In SSL VPN deployments, one of the most common configurations is two-factor authentication: the user's LDAP/Active Directory account plus a passcode generated from an OTP token.
I have been asked more than once: our users find it too difficult to remember both their password and an extra PIN code. Together with having to assemble the passcode (= tokencode + PIN code), that makes logging in rather complex for a non-IT-oriented user. The follow-up question is then: to keep strong authentication, can't we use the password as "something you know" and the tokencode as "something you have"?
This is indeed possible, but it depends on the kind of tokens you are using, or rather on the AAA software that manages those tokens. For example, ActivIdentity supports this since version 6.5 of its 4TRESS AAA RADIUS server. Below is a screenshot of the Mini Token PIN Policy setting:

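To make the difference between the two policies concrete, here is an added example (my own illustration, not code from ActivIdentity or from the 4TRESS product) of how an AAA server can validate both forms. Mode A is the classic one: the LDAP password in one field and a passcode = PIN + tokencode in the other. Mode B is the one users ask for: a single field containing the LDAP password followed by the tokencode, so no separate PIN is needed. The directory and the token store are in-memory stand-ins (a real server would bind to LDAP/AD and read the token seed from its own database), and the tokencode is computed with RFC 4226 HOTP so the example runs offline. The names `DIRECTORY`, `TOKENS`, `ldap_bind` and the test user are constructed for this example.

```python
"""Added example: combining an LDAP/AD password with an OTP tokencode in two ways.

Mode A: password checked against the directory, passcode = PIN + tokencode.
Mode B: one field = password followed by the tokencode; the password is the
        "something you know", the tokencode the "something you have".
"""
import hashlib
import hmac
import struct

# --- constructed stand-ins for the directory and the AAA token database ---
DIRECTORY = {"alice": "Winter2024!"}  # LDAP/AD password (plaintext only for this demo)
TOKENS = {"alice": {"seed": b"12345678901234567890", "counter": 0, "pin": "4711"}}
TOKEN_DIGITS = 6  # the tokencode is always exactly this long, which is what
                  # lets Mode B split "password + tokencode" reliably


def hotp(seed: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind; constant-time compare against the stored password."""
    return hmac.compare_digest(DIRECTORY.get(user, ""), password)


def verify_tokencode(user: str, code: str, window: int = 3) -> bool:
    """Accept the tokencode for the current counter or a small look-ahead window.

    On success the counter moves past the used value, so the same tokencode
    cannot be replayed (this is what a real AAA server must do as well).
    """
    tok = TOKENS.get(user)
    if tok is None:
        return False
    for i in range(window):
        if hmac.compare_digest(hotp(tok["seed"], tok["counter"] + i), code):
            tok["counter"] += i + 1
            return True
    return False


def authenticate_pin_mode(user: str, password: str, passcode: str) -> bool:
    """Mode A: LDAP password plus passcode = PIN + tokencode (the classic setup)."""
    tok = TOKENS.get(user)
    if tok is None or len(passcode) <= TOKEN_DIGITS or not ldap_bind(user, password):
        return False
    pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
    if not hmac.compare_digest(tok["pin"], pin):
        return False
    return verify_tokencode(user, code)


def authenticate_password_mode(user: str, combined: str) -> bool:
    """Mode B: single field = LDAP password immediately followed by the tokencode.

    The server strips the fixed-length tokencode first and binds to the
    directory with only the password part; the tokencode never reaches LDAP.
    """
    if len(combined) <= TOKEN_DIGITS:
        return False
    password, code = combined[:-TOKEN_DIGITS], combined[-TOKEN_DIGITS:]
    if not ldap_bind(user, password):
        return False
    return verify_tokencode(user, code)


if __name__ == "__main__":
    first = hotp(TOKENS["alice"]["seed"], 0)
    print("Mode B, password + tokencode:", authenticate_password_mode("alice", "Winter2024!" + first))
    print("Mode B, replayed tokencode:  ", authenticate_password_mode("alice", "Winter2024!" + first))
    second = hotp(TOKENS["alice"]["seed"], 1)
    print("Mode A, PIN + tokencode:     ", authenticate_pin_mode("alice", "Winter2024!", "4711" + second))
```

Two things are worth noticing in Mode B. The split only works because the tokencode has a fixed length, so the server must know the token's digit count before it can separate the password from it; and the password check happens before the tokencode check, so a wrong password never consumes a counter value. Whether a given VPN or RADIUS product does exactly this is a matter of its PIN policy setting, which is what the 4TRESS screenshot above controls.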