Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2645
Views
10
Helpful
4
Replies

Is this two-factor authentication?

serotonin888
Level 1
Level 1

‎06-24-2007 03:02 AM - edited ‎02-21-2020 10:18 AM

Hi all,

Two factor authnetication is considered be any two of the following.

1) Something you know

2) Something you have

3) Something you are

I want to know whether any of you would consider the following as two factor authentication...

A preconfigured copy of the cisco software VPN client including conenction details of an IPSec VPN (this includes the pre share key). And authentication to a windows domain configured on the VPN end point (a Cisco ASA).

One way to look at it is that the "something you have" is the Pre-configured Cisco VPN Client. And the "Something you know" is your Windows domain username and password.

Any thoughts?

What is the accepted wisdom on 2 factor authentication?

Can the Pre-configured VPN client be considered 1 of the authentication factors?

Many Thanks

Andy

Labels:
0 Helpful
4 Replies 4

mhellman
Level 7
Level 7

‎06-24-2007 06:40 PM

To me, strong authentication means at least some component of the authentication is out of band. Lots of folks think differently though.

Alternatively, you might call is weak[er] 2-factor;-) Does the "pre-configured client" mean that the software is somehow validated too? Will the shared key be the same for everyone? Will it ever change? An RSA token would be more secure. Still, it's certainly better than just a username/password. What are you trying to protect against?

serotonin888
Level 1
Level 1
In response to mhellman

‎06-25-2007 12:16 PM

The cisco vpn software client stores the IKE preshared key. This is the "something i have". This is the same key for everyone and is unlikely to change very often (if ever).

The username and password is the "something i know", and this is different for each user.

I know im going to be asked by auditors whenther we have 2 factor authentication for remote access vpn users. And I wanted to know if our current setup could be thought of as 2 factor.

Personally i dont think it is. And i agree that some kind of RSA token solution would be better.

Thanks

Andy

0 Helpful

wmblake755
Level 1
Level 1
In response to serotonin888

‎06-26-2007 11:21 AM

we had that same setup and it did NOT pass for 2 factor, because the pre-shared key is not unique for every VPN user/machine. We had to implement RSA tokens to pass the audit. Your auditors may say the same.

serotonin888
Level 1
Level 1

‎06-26-2007 11:30 AM

Thank you to both of you for helping me with this issue. At least i know where i stand with the auditors. This will give me leverage tim implement additional token authentication.

Cheers

Andy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents