Two factor auth for CRES portal

This is a wishlist of mine which I hope would get into the plans for future enhancements to CRES service. Some form(s) of two factor authentication for access to CRES service would be very useful. I'm thinking of a low overhead approach for both internal (within the org) and external users such as out-of-band SMS OTP or a software token app on the device generating OTP (as opposed to hardware based form factors).
Thanks,
John

This, and improving the registration experience for mobile users, are both on the CRES roadmap. For two-factor auth, although I can't commit to anything, I'd agree that some sort of out-of-band communication of a one time password, by SMS or an alternate email address for example, would be the preferred approach.

Similar Messages

  • Need help with two-factor auth for windows logon using CSS

    Hi all,
    I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
    I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
    I have uninstalled and reinstalled the above programs in the following order:
    1) Install System Update and reboot
    2) Install Solution Center and reboot
    3) Install CSS and reboot
    4) Install Fingerprint Software and reboot
    Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
    I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
    Candace

  • Two factor authentication for iCloud?

    Hello,
    I have two factor authentication (aka two step verification) setup for my AppleID - when I login to appleid.apple.com it sends a code to my phone.  So that part works great.  However, when I login to www.icloud.com it doesn't send a code to my phone.  Securing iCloud.com with two factor is very important as iCloud contains a lot of your data (email, contacts, etc.).
    I'm wondering if it's not working for me because two factor for iCloud.com hasn't been fully rolled out yet - or maybe it is still in beta?
    This article indicates that Apple was testing two factor for iCloud.com as recently as June, 2014:
    http://appleinsider.com/articles/14/06/30/apple-testing-two-step-verification-for-icloudcom
    So my question is, does anyone know when two-factor authentication will be fully rolled out and working for iCloud.com?
    Thanks!

    After reading a few articles on this subject, Apple is still working on enabling two-factor authentication for iCloud.  At best, they are currently "rolling it out", a process that can take several months due to the millions of users, I guess.  At worst, it's still in beta and they are still testing and working on it... which means it could be next year before it's fully deployed.  I haven't found any articles or news with a firm date.  I'm just glad they are working on it as it's very important.  In the meantime, they have implemented email notifications when you login to your iCloud account.  I tested this and only received one notification (for multiple logins over several days from several different computers) so I'm not sure how well the notifications are really working - but I think the notifications are just a workaround until they get two-factor fully deployed for iCloud.
    Does anyone else have more info on this?

  • Two Factor Authentication for UC servers

    Has anyone setup any form of two factor authentication for logging into UC servers (Callmanager/Unity) for administrators using RSA SecurID's or another form of authentication?  We currently use our LDAP account or setup a Application User account but our Security group would like to add another layer of authentication.  Any suggestions?

    Thanks for your help David.  This is not my area of expertise, so if I put in the UC servers IP/URL the proxy server will intercept the request and block it from reaching the UC server?  Our Security group wants two factor enforced so I cannot bypass the second method of authentication.
    Gary

  • Luks encrypted key file as key for luks partition (two-factor auth)

    I'm trying to implement "two-factor" authentication (possession of a keyfile and knowledge of a passphrase required) using dm-crypt in order to open an encrypted root filesystem. In the past I used gpg and later openssl to decrypt a keyfile using a passphrase, which then was used by cryptsetup using --key-file to decrypt the actual data device. I'd like to ditch gpg/openssl and use only cryptsetup.
    So the idea is to create a luksFormatted key file (loop device) which, when opened using a passphrase, will be used as the key (using --key-file) to open a luksFormatted hard drive partition.
    To illustrate:
    # create and luksFormat the key container file
    dd if=/dev/urandom of=key_container bs=1M count=4
    cryptsetup luksFormat key_container
    # open the container and create a random "key" by directly writing pseudo random data to it
    cryptsetup luksOpen key_container key_device
    dd if=/dev/urandom of=/dev/mapper/key_device
    # luksFormat the data device using the random data from the luks key device
    cryptsetup -d /dev/mapper/key_device luksFormat /dev/sda1
    # later, to open /dev/sda1
    cryptsetup -d /dev/mapper/key_device luksOpen /dev/sda1 encryptedfs
    My questions:
    1. Is this a valid approach or am I making a mistake/do you see a problem somewhere?
    2. How much data from the loop device will cryptsetup use as key to format/open the data device? Everything? Is there a limit?
    3. Is there a difference between doing a
    cat /dev/mapper/key | cryptsetup -d -
    and
    cryptsetup -d /dev/mapper/key?
    4. Assuming that the answer to 1 is "no mistake/problem" and 2 is "everything there is" or even "the first x bytes", is it possible that the actual contents of the loop device may change in the future because of different loop device implementations or something else I didn't think of? I'd like to avoid bad surprises in the future.
    5. What would you recommend as size for the key container file, knowing that the luks header requires some space too?
    Any feedback appreciated.
    Cheers,
    fabriceb

    I do the same ( https://wiki.gentoo.org/wiki/Custom_Ini … ed_Keyfile ).
    --key-file=- should be equivalent, but it's meant for grabbing a key from gpg output or whatever; since you can specify it directly here, no need to involve anything else like cat etc.
    Without --key-file=- it would stop reading at newlines or something. This behaviour is quite dangerous as it may cause people who believe they're using a long random key to use only a very short (or even empty) key instead. One way to avoid such ambiguousness is to make sure there are no newline bytes in your keyfile, so it would use the whole thing in either interpretation.
    As for the key length, a key is essentially a passphrase. So it does not have to be very long at all; 8 truly random bytes would require up to 256^8 tries to break after all and with LUKS, each try takes ~1 second per physical CPU... but the smallest unit that LUKS allows is 512 bytes (1 sector) so you could just as well use the whole thing. If you use 4096 bytes, you're confusing bytes with bits somewhere... and as for bits, even 128-bit AES is still considered secure...
    You could save some bytes in the initrd.gz if you initialize the container file with zeroes instead of random, so it can be compressed. The key will still be random as the random cipher key will turn the zeroes to something else after all...
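The newline pitfall raised in the reply above, as an added example that is not part of the original thread: it checks whether a key file would yield the same key material when read whole (`--key-file`) and when read as a passphrase that stops at the first newline, and it generates a key file with no newline bytes. The helper names (`file_len`, `newline_count`, `passphrase_len`, `check_keyfile`, `make_keyfile`) and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: helper names are hypothetical.
# Premise taken from the reply: a key read as a passphrase stops at the
# first newline, while --key-file reads the whole file.

# Size of the file in bytes.
file_len() { wc -c < "$1" | tr -d ' '; }

# Number of newline (0x0a) bytes anywhere in the file.
newline_count() { LC_ALL=C tr -cd '\n' < "$1" | wc -c | tr -d ' '; }

# Bytes that precede the first newline, i.e. what remains of the key
# if it is consumed as a passphrase instead of as a key file.
passphrase_len() {
    LC_ALL=C head -n 1 "$1" | LC_ALL=C tr -d '\n' | wc -c | tr -d ' '
}

# Report whether both interpretations yield the same key material.
# Returns 0 when the file is unambiguous, 1 otherwise.
check_keyfile() {
    total=$(file_len "$1")
    used=$(passphrase_len "$1")
    if [ "$used" -eq "$total" ]; then
        echo "ok: all $total bytes are used under either interpretation"
        return 0
    fi
    echo "ambiguous: only $used of $total bytes precede the first newline"
    return 1
}

# Write $2 random bytes containing no newline to $1, readable by owner only.
# Newlines are dropped rather than substituted, so the remaining bytes stay
# uniform; the loop retries in the unlikely case too many were dropped.
make_keyfile() {
    (
        umask 077
        while :; do
            head -c "$(( $2 * 2 ))" /dev/urandom | LC_ALL=C tr -d '\n' | head -c "$2" > "$1"
            [ "$(file_len "$1")" -eq "$2" ] && break
        done
    )
}

# Demo on constructed input in a temporary directory.
demo=$(mktemp -d)
printf 'k3y\nmore-random-looking-bytes' > "$demo/bad.key"   # constructed sample
check_keyfile "$demo/bad.key" || true
make_keyfile "$demo/good.key" 512
check_keyfile "$demo/good.key" || true
rm -rf "$demo"
```

A 512-byte file of uniformly random bytes contains at least one newline about 87% of the time (1 - (255/256)^512), so an unchecked random key file is more likely than not to be ambiguous in this sense.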

  • Guide for configuring an ASA for two factor auth

    I've searched CSC as best as I can so I apologize if this is a duplicate topic.  I have an ASA5505 v8.4(1), ASDM version 6.4(1).  According to the release notes you can setup two factor authentication in these later versions of ASA code.  What I can't find is any guide that tells you what the steps are to actually set it up.  We're testing RSA's SecurID for PCI compliance.  If anyone has a link to a document that gives some insight into this I'd appreciate it.
    David

    David,
    Two factor requires no additional configuration, i.e. you have one password based on two parts.
    The ASA just works as a relay, it forwards the username/pass to AAA server which validates if it's OK (in a typical scenario).
    Now double authentication is something that might need a bit more config - i.e. you have to provide two passwords for two different mechanisms.
    Marcin.

  • Google two-factor auth and iPhone apps? ...

    Who here has enabled Google two-factor authentication? Did it break anything on your phone?
    I tinkered with it yesterday, and then our family's shared Google calendar stopped working. My wife couldn't see new items I added (in either the iPhone calendar or Fantastical). I disabled TFA, and all was good again.
    Reading Google TFA page talked about how to use an additional app on the phone to create some additional passwords, but it wasn't clear to me where I would use them.
    I also use Mailbox for GMail, not sure what will happen to that.
    Anyone here doing Google TFA? Any words of wisdom?
    Thanks very much in advance,
    Chris

    I had to do this for yahoo after my account was hacked.
    It's a little tricky but you can enter the codes into your settings and get the stock app to work.
    How to set it up:
    http://www.imore.com/how-to-gmail-2-step-verification-mail--iphone--ipad-mac

  • Two factor auth tied together?

    Hi all,
    I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.
    Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.
    My experience (and common sense) says that two factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.
    They've asked for some sort of evidence that this is how it works... A government directive or other "proof" that they need to tie together.
    I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.
    This seems like such a simple thing! Does anyone know of a document that clearly defines two factor as both factors required to be tied to the same person?

    I agree that tying them together would be better security but you may lose this one.
    In the bank card scenario, the unique item is the card, but the card and PIN can be used by anyone.
    Your situation is different in that the unique item is the fingerprint (since any card will do, thank you) AND it is physically tied to a single person (lopped off fingers aside).
    It's not as tight as it could be but it does qualify as two factor since you need both to enter.
    Since John's finger is scanned, John entered.
    JMTC
    Tom

  • Zuul - Simple two-factor authentication for SSH unless using publickey

    To quote myself:
    I wrote: I have a few machines I want to access using SSH. I use public keys when connecting from a trusted computer. However, I also want to access the machines from other computers using passwords. To eliminate the consequences of brute force password cracking or even stolen passwords, I have been looking for a two-factor authentication scheme to use if anything but public keys are used. The method described here lets me log in using publickeys without any further hassle, while I must enter a second, one time password delivered to my mobile phone by email if I use a password.
    Comments are welcome! (Especially on a better way to figure out what authentication method the current SSH session used)
    https://github.com/halhen/techsperiment … aster/zuul

    Finally, this is what I was looking for. Thanks for giving the link.

  • Using BOTH keyfile AND passphrase in dm-crypt. Two factor auth.

    How can the following setup be achieved. BOTH (not either) keyfile and a passphrase should be used in order to decrypt a device. So keyfile will be read from an SD-card/FLASH drive on boot and passphrase will be requested. That way, somebody who wants to access the system has to have something and know something to have access. In other words, this will be a two-factor authentication system.
    Ideally, multiple keyfiles and passphrases should be used. The reason is that if one keyfile A is lost/stolen, then the slot can be killed and another keyfile B will be used as a back-up. Now if somebody has found the keyfile A and slot A was deleted, they can no longer use keyfile A, because it will no longer be valid. Multiple passphrases are there to ensure that if one is forgotten another can be used as a back-up.
    Is it possible and how should I approach this? The wiki seems to be focusing on one factor authentication systems (where only a keyphrase OR a passphrase is used to decrypt the drive, while in this case BOTH a keyfile and a passphrase should be required).

    I did not try it by myself but it reads like what you want to achieve:
    Using GPG or OpenSSL Encrypted Keyfiles:
    The following forum posts give instructions to use two factor authentication

  • Two factor authentication for login

    Can you tell me when Verizon online will implement 2 factor authentication for logging into web and email?
    Thanks!

    Uh, never.  I doubt it's even on their radar.

  • When will CC support Two Factor Auth?

    As the title says -- I'd like to not worry so much about the next breach Adobe will face.
    I'd personally prefer Google Authenticator support, but I'd grudgingly accept SMS.

    Could you provide more details on how you use _Adobe.JSXInterface?
    This is a simple example to show how to use _Adobe.JSXInterface:
    1. Place a jsx file like f.jsx in assets folder. The function f is defined as below in this file:
    function f(a, b) {
        return a + b;
    }
    2. The JavaScript below in HTML widget will show the return value:
    <button onClick="_Adobe.includeJSXFile('f.jsx'); alert(_Adobe.JSXInterface.call('f', 5, 4));">Return result</button>
    "9" will be popped up if you click this button. Make sure to invoke _Adobe.includeJSXFile('f.jsx'); to call the functions defined in f.jsx via _Adobe.JSXInterface.call().

  • Is multi-factor auth required for self-service password reset and portal registration?

    Hi, hoping someone can give some clarity on this.  I'm dealing with strictly online accounts, no AD sync to local servers.  I have enabled and configured self-service password reset in AzureAD.  In that config I have required users to register their alt contact info when logging into the portal.  While testing this, I don't get prompted to register unless I've enabled multi-factor auth for the test user account.  I need users to register in case they need to use SSPR, but I don't want to force them into MFA.  I've gone over the following article and it says nothing about requiring MFA for SSPR or forced portal registration to work.
    https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
    I know there is a separate link for the registration portal that will guide users through the process, but that's a separate link.  Maybe they'll set it up, maybe they won't.  I'd like for the first sign-on to be a smooth process that gets them set up for SSPR if needed.  Can someone clarify and point me in the right direction? Thanks.

    Hey acook15,
    I work on the password reset engineering team.  Right now, you are correct, you cannot enforce registration for password reset during first sign in.  This is a feature that we are working on right now, which will be available very soon for sign ins to Azure, your connected apps, and the access panel, and will come a bit later for Office 365 sign ins, as well.
    In the interim, you can configure SSPR to require users to register when they access the access panel at myapps.microsoft.com by following the instructions here: http://aka.ms/customizesspr (search for "Require users to register when signing in to the access panel?").
    You can also read more about other ways to get SSPR data in the system for your users here: http://aka.ms/ssprbestpractices.  Let me know if this helps, and if you need to get in contact with me, feel free to email me at [email protected]
    Regards,
    Adam.
    Adam Steenwyk | Senior Program Manager | [email protected]

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
    Would like to know if anyone has implemented two-factor authentication for Sites login ( Admin / Contributor Interface ),
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if You use OAM for the access, you could create something like the described in:  Integrating the RSA SecurID Authentication Plug-In -
    I haven't tried myself, but maybe that integration with RSA SecurID plugin helps you.
    Regards,
    Guillermo.

  • Apple ID - Two Factor Authentication (and why I stopped using it)

    The Apple devices I use every day consist of the following:
    2009 MacBook Pro 17" (home)
    iPhone 6 (home)
    2012 MacBook Pro Retina (work)
    My home devices are all logged in using my Apple ID as usual, and my work laptop uses a Apple ID specific to work, but with my personal Apple ID logged in for iMessage and FaceTime (pretty standard, I presume, for people with full-time work laptops they can bring home, etc.). Now, since I have multiple devices which are constantly syncing everything back and forth, whether it be something as simple as my contacts or as delicate and near and dear to my heart as my photo collection, I felt that maybe I should use two factor authentication for my home Apple ID, just to be on the safe side. I recognize that the two factor authentication only protects iMessage and FaceTime currently, but I implemented it with hopes that someday they will incorporate everything about iCloud and other services synced between Apple devices that you would assume should be covered by a two factor authentication update/overhaul.
    I liked this idea very much, as I use two factor for almost everything I can, but things started to fall apart one day when I had to switch to a temporary work laptop and decided to log in to iMessage with a new app specific password, as you would need to on a new device (unless you wrote down the original iMessage password, which is a terrible thing to do). When I went to create my new iMessage password for work laptop B, I decided to revoke work laptop A's iMessage password while it went in for repairs. This wasn't so bad until something seemed funny about my phone, as it was asking for me to log into iMessage again. Now, I had created a separate password for work laptop A's iMessage when I first logged in a while back, as well as a separate password for the temporary work laptop B so it didn't interfere with my other generated passwords. Apparently this didn't matter.
    I continued and created a new app password for my phone, but when I got home, wouldn't you know it, I had to log into iMessage on my home laptop again as well. I had to create a new password for that, which seemed to work for a while, but then I was prompted to enter my iMessage password on my phone again once I revoked my home laptop's iMessage password. Not following? No, me either. It seemed to me that creating separate app specific passwords for me to use across my devices didn't stay as separate as I thought they should, but instead they somehow seemed to be dependent on one another. Since I had a frustrating time trying to activate iMessage again on my iPhone and laptops on multiple occasions while this was happening, I decided to disable two factor authentication altogether.
    I suppose I should ask a question here, so here goes: has anyone else encountered this horrific two factor authentication/app specific password management issue for their own account? Have you been able to resolve it, and if so, any helpful suggestions? Thanks!

    I had also thought that initially, but after turning it on, I went to sign into iMessage with my Apple ID and regular Apple ID password, but it prompted me to create an app specific password to sign in since I had two factor authentication on, as it wouldn't let me use my regular Apple ID password to log in (which I could use to log in for everything else but iMessage and FaceTime). It was nice since I was prompted to provide a code sent to an Apple device of my choosing when signing into the Apple ID management site or iCloud.com, but forcing me to create app specific passwords for iMessage and FaceTime is kind of ridiculous and frustrating. Maybe there's a way to have two factor authentication without the need for app specific passwords? Or if not, then perhaps that would be a great option to present users when turning that feature on.
