Has anyone successfully deployed 2-factor to their workstations for domain login? I’m looking for experience/recommendations of successful deployments. Did it cost a fortune? Has it been a nightmare for IT support?
I’d really like to do it with something like Yubikeys, but I can’t find much information about how that works with AD logins. Everything seems to be about Windows Hello. Ideally this would be rolled out alongside Windows 10 when we upgrade this year.
jonahzona (jonahzona)
We looked at Yubikeys, but found that the most straightforward way was RSA key fobs. They have a rolling token that the user must enter on the workstation, followed by a PIN, and after that they are prompted for their normal AD login. Cost-effective and straightforward to set up.
Hope that helps.
That definitely beats implementing a smart card infrastructure.
Have you looked at Duo? I’m trialing for AnyConnect and it “just works”
I have to assume they have an AD tie-in too?
RSA Secure ID is tried and trusted.
dbeato (dbeato)
Duo has worked well for me as well and it works through Domain Computers, OWA, RDS and much more.
@Duo_Security Duo Security
I use Duo for personal stuff (no domain) but I do recommend it. Works great on Windows. Linux support was kind of shitty but it worked.
I did Yubikeys at a past org, especially for admin accounts. If you have AD implemented and a working CA living somewhere, it’s really not that tough and they seem to last. I also use mine for LastPass 2FA and have used it for Android 2FA as well.
Of course I came out of DoD where we played the smart card game in a big way. You haven’t lived until you deploy an OCSP infrastructure and know the difference between a responder and repeater. Ahh, my mind is full of useless info.
This thing won’t die and I am not kind to it
The skeleton key is what he really uses 
@erich-knowbe4
Aww man! My secret has been revealed! 
Based on your requirements, you might have a look at AuthLite, which does enterprise integration of YubiKeys into AD.
We use OTP mode (not smartcard) so you can pass 2-factor credentials through any existing software/services. And for secure logon to the workstations while they are offline, we use the challenge/response mode on the YubiKeys.
Also, please don’t forget to encrypt the endpoint drives with BitLocker (to protect against the threat of a thief pulling the drive and reading the data right off it).
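The offline challenge/response mode described in the post above works roughly like this. The following is an added illustration, not code from the thread, AuthLite or Yubico: a simulated HMAC-SHA1 challenge-response slot, and a workstation-side verifier that stores only a challenge and a salted hash of the expected response (never the token secret) and rotates the challenge after every successful logon. Class and function names are my own.

```python
import hashlib
import hmac
import secrets


class SimulatedYubiKey:
    """Stand-in for a YubiKey HMAC-SHA1 challenge-response slot (assumed model).
    The 20-byte secret never leaves the token; only HMAC responses come out."""

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class OfflineVerifier:
    """Workstation-side store for offline logon: per user it keeps a challenge,
    a random salt and SHA-256(salt + expected response), not the token secret."""

    def __init__(self):
        self.state = {}  # username -> (challenge, salt, hex digest)

    def enroll(self, user: str, token: SimulatedYubiKey) -> None:
        # Runs with the token plugged in (at enrollment, or right after a success).
        challenge = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        response = token.challenge_response(challenge)
        self.state[user] = (challenge, salt, hashlib.sha256(salt + response).hexdigest())

    def verify(self, user: str, token: SimulatedYubiKey) -> bool:
        if user not in self.state:
            return False  # fail closed: no enrollment record, no offline logon
        challenge, salt, expected = self.state[user]
        actual = hashlib.sha256(salt + token.challenge_response(challenge)).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
        # Success: immediately rotate to a fresh random challenge while the token
        # is still present, so a captured response cannot be replayed next time.
        self.enroll(user, token)
        return True


if __name__ == "__main__":
    key = SimulatedYubiKey(secrets.token_bytes(20))  # constructed sample token
    verifier = OfflineVerifier()
    verifier.enroll("alice", key)
    print(verifier.verify("alice", key))                                       # True
    print(verifier.verify("alice", SimulatedYubiKey(secrets.token_bytes(20))))  # False
```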
+1 for Duo.
Never been a fan of RSA (even before the 2011 hack that rendered their tokens less than secure).
Lots of good info. Thanks guys. What happens with Duo if it’s offline?
@greg, which model YubiKey does AuthLite require?
dbeato (dbeato)
When it is offline, you have the option to allow login.
Tested DUO, RSA and Vasco for my final exam project.
DUO is nice and I considered it for my personal stuff, but our main problem was that you don’t have something to install locally. I know this sounds weird. Point is: all your data is saved in a cloud and you have to rely on their web frontend, so if something is down, you can’t support your users if you don’t have the precautions. Also, your customers may not like an online hosted solution.
RSA and Vasco offer good service and are easy to set up (if you choose Vasco, make sure that the server’s name that you’re gonna install it on doesn’t start with a number!) and use. RSA is just very expensive, compared to Vasco, so we have Vasco Digipass deployed, complete with AD integration.
Another thing you have to keep in mind: when you’re working with sensitive data, your customers may demand some certifications when it comes to 2FA, like FIPS 140-2. With DUO, you can’t guarantee that when you’re using smartphones as tokens, and even if you use key fobs, you a) have to buy them separately (costs) and b) have to ask the manufacturer about the certs.
With RSA and Vasco, you get the key fobs together with the software (most likely from a local reseller) and they both have FIPS 140-2 certified key fobs.
@Duo_Security
On the same road and tried DUO; my main problem is that it doesn’t provide offline authentication. Currently testing SAASPASS, which is great and provides integration with third-party tokens such as Yubico keys. RSA is great but it can be a bit pricey!
I’ve tried SaasPass which uses a revolving QR code, paired with a mobile device.
You can remotely lock and unlock a PC - Good if you’re remote connecting into it, doesn’t need the QR code.
The mobile app is pretty good, also doubles as a stand-alone authenticator.
Only problem I’ve come across so far is that if it’s installed on a laptop and it loses internet connection for a while, the QR/time doesn’t update and it just won’t unlock.
Only way I’ve found to restore the connection is to do a force-reboot. GREAT if you’ve got documents or other things open - NOT!
Except for the dropped-connection problem, it’s a pretty good solution. Does all the things you’ll need, but as I’ve not used SaasPass on a wired-connection PC yet, I can’t give it a double thumbs up, I’m afraid.
mkstead (Michael9886)
PingID, RSA (hard to manage), Azure, Duo, Secureauth
My first thought regarding this question was what can be done in vanilla AD?
User Identity? ID and Password
User Location? Remote logon, restrict logon times, restrict access to certain pcs using security permission.
But I suppose there are other third-party options… LOL
Happy Monday