Multifactor Authentication

apoole15 Member Posts: 64
Hey everyone -

So after being off for the last week for my annual vacation, I was notified this morning that I need to come up with a multifactor authentication solution for our organization. I need to provide at least 3 viable options on Friday.

Our organization deals in the healthcare industry and this request stems from the data breach Aetna experienced. We have around 400 employees with around 100 working remotely across the US. We send our remote workers home with thin client devices (mostly 10-Zig) and VOIP phones.

I know every environment is different, etc. but I am looking for recommendations for multifactor authentication solutions that may work in my environment. My VMware environment (including Horizon) is hosted on a Cisco UCS and a Dell M1000e chassis. We use Avaya for our phone system.

Any solutions you guys can suggest I research would be fantastic!

Thanks!

Comments

  • PJ_Sneakers Member Posts: 884
  • fuz1on Member Posts: 961
    This is actually a pretty important topic/thread! I've seen many job openings call for Multi-factor Auth and/or SSO. I'm pretty curious about best practices and techniques.
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • colemic Member Posts: 1,569
    Look at RSA as well... no idea whether it would be a fit for you or not, but it is a pretty popular option.
    Working on: staying alive and staying employed
  • Chivalry1 Member Posts: 569
    I think given your time frame RSA is probably your best option. RSA integration and setup is fairly easy and quick. In my experience, other multi-factor authentication providers/applications sometimes have problems integrating with various other applications. Seems you can always find documentation of apps integrating with RSA. Can't really beat the RSA SecurID soft-token. Available on virtually any platform or mobile device.

    However, Microsoft Azure Multi-factor Authentication has been making great strides, but it requires a little more planning and design.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
  • apoole15 Member Posts: 64
    Thanks for the advice. A friend of mine also suggested looking into https://www.duosecurity.com. Does anyone have experience with them? Ease of implementation/use, and what is their support like?

    Thanks again everyone for your advice! It's nice to know there's such a great community willing to help each other out - not just with achieving certifications but with anything IT related.
  • colemic Member Posts: 1,569
    OP, what recommendations did you make, and what did you implement?

    SecureWorks uses Duo and I am seriously considering putting a demo in to try and replace RSA... their pricing model sucks; since it's subscription based, it will cost more in the long run, but that can be overcome by the ease of use vs. RSA tokens.

    It's basically a phone app: you click yes or no when you log in, and it logs you in automatically. No need for an RSA pincode to remember! Just click the big green button! My users would love that. I am all about ease of use that maintains the same functionality.
    Working on: staying alive and staying employed
  • philz1982 Member Posts: 978
    apoole15 wrote: »
    Hey everyone -

    So after being off for the last week for my annual vacation, I was notified this morning that I need to come up with a multifactor authentication solution for our organization. I need to provide at least 3 viable options on Friday.

    Our organization deals in the healthcare industry and this request stems from the data breach Aetna experienced. We have around 400 employees with around 100 working remotely across the US. We send our remote workers home with thin client devices (mostly 10-Zig) and VOIP phones.

    I know every environment is different, etc. but I am looking for recommendations for multifactor authentication solutions that may work in my environment. My VMware environment (including Horizon) is hosted on a Cisco UCS and a Dell M1000e chassis. We use Avaya for our phone system.

    Any solutions you guys can suggest I research would be fantastic!

    Thanks!

    Open source or paid solutions?
  • JBrown Member Posts: 308
    apoole15 wrote: »
    Thanks for the advice. A friend of mine also suggested looking into https://www.duosecurity.com. Does anyone have experience with them? Ease of implementation/use, and what is their support like?

    Thanks again everyone for your advice! It's nice to know there's such a great community willing to help each other out - not just with achieving certifications but with anything IT related.

    Duo is quite easy to implement with VPN, RDP, and even Horizon View. I have a Terminal Server running with Duo on it; it took about 30 mins to set up. It depends how you configure it, but my RDP env is set up the following way: a user logs in with his username/password, Duo intercepts the logon and sends an Approve/Deny request to your (the user's) phone. You (as the user, not administrator) must allow or deny the request for a user (yourself) to be able to log in.
    You could set it up with View as well, where you will need to enter your code as a 2nd password before it lets you pass the login screen.

    They have great manuals; get a 30-day trial, it takes 2 mins to sign up.
  • NetworkNewb Member Posts: 3,298
    Nice, that does sound pretty slick ^
  • joebanny Member Posts: 84
    I actually recently completed a 6-month project to implement MFA for the cloud application I manage; here is my take on this and a few suggestions.
    Multifactor Authentication (MFA) is an improved, more secure authentication mechanism over single-factor authentication (SFA) such as a username/password. MFA must be at least 2 factors, but can be 3 or more.

    The implementation must use a combination of the following:

    1) What the user knows, e.g. password, PIN, passphrase
    2) What the user has, e.g. cellphone, PIV card
    3) What the user is, e.g. biometrics such as retina, thumbprint, etc.

    1) If you're talking about a government environment, the easiest way to meet MFA is PIV cards. All government agencies are mandated to implement the HSPD-12 (PIV authentication) requirement for MFA - a requirement for more than 10 years. However, not all are compliant despite the long-standing requirement. Typically most agencies would have the cards in place and the capabilities for MFA enabled; in theory, you should be able to work with agency POCs to make MFA happen in a short while (there are a few things to be done here).

    2) But it sounds like you're not dealing with a government environment, and my next suggestion will be to use a Time-based one-time token (TOTP) over the username/password in place. Simply speaking, TOTP will require an SMS token to be sent to a cellphone (something you have) to be used with the default username/password already in place.

    There are many solutions out there; you will have to see what works for you and what is affordable, but this is a relatively simple and affordable process.
    I like TOTP/SMS because most people already have a cellphone that they can register to obtain the SMS code. There is a minor cost of sending SMS which most organizations can easily pick up.

    Someone mentioned RSA above; this is good but very expensive, one RSA token costs over $50!

    All the best on your project.