Multifactor Authentication

apoole15

Hey everyone -

So after being off for the last week for my annual vacation, I was notified this morning that I need to come up with a multifactor authentication solution for our organization. I need to provide at least 3 viable options on Friday.

Our organization deals in the healthcare industry and this request stems from the data breach Aetna experienced. We have around 400 employees with around 100 working remotely across the US. We send our remote workers home with thin client devices (mostly 10-Zig) and VOIP phones.

I know every environment is different, etc. but I am looking for recommendations for multifactor authentication solutions that may work in my environment. My VMware environment (including Horizon) is hosted on a Cisco UCS and a Dell M1000e chassis. We use Avaya for our phone system.

Any solutions you guys can suggest I research would be fantastic!

Thanks!

PJ_Sneakers

Is this kind of like what you're looking for? Two-Factor Authentication - e-Identity - PKI Solutions

fuz1on

This is actually a pretty important topic/thread! I've seen many job openings call for Multi-factor Auth and/or SSO. I'm pretty curious about best practices and techniques.

colemic

Look at RSA as well... no idea whether it would be a fit for you or not, but it is a pretty popular option.

Chivalry1

I think given your time frame RSA is probably be your best option. RSA integration and setup is fairly easy and quick. In my experience, other multi factor authentication providers/application sometime have problems intergrating with other various applications. Seems you can always find documentation of apps integrating with RSA. Cant really beat the RSA SecureID soft-token. Available on virtual any platform or mobile device.

However Microsoft Azure Multi-factor Authentication has been making great strides. But requires a little more planning and design.

apoole15

Thanks for the advice. A friend of mine also suggested looking into https://www.duosecurity.com Does anyone have experience with them? Ease of implementation/use and what their support is like?

Thanks again everyone or your advice! It's nice to know there's such a great community willing to help each other out - not just with achieving certifications but with anything IT related.

colemic

OP, what recommendations did you make, and what did you implement?

SecureWorks uses Duo and I am seriously considering putting a demo in to try and replace RSA... their pricing model sucks, since it's subscription based, it will cost more in the long run, but that can be overcome by the ease of use vs. RSA tokens.

It's basically a phone app, you click yes or no when you log in, and logs you in automatically. No need for an RSA pincode to remember! Just click the big green button! My users would love that. I am all about ease of use that maintains the same functionality.

philz1982

apoole15 wrote: »

Hey everyone -

So after being off for the last week for my annual vacation, I was notified this morning that I need to come up with a multifactor authentication solution for our organization. I need to provide at least 3 viable options on Friday.

Our organization deals in the healthcare industry and this request stems from the data breach Aetna experienced. We have around 400 employees with around 100 working remotely across the US. We send our remote workers home with thin client devices (mostly 10-Zig) and VOIP phones.

I know every environment is different, etc. but I am looking for recommendations for multifactor authentication solutions that may work in my environment. My VMware environment (including Horizon) is hosted on a Cisco UCS and a Dell M1000e chassis. We use Avaya for our phone system.

Any solutions you guys can suggest I research would be fantastic!

Thanks!

Open source or paid solutions?

JBrown

apoole15 wrote: »

Thanks for the advice. A friend of mine also suggested looking into https://www.duosecurity.com Does anyone have experience with them? Ease of implementation/use and what their support is like?

Thanks again everyone or your advice! It's nice to know there's such a great community willing to help each other out - not just with achieving certifications but with anything IT related.

Duo is quite easy to implement with VPN, RDP, and even Horizon View. I have a Terminal Server running with Duo on it. took about 30 mins to setup. Depends how you configure it,but my RDP env setup the following way, a user logs in with his username/password, DUO intercepts the logon, sends an Aprove/Deny request to your (user's) phone. You (as the user, not administrator) must allow or deny the request for a user (yourself) to be able to log in.
You could set it up with a View as well, where you will need to pin in your code as 2nd password, before it lets you pass the login screen.

they have great manuals, get a 30 day trials, takes 2 mins to sign up.

NetworkNewb

Nice, that does sound pretty slick ^

joebanny

I actually completed a 6 months project to implement MFA for the cloud application I manage recently here is my take on this and a few suggestions.
Multifactor Authentication (MFA) is an improved, more secured authentication mechanism over the single factor authentication (SFA) such as a username/password option. MFA must be at least 2 factors, but can be 3 or more.

The implementation must use a combination of the following:

1) What the user knows- e.g. password, PIN, passphrase
2) What the user has- Cellphone, PIV card,
3) what the user is- Biometric such as Retina, Thumbprint etc

1) If you're talking about a government environment, the easiest way to meet MFA is PIV cards. All government agencies are mandated to implement HSPD-12 (PIV authentication) requirement for MFA - a requirement for more than 10 years. However not all are compliant despite the long time requirement. Typically most agencies would have the cards in place and the capabilities for MFA enabled, in theory, you should be able to work with agencies POCs to make MFA happen in a short while (there is a few things to be done here).

2) But it sounds like you're not dealing with a government environment and my next suggestion will be to use Time-based one time token (TOTP) over the username/password in place. Simply speaking, TOTP will require a SMS token to be sent over a cellphone (something you have) to be used with the default username/password already in place.

There are many solutions out there, you will have to see what works for you and what is affordable but this is relatively simply and affordable process.
I like TOTP/SMS because most people already have a cellphone that they can register to obtain the SMS code. There is a minor cost of sending SMS with most organizations can easily pick up.

Someone mentioned RSA above, this is good but very expensive, one RSA tokens costs over $50!

All the best on your project.