
What to use for two-factor (w/AD integration)


The safe length of a password keeps growing, and we are considering possibly increasing the length by one every year till probably infinity as computers keep getting more powerful at cracking passwords. If users can't remember passwords they will form bad habits like writing them down...

...Long term this seems like a losing strategy - I can't be the only one thinking this, so what are other people doing?

First rule of Security: It has to be usable or security won't be used.

Second rule of Security: there are no rules.. lol

So anyways back on topic

Personally I like the idea of moving straight to a 24 character password today with an added login option for two factor where the user only needs a token of some type and a short PIN.

  • What are others using, and what works? (what doesn't work)

Target: Citrix Desktops, Laptops, and iPhone


Leverage existing proximity cards

Fingerprint scanners

Iris Scanners ($$)

Smart Card Readers

RSA - currently we have RSA in limited use, but it seems unproductive to wait for a token and then enter it in; a faster and easier user experience would be more ideal

Price: cheaper solutions are obviously easier to sell, but usability and security are more important


  • 3 weeks later...

Why not use memory sticks and a bit of software? When the user leaves the machine they unplug the stick, which locks it, and when they return they just simply reinsert the stick back into the machine. Now this may not work if you have removable devices disabled by a group policy. This is just an idea to bounce off you, but it is a good question.


  • 3 weeks later...

Hi Hackling,

Ah, the dreaded "more security = less security" dilemma has plagued us IT guys for decades. Two factor authentication is definitely the right path but you have to keep it simple or else it won't be used (or as you said, written down, aaahhh). I have found that if my users can just remember one solid password and use Lastpass with a Yubikey, their lives (as well as mine) can be a better one :) . Now, certain timeout adjustments should be made to the Lastpass settings depending on the user (i.e., if the user doesn't touch the keyboard for X minutes, Lastpass automatically logs them out and they have to perform the TFA again). I've been using Lastpass with Yubikey for some time now and am very happy with the results. Those few times that I leave my Yubikey at home really show me how secure my passwords really are.

I hope this reply helps you!
