Questions about 2 factor auth in AD


Questions about 2 factor auth in AD

Big D
We want to set up 2 factor auth for on-site windows workstation logins (user generates an OTP via mobile app and enters it along with his/her username in the windows login dialogue instead of simple user/password auth), so I've read the https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/use-wikid-one-time-passcodes-in-active-directory page and have a few questions.

1) Is the new AD protocol module suitable for this purpose (the page only mentions shared admin accounts)?
2) Is that (what has been documented on this page) all there is to it? I mean: How do I specify which user account needs to authenticate using 2FA?
3) How is the 2FA for logging into the workstation enforced?
4) If this works the way we want it, does one need to generate and enter a new OTP each time one locked the workstation due to absence and logs back into windows?

Thanks a lot for your feedback.

Re: Questions about 2 factor auth in AD

Nick Owen
Administrator

Good questions.

It is very suitable for windows login. We are just positioning it that way to start.

When a user in an AD-enabled domain requests an OTP, the WiKID server pushes it to AD as the user's password.  So any user in that domain is automatically setup.

It is enforced by AD since it's the new password. Once the OTP expires, the WiKID server sends a random string to overwrite the OTP in AD.

Each time you login, you need to generate a new OTP.

So, you get two factor auth for windows logins, you limit pass-the-hash attacks etc. But, if these users are using Exchange, they will probably not appreciate it.

Does that help?

Nick

On Dec 11, 2015 6:39 AM, "Big D [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:
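The mechanism Nick describes (OTP pushed into AD as the account password, then overwritten with a random string once it expires) modelled in Python as an added example; this is not WiKID's code. It assumes the password is written over LDAP, where AD expects the unicodePwd attribute as the quoted password in UTF-16LE, and it enforces only expiry, as the thread describes, not single use of an OTP.

```python
"""Toy model of the OTP-as-AD-password flow from the thread (added example, not WiKID's code)."""
import secrets
import string
import time

OTP_LIFETIME_S = 60  # assumed lifetime; the real value is a WiKID server setting


def unicode_pwd_value(password: str) -> bytes:
    """AD only accepts unicodePwd as the password wrapped in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


class OtpPasswordDirectory:
    """In-memory stand-in for the AD account store: user -> unicodePwd bytes, plus OTP expiry."""

    def __init__(self, now=time.time):
        self._now = now
        self._pw = {}        # what AD would hold for each user
        self._expiry = {}    # when the WiKID server should overwrite the OTP

    def issue_otp(self, user: str) -> str:
        """User requests an OTP; the server pushes it to AD as the user's password."""
        otp = "".join(secrets.choice(string.digits) for _ in range(8))
        self._pw[user] = unicode_pwd_value(otp)
        self._expiry[user] = self._now() + OTP_LIFETIME_S
        return otp

    def sweep_expired(self) -> list:
        """Expired OTPs are replaced by a random string, so the old OTP (and its hash) is dead."""
        rotated = []
        for user, deadline in list(self._expiry.items()):
            if self._now() >= deadline:
                self._pw[user] = unicode_pwd_value(secrets.token_urlsafe(24))
                del self._expiry[user]
                rotated.append(user)
        return rotated

    def logon(self, user: str, supplied: str) -> bool:
        """What a domain logon amounts to here: constant-time compare against the stored value."""
        self.sweep_expired()
        stored = self._pw.get(user)
        return stored is not None and secrets.compare_digest(stored, unicode_pwd_value(supplied))
```

Run with a controllable clock to see that the same OTP stops working once the lifetime has passed, which is why a fresh OTP is needed after a long absence.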

Re: Questions about 2 factor auth in AD

Big D
It helps a great deal! Thanks again for the very quick reply!
Fortunately we're running no own exchange server anymore, and the Outlook365 password is not related to the domain password, so we should be good.
Only thing people are going to be miffed about is having to create a new OTP whenever they've locked the workstation while going places but hey! Life is not a wishing well, right? ;)
When I've implemented it I'll let you know how it went as you asked for in the other thread.

Re: Questions about 2 factor auth in AD

Nick Owen
Administrator

Interesting about the mail.

Of course, you can set the lockout to be more forgiving.

Let me know how it goes!

On Dec 11, 2015 8:14 AM, "Big D [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: Questions about 2 factor auth in AD

Big D
Oh, one more question...
Let's say a user goes on a business trip. Usually he would fire up his workstation, log into Windows with his usual password, make a wi-fi connection, fire up the VPN client and the token client and log into the network remotely (we have VPN 2FA via WiKID running as well).  But now with 2FA on Windows login, how is he going to authenticate at the Windows login when there is no connection to the AD/WiKID server?

Re: Questions about 2 factor auth in AD

Big D
that should read notebook not workstation...

Re: Questions about 2 factor auth in AD

Nick Owen
Administrator
That might be a deal killer and one reason we are pushing it for admin use at this time.

Maybe login to a non-domain account and use RDP?

On Fri, Dec 11, 2015 at 8:22 AM, Big D [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

--
Nick Owen  --  WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode.net
Get our low-volume newsletter - Notices, updates : http://eepurl.com/zzUeP