2 factor authentication for VPN access

rcalabro · ‎08-03-2006

What do you consider "two factor" authentication? We currently use Cisco 3000 series VPN concentrators with RADIUS to the NT domain authentication. Our security group wants us to start using SecurID tokens, which I am all for. Unfortunately, Cisco does not support 2 methods at the same time.

The way the RSA token works is that you are prompted for a username to which you respond with your 4-6 character pin and the rotating number on your token.

What I want is to be prompted for a username/password using domain credentials via RADIUS, then a handoff for additional authentication using the RSA token. I consider that to be 2 factor authentication.

I see changing over to the SecurID tokens as the same or even perhaps a little lower security that a plain old username/password authentication. I say worse because I can see people writing their pins (remember, it is just a 4 digit numerical only PIN) on the token. If it is found, the bad guy now has physical access to the network (until the token is invalidated). Our regular password policy is strong.

Does anyone know a VPN system that accepts 2 different authentication methods? Does Checkpoint support this?

Oh and BTW: The RSA system is $180,000.

rmeans · ‎08-03-2006

Wikipedia has a nice explanation for two-factor authentication.

http://en.wikipedia.org/wiki/Two-factor_authentication

?The way the RSA token works is that you are prompted for a username to which you respond with your 4-6 character pin and the rotating number on your token.?

The SecurID token as you describe provides two-factor authentication by itself. The username or pin is the ?something you know? and the token is the ?something you have?.

You are absolutely correct to be concerned about users and their handling of security measures. User education and participation are what make a security system successful or fail.

grant.maynard · ‎08-04-2006

RSA is 2-factor authentication, the 2 being the PIN and the keycode. I don't think you can get the user to be authenticated twice on any system, not unless you put some other device inside the VPN device, so they each authenticate separately.

You cannot stop users writing down the PIN, but you can include in your Security Policy something about it being a discilinary offence to do so, and all losses must be reported immediately to IT Dept. Nor should users keep the RSA token in their laptop case. Any security setup can be weakened by users doing something daft, so you have to educate and, if that fails, remove their rights or discipline them. Of course this requires the support of the big cheeses.

A strong password can still be written down (maybe it's more likely to be) and I do believe 2-factor authentication adds something. Shame about the cost.

rcalabro · ‎08-04-2006

I understand that "technically" SecurID is 2 factor authentication. But do people really go to bed at night thinking that this is any more secure than username/password? I do not. At the best it is just as secure, maybe a smidgen better. So is this just managerware? Also it appears that you need to dump your entire RADIUS infrastructure as you no longer need it (plus the RSA server is also a RADIUS server). I just really don't think that this system is worth the money for marginally better security and a LOT more management dealing with lost, stole, forgotten or invalidated hardware keys. Plus are people aware that the RSA keys do not have replaceable batteries? When they die, they are discarded and you PURCHASE new ones from RSA.

This whole thing reeks of scam.