSDN? Or maybe not?

As a security person, I find this to be an important aspect of the
overall solution. If the 2 factor solution can be circumvented simply
by removing or disabling the client-side component, then it isn't much
of a security solution IMO.

I'm sure your guidance on interface options will be appreciated by a
lot of other security persons, both within MS and without.

I take mild umbrage at your suggestion that the alternatives RSA came
up with are somehow lacking in effective access control. With either
RSA's certificates or with the "hardened" passwords in play, "removing
or disabling" the client-side component from the end-point machine will
not allow an attacker illicit access to the protected resources. I
think this is apparent to most objective observers. Customers buy it.

RSA, I humbly suggest, has a suite of effective solutions for Microsoft
Windows. There are different RSA Authentication Agents that play within
these solutions to provide trustworthy 2FA access controls for the
enterprise: remote, local, and web access.

Suerte,
_Vin
