Looking for a 2FA solution

riyadlahmer · 2017-10-05T10:30:07.000Z

Hi,

I am currently looking for a 2 factor authentication solution for company. I have tested OpenOTP but the offline authentication to OS login, which is very important for my company, isn’t possible.
So I am asking you, if you know any solution that support OS login with a second factor even when the laptop is offline (for Windows, Linux and Mac OS). Moreover, the solution has to support SAML 2.0 and SSO. And off course, if you have an idea of the price it will be wonderful

Thank you !

brad · 2017-10-05T10:42:14.000Z

Have you looked at Duo? they are pretty much the gold standard in this space Pricing | Duo Security

riyadlahmer · 2017-10-05T10:54:39.000Z

Thank you for your answer,

Apparently offline login with Duo isn’t possible, there is only a way to bypass the 2FA if the server isn’t reachable, which is a problem because is someone steal credentials then he can logon just by disconnected the network access.

For the moment, I have found keyidentity and Deepnet Dualshield that may do the job but I need other solution to compare with.

brad · 2017-10-05T11:00:28.000Z

Looks like they support an offline mode Using Duo without Cellular Service or While Traveling - IT Services

brad · 2017-10-05T11:00:29.000Z

Sounds like it is Using Duo without Cellular Service or While Traveling - IT Services

zachkoppolin · 2017-10-05T11:01:19.000Z

Possibly the YUBIKEY product, but not sure bout that.

scottbrindley · 2017-10-05T11:03:44.000Z

In the past I used the RSA solution , which good especially as you could have software tokens which could easily be installed onto a smartphone.

bryandoe · 2017-10-05T11:06:59.000Z

I asked this recently, with similar requirements, and Duo was the overwhelming answer as well. I’ve heard offline is coming for them.

riyadlahmer · 2017-10-05T11:19:15.000Z

We may use yubikey but only as a token for other solution. The idea is that we give to our staff members the possibilty to choose the token they want (smartphone app or Yubikey).

I emailed Duo’s support to get more informations

zachkoppolin · 2017-10-05T11:48:19.000Z

Another option you may want to investigate is the use of Google Authenticator app on mobile device. I know for a fact that Google Authenticator works well in our Linux Environment. We have it set up with GDM as well as LightDM. user types username and then enters password, then get pop up to enter google auth code. then it lets them login. the YubiKey model we use is similar save for the fact that the YubiKey folks just insert the key into usb port then tap the button, and they are in.and both work with FDE as well. Though I was not part of the set up process.

greg-collective-software · 2017-10-05T12:14:29.000Z

AuthLite can support YubiKeys and Google Authenticator for offline logon to Windows workstations.

riyadlahmer · 2017-10-05T13:44:45.000Z

The problem with Authlite is that it’s not compatible with Linux and MacOS and around 50% of our users use these OS.

I have tested Duo but as I tought, offline log in isn’t possible when it’s the workstation that is offline. It is only possible when the smartphone is offline.

When you try to login while offline, it says that there is an error communicating with the Duo authentication server

greg-collective-software · 2017-10-05T14:14:35.000Z

Not to imply that it’s going to be a perfect fit for you (it sounds like you’ve done your research) But just to clarify, in case anyone else sees this thread: AuthLite can be used with Linux and MacOS , although the integration isn’t as deep as with Windows, and it requires more effort to get set up.

In particular with Macs, the offline mobile account and the disks’ filevault encryption is still just secured by the user’s password. (Other products have this limitation too). We’re trying to improve this anyway, because we’d like to be the first to offer really deep support for MacOS. But it’s a tall order because the APIs from Apple are just not there.

marcuswale3 · 2017-10-05T14:21:46.000Z

Gemalto? send me a message have some info which might be of use…

riyadlahmer · 2017-10-06T05:47:07.000Z

Hi,

Marcus, I tried to send you a message but can’t because my profile is new

I already made some little search about gemalto in the past. Is it responding to all my expectations ?

riyadlahmer · 2017-10-12T10:55:40.000Z

Hey !

I’m still looking for this perfect solution, So far, Keyidentity provides offline login for Windows and Mac (but Not Linux :/) .

OpenOTP just release a Windows offline login plugin (apparently it’s planned for Linux and Mac…).

DualShield seems to work offline on Windows and Mac OS, but again not for Linux. I feel like offline login isn’t really a priority in the OTP world.

About Gemalto, it looks also to work only for Windows.

ravikumartenneti9388 · 2017-12-11T08:07:03.000Z

We at Computer Port IT Solutions can give a solution for this 2FA. We can give the solution using PrivacyIDEA and you can make use of Google Authenticator.

If you have implemented using some other solution, then it is fine as we are late in seeing this. But if you want more information, please feel free to contact us.

jugoslavmumovich · 2018-02-28T09:52:42.000Z

Try SAASPASS, as I can see it is a complete solution for You, even offline.