Re: 2 Factor Authentication with VPN

From: Nick Owen (nickowen_at_yahoo.com)
Date: 02/18/04


Date: 18 Feb 2004 14:20:22 -0800

Stan:

I once heard a security guy call certificates "1 and a half
authentication". I guess it depends on who you're talking to. In most
cases, certs aren't workable because you can't install them everywhere
and if your users want to use a kiosk for example, certs are out. I
don't have a lot of experience with them, but people seem to have a
lot of trouble with them - anecdotally at least. From a security
perspective, if the cert is cloned, it can be brute-force attacked.
I would also suspect that initial validation, the process of assuring
that the right person gets the right cert is awkward with certs though
certainly less awkward than a hardware-based token - the analysts will
tell you that costs $15 a pop in soft & hard costs.

You also don't get a lot of other benefits from certs. For example,
if you wanted to allow customers, vendors, consultants, etc access to
your network with strong authentication, you probably couldn't put
certs on their machines. Increasingly, cross-enterprise
authentication is cropping up as a problem
(http://www.wired.com/news/privacy/0,1848,59024,00.html).

Here is a link to a paper on how to evaluate two-factor authentication
systems based on relative security, operational factors and financial
impacts:
http://www.wikidsystems.com/WiKIDReviewersGuidev1.pdf. Perhaps it
will be helpful.

Nick Owen

--
WiKID Systems, Inc.
http://www.wikidsystems.com
The End of Passwords

"stan" <no@email.com> wrote in message news:<ep9N4nZ9DHA.2404@TK2MSFTNGP12.phx.gbl>...
> Hello All:
> 
> Can anyone suggest the best method to accomplish 2 factor authentication for
> VPN clients? I have tried using Microsoft Certificate Services and can't
> quite get it working.  I have certificate server setup, can issue
> certificate to clients through web.
> But when I try to log in from a client with the certificate installed, I get
> username and or password invalid for domain.
> 
> Can't figure out why. I guess my first question is - will the above satisfy
> 2 factor authentication if I get it working and....what am I doing wrong that
> is causing this password error?? Thanks

