Two factor auth tied together?

Hi all,
I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.
Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.
My experience (and common sense) says that two factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.
They've asked for some sort of evidence that this is how it works... A government directive or other "proof" that they need to tie together.
I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.
This seems like such a simple thing! Does anyone know of a document that clearly defines two factor as both factors required to be tied to the same person?

I agree that tying them together would be better security but you may lose this one.
In the bank card scenario, the unique item is the card, but the card and PIN can be used by anyone.
Your situation is different in that the unique item is the fingerprint (since any card will do, thank you) AND it is physically tied to a single person (lopped off fingers aside).
It's not as tight as it could be but it does qualify as two factor since you need both to enter.
Since John's finger is scanned, John entered.
JMTC
Tom
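The distinction the original poster is arguing about, written out as an added example (Python, not code from this thread or from any badge or biometric vendor): the first policy is the deployed behaviour described in the post, where each reader only checks that its credential is enrolled somewhere, and the second requires both factors to resolve to the same enrolled person. A small log review then shows how the bound rule can be run over past access events to find badge/finger mismatches. The names, badge serials, template ids and log lines are all constructed, and the key=value log format is an assumption; a real reader export would need its own parser.

```python
"""
Added example, not code from the original thread: a minimal access-control
decision for a two-factor door. `unbound_two_factor` is the behaviour the
post describes (two independent "is this enrolled?" checks);
`bound_two_factor` requires both factors to identify the same person.
`find_mismatches` applies the bound rule to constructed access-log lines.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed enrolment records. A real system matches a live scan against
# stored templates; here a template id stands in for a successful match.
BADGE_OWNER: Dict[str, str] = {"BADGE-1001": "alice", "BADGE-1002": "bob"}
FINGER_OWNER: Dict[str, str] = {"FP-TEMPLATE-A": "alice", "FP-TEMPLATE-B": "bob"}


@dataclass(frozen=True)
class Decision:
    granted: bool
    principal: Optional[str]  # who the door believes walked through
    reason: str


def unbound_two_factor(badge: str, fp_template: str) -> Decision:
    """Deployed behaviour from the post: alice's badge with bob's finger
    passes, and the door cannot say who actually entered."""
    if badge in BADGE_OWNER and fp_template in FINGER_OWNER:
        return Decision(True, None, "badge enrolled and finger enrolled, never compared")
    return Decision(False, None, "a factor is not enrolled")


def bound_two_factor(badge: str, fp_template: str) -> Decision:
    """Both factors must identify the same person; a mismatch is denied
    and reported instead of silently accepted."""
    badge_owner = BADGE_OWNER.get(badge)
    finger_owner = FINGER_OWNER.get(fp_template)
    if badge_owner is None or finger_owner is None:
        return Decision(False, None, "a factor is not enrolled")
    if badge_owner != finger_owner:
        return Decision(False, None,
                        f"factor mismatch: badge={badge_owner} finger={finger_owner}")
    return Decision(True, badge_owner, "both factors bound to the same person")


# Constructed access-log lines (assumed key=value export format).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z door=DC-CAGE-3 badge=BADGE-1001 finger=FP-TEMPLATE-A
2024-03-01T08:05:40Z door=DC-CAGE-3 badge=BADGE-1001 finger=FP-TEMPLATE-B
2024-03-01T08:07:02Z door=DC-CAGE-3 badge=BADGE-1002 finger=FP-TEMPLATE-B
2024-03-01T08:09:55Z door=DC-CAGE-3 badge=BADGE-9999 finger=FP-TEMPLATE-A
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp is keyed 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def find_mismatches(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, badge owner, finger owner) for every entry that the
    unbound policy admitted but the bound policy would have refused."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        loose = unbound_two_factor(ev["badge"], ev["finger"])
        strict = bound_two_factor(ev["badge"], ev["finger"])
        if loose.granted and not strict.granted:
            # both factors are enrolled here, so the owner lookups cannot fail
            hits.append((ev["ts"], BADGE_OWNER[ev["badge"]], FINGER_OWNER[ev["finger"]]))
    return hits


if __name__ == "__main__":
    for ts, b, f in find_mismatches(SAMPLE_LOG):
        print(f"{ts}: badge of {b} presented with finger of {f}")
```

Run on the constructed log, only the second event is flagged: the badge resolves to alice and the finger to bob. The last event is refused by both policies because the badge is not enrolled, which is why it is not a mismatch. The practical point for the discussion above is that without the comparison step the second event is indistinguishable from a legitimate entry in the audit trail.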

Similar Messages

  • Need help with two-factor auth for windows logon using CSS

    Hi all,
    I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
    I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
    I have uninstalled and reinstalled the above programs in the following order:
    1) Install System Update and reboot
    2) Install Solution Center and reboot
    3) Install CSS and reboot
    4) Install Fingerprint Software and reboot
    Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
    I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
    Candace

  • Two factor auth for CRES portal

    This is a wishlist of mine which I hope would get into the plans for future enhancements to CRES service. Some form(s) of two factor authentication for access to CRES service would be very useful. I'm thinking of a low overhead approach for both internal (within the org) and external users such as out-of-band SMS OTP or a software token app on the device generating OTP (as opposed to hardware based form factors).
    Thanks,
    John
    Sent from Cisco Technical Support iPad App

    This, and improving the registration experience for mobile users, are both on the CRES roadmap. For two-factor auth, although I can't commit to anything, I'd agree that some sort of out-of-band communication of a one time password, by SMS or an alternate email address for example, would be the preferred approach.

  • Using BOTH keyfile AND passphrase in dm-crypt. Two factor auth.

    How can the following setup be achieved? BOTH (not either) a keyfile and a passphrase should be used in order to decrypt a device. So the keyfile will be read from an SD-card/FLASH drive on boot and the passphrase will be requested. That way, somebody who wants to access the system has to have something and know something to get access. In other words, this will be a two-factor authentication system.
    Ideally, multiple keyfiles and passphrases should be used. The reason is that if keyfile A is lost/stolen, the slot can be killed and another keyfile B will be used as a back-up. Now if somebody has found keyfile A and slot A was deleted, they can no longer use keyfile A, because it will no longer be valid. Multiple passphrases are there to ensure that if one is forgotten another can be used as a back-up.
    Is it possible and how should I approach this? The wiki seems to be focusing on one-factor authentication systems (where only a keyfile OR a passphrase is used to decrypt the drive, while in this case BOTH a keyfile and a passphrase should be required).

    I did not try it myself, but it reads like what you want to achieve:
    Using GPG or OpenSSL Encrypted Keyfiles:
    The following forum posts give instructions to use two factor authentication

  • Google two-factor auth and iPhone apps? ...

    Who here has enabled Google two-factor authentication? Did it break anything on your phone?
    I tinkered with it yesterday, and then our family's shared Google calendar stopped working. My wife couldn't see new items I added (in either the iPhone calendar or Fantastical). I disabled TFA, and all was good again.
    Reading Google TFA page talked about how to use an additional app on the phone to create some additional passwords, but it wasn't clear to me where I would use them.
    I also use Mailbox for GMail, not sure what will happen to that.
    Anyone here doing Google TFA? Any words of wisdom?
    Thanks very much in advance,
    Chris

    I had to do this for yahoo after my account was hacked.
    It's a little tricky but you can enter the codes into your settings and get the stock app to work.
    How to set it up:
    http://www.imore.com/how-to-gmail-2-step-verification-mail--iphone--ipad-mac

  • Luks encrypted key file as key for luks partition (two-factor auth)

    I'm trying to implement "two-factor" authentication (possession of a keyfile and knowledge of a passphrase required) using dm-crypt in order to open an encrypted root filesystem. In the past I used gpg and later openssl to decrypt a keyfile using a passphrase, which then was used by cryptsetup using --key-file to decrypt the actual data device. I'd like to ditch gpg/openssl and use only cryptsetup.
    So the idea is to create a luksFormatted key file (loop device) which, when opened using a passphrase, will be used as the key (using --key-file) to open a luksFormatted hard drive partition.
    To illustrate:
    # create and luksFormat the key container file
    dd if=/dev/urandom of=key_container bs=1M count=4
    cryptsetup luksFormat key_container
    # open the container and create a random "key" by directly writing pseudo random data to it
    cryptsetup luksOpen key_container key_device
    dd if=/dev/urandom of=/dev/mapper/key_device
    # luksFormat the data device using the random data from the luks key device
    cryptsetup -d /dev/mapper/key_device luksFormat /dev/sda1
    # later, to open /dev/sda1
    cryptsetup -d /dev/mapper/key_device luksOpen /dev/sda1 encryptedfs
    My questions:
    1. Is this a valid approach or am I making a mistake/do you see a problem somewhere?
    2. How much data from the loop device will cryptsetup use as key to format/open the data device? Everything? Is there a limit?
    3. Is there a difference between doing a
    cat /dev/mapper/key | cryptsetup -d -
    and
    cryptsetup -d /dev/mapper/key?
    4. Assuming that the answer to 1 is "no mistake/problem" and 2 is "everything there is" or even "the first x bytes", is it possible that the actual contents of the loop device may change in the future because of different loop device implementations or something else I didn't think of? I'd like to avoid bad surprises in the future..
    5. What would you recommend as size for the key container file, knowing that the luks header requires some space too?
    Any feedback appreciated.
    Cheers,
    fabriceb

    I do the same ( https://wiki.gentoo.org/wiki/Custom_Ini … ed_Keyfile ).
    --key-file=- should be equivalent, but it's meant for grabbing a key from gpg output or whatever; since you can specify it directly here, no need to involve anything else like cat etc.
    without --key-file=- it would stop reading at newlines or something. this behaviour is quite dangerous as it may cause people who believe they're using a long random key, to use only a very short (or even empty) key instead. one way to avoid such ambiguity is to make sure there are no newline bytes in your keyfile, so it would use the whole thing in either interpretation.
    as for the key length, a key is essentially a passphrase. So it does not have to be very long at all; 8 truly random bytes would require up to 256^8 tries to break after all and with LUKS, each try takes ~1 second per physical CPU... but the smallest unit that LUKS allows is 512 bytes (1 sector) so you could just as well use the whole thing. If you use 4096 bytes, you're confusing bytes with bits somewhere... and as for bits, even 128bit AES is still considered secure...
    You could save some bytes in the initrd.gz if you initialize the container file with zeroes instead of random, so it can be compressed. The key will still be random as the random cipher key will turn the zeroes to something else after all...
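The newline hazard described in the reply above, measured rather than argued, as an added example (Python; not code from this thread or from cryptsetup). It assumes, and this should be confirmed against the cryptsetup manual for the version in use, that a key read in passphrase mode (stdin without --key-file) stops at the first newline byte while --key-file consumes the whole file. The functions report how much of a keyfile would survive that truncation, how likely a random keyfile is to contain a newline at all, and generate a keyfile with no newline bytes so that both readings use the full key, which is the mitigation the reply suggests. All key material is constructed in memory.

```python
"""
Added example, not from the original thread. Assumption: passphrase-mode
reads stop at the first 0x0a byte; --key-file reads the whole file.
"""
import os


def effective_passphrase_length(key: bytes) -> int:
    """Bytes that would be used if the keyfile were read as a passphrase
    (assumed to stop at the first newline byte)."""
    idx = key.find(b"\n")
    return len(key) if idx < 0 else idx


def newline_probability(n_bytes: int) -> float:
    """Probability that n uniformly random bytes contain at least one 0x0a.
    For a 512-byte key this is about 0.865: a plain /dev/urandom keyfile
    almost always carries the hazard."""
    return 1.0 - (255 / 256) ** n_bytes


def make_newline_free_key(n_bytes: int) -> bytes:
    """Random key with no newline bytes, so both interpretations use all of it.
    Each byte keeps 255 possible values (about 7.99 bits), a negligible loss."""
    out = bytearray()
    while len(out) < n_bytes:
        chunk = os.urandom(n_bytes - len(out))
        out.extend(b for b in chunk if b != 0x0A)
    return bytes(out)


def audit_keyfile(path: str) -> dict:
    """Report total size versus the size that would survive passphrase-mode
    truncation for an on-disk keyfile."""
    with open(path, "rb") as fh:
        key = fh.read()
    eff = effective_passphrase_length(key)
    return {"total_bytes": len(key), "effective_bytes": eff, "truncated": eff < len(key)}


if __name__ == "__main__":
    print(f"P(newline in 512 random bytes) = {newline_probability(512):.3f}")
    key = make_newline_free_key(512)
    print(f"generated {len(key)} bytes, effective {effective_passphrase_length(key)}")
```

The probability figure is the useful part: with a 512-byte (one sector) key there is roughly an 86% chance of a newline somewhere, so a keyfile that is accidentally fed in passphrase mode is very likely to collapse to a few bytes, or to zero bytes if the newline lands first. Writing the key with `make_newline_free_key` removes that failure mode at the cost of a fraction of a bit per byte, and `audit_keyfile` gives a quick check for keyfiles that already exist.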

  • Guide for configuring an ASA for two factor auth

    I've searched CSC as best as I can so I apologize if this is a duplicate topic. I have an ASA5505 v8.4(1), ASDM version 6.4(1). According to the release notes you can setup two factor authentication in these later versions of ASA code. What I can't find is any guide that tells you what the steps are to actually set it up. We're testing RSA's SecureID for PCI compliance. If anyone has a link to a document that gives some insight into this I'd appreciate it.
    David

    David,
    Two factor requires no additional configuration, i.e. you have one password based on two parts.
    The ASA just works as a relay, it forwards the username/pass to AAA server which validates if it's OK (in a typical scenario).
    Now double authentication is something that might need a bit more config - i.e. you have to provide two passwords for two different mechanisms.
    Marcin.

  • When will CC support Two Factor Auth?

    As the title says -- I'd like to not worry so much about the next breach Adobe will face.
    I'd personally prefer Google Authenticator support, but I'd grudgingly accept SMS.

    Could you provide more details on how you use _Adobe.JSXInterface?
    This is a simple example to show how to use _Adobe.JSXInterface:
    1. Place a jsx file like f.jsx in assets folder. The function f is defined as below in this file:
    function f(a, b) {
        return a + b;
    }
    2. The JavaScript below in HTML widget will show the return value:
    <button onClick="_Adobe.includeJSXFile('f.jsx'); alert(_Adobe.JSXInterface.call('f', 5, 4));">Return result</button>
    "9" will be popped up if you click this button. Make sure to invoke _Adobe.includeJSXFile('f.jsx'); before calling the functions defined in f.jsx via _Adobe.JSXInterface.call().

  • Vmware horizon radius integration with two factor authentication

    I have deployed vmware horizon view connection server (Evaluation/Trial version), I want to integrate it with a two factor authentication server. But after configuring RADIUS parameters in the admin portal of the connection server, it's not allowing me to save the settings. Please suggest.
    I have attached the snap for your reference.

    The SMTP server supports what is referred to as third party authentication. To take advantage of this you would need to provide all of the authentication code, however -- there's no way to do part of the authentication and then pass control back to the messaging server for the rest. So you'd need to do both password checks, one of which is presumably done via LDAP auth, yourself.
    As far as LDAP proxy and RADIUS, we use a standard LDAP simple bind. The ODSEE LDAP proxy is often used in OCMS deployments, so that is a known good solution. We don't directly support RADIUS; the aforementioned third party authentication could be used to tie into such a system.
    - Jeff

  • Apple ID - Two Factor Authentication (and why I stopped using it)

    The Apple devices I use every day consist of the following:
    2009 MacBook Pro 17" (home)
    iPhone 6 (home)
    2012 MacBook Pro Retina (work)
    My home devices are all logged in using my Apple ID as usual, and my work laptop uses a Apple ID specific to work, but with my personal Apple ID logged in for iMessage and FaceTime (pretty standard, I presume, for people with full-time work laptops they can bring home, etc.). Now, since I have multiple devices which are constantly syncing everything back and forth, whether it be something as simple as my contacts or as delicate and near and dear to my heart as my photo collection, I felt that maybe I should use two factor authentication for my home Apple ID, just to be on the safe side. I recognize that the two factor authentication only protects iMessage and FaceTime currently, but I implemented it with hopes that someday they will incorporate everything about iCloud and other services synced between Apple devices that you would assume should be covered by a two factor authentication update/overhaul.
    I liked this idea very much, as I use two factor for almost everything I can, but things started to fall apart one day when I had to switch to a temporary work laptop and decided to log in to iMessage with a new app specific password, as you would need to on a new device (unless you wrote down the original iMessage password, which is a terrible thing to do). When I went to create my new iMessage password for work laptop B, I decided to revoke work laptop A's iMessage password while it went in for repairs. This wasn't so bad until something seemed funny about my phone, as it was asking for me to log into iMessage again. Now, I had created a separate password for work laptop A's iMessage when I first logged in a while back, as well as a separate password for the temporary work laptop B so it didn't interfere with my other generated passwords. Apparently this didn't matter.
    I continued and created a new app password for my phone, but when I got home, wouldn't you know it, I had to log into iMessage on my home laptop again as well. I had to create a new password for that, which seemed to work for a while, but then I was prompted to enter my iMessage password on my phone again once I revoked my home laptop's iMessage password. Not following? No, me either. It seemed to me that creating separate app specific passwords for me to use across my devices didn't stay as separate as I thought they should, but instead they somehow seemed to be dependent on one another. Since I had a frustrating time trying to activate iMessage again on my iPhone and laptops on multiple occasions while this was happening, I decided to disable two factor authentication altogether.
    I suppose I should ask a question here, so here goes: has anyone else encountered this horrific two factor authentication/app specific password management issue for their own account? Have you been able to resolve it, and if so, any helpful suggestions? Thanks!

    I had also thought that initially, but after turning it on, I went to sign into iMessage with my Apple ID and regular Apple ID password, but it prompted me to create an app specific password to sign in since I had two factor authentication on, as it wouldn't let me use my regular Apple ID password to log in (which I could use to log in for everything else but iMessage and FaceTime). It was nice since I was prompted to provide a code sent to an Apple device of my choosing when signing into the Apple ID management site or iCloud.com, but forcing me to create app specific passwords for iMessage and FaceTime is kind of ridiculous and frustrating. Maybe there's a way to have two factor authentication without the need for app specific passwords? Or if not, then perhaps that would be a great option to present users when turning that feature on.

  • Two Factor Authentication on Windows Server 2008 R2

    We have a small 2008 R2 Active Directory environment with 2 domain controllers and 13 member servers. We have no additional features such as an RDP gateway or Federation Services - just a plain AD setup. We now have a requirement from our client to have a two factor authentication solution for each time we logon to any server, either using RDP or locally. We only have 4 admins that ever logon to these servers - we do not have any "regular" users.
    Is there anything out there that would work in this environment without having to modify our AD (at least nothing major)?
    Thanks

    Hi,
    You may consider smart card:
    Smart Card Overview
    http://technet.microsoft.com/en-us/library/hh831433.aspx
    Understanding Requirements for Connecting to a Remote Desktop Gateway Server
    http://technet.microsoft.com/en-us/library/cc770519.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Visual Studio 2013 Community Azure Login Not Working with Two-factor Authentication

    Has anybody had any problems logging in to Azure to publish when using Visual Studio 2013 Community and with two-factor authentication turned on?
    I couldn't log on until I turned off two-factor authentication.
    Regards

    Hello John,
    Thanks for posting here!
    You can try and set a credential helper like git-credential-winstore in order to cache your credentials. See if that helps.
    Couple of questions here:
    1) Are you using a MSA account by any chance?
    2) When you turn on two-factor authentication, do you get any error message?
    3) Did you try with different browsers?
    Looking forward to your response!
    Regards,
    Sadiqh

  • Two different projects spliced together over each other some how?

    Greetings everyone,
    I thought forum users might be interested in this one. I don't use the forum often so I don't know the history, but has anybody ever had two different projects spliced together over each other somehow? For example, I was tweaking a project and left it alone for several months. I came back today to work on it and clips from other projects were in it somehow. Also the audio from the new clips was in the new project and overriding the existing project. Does anybody know how to restore the two and make them separate without losing any info from either one? The thing's a mess. I had 1 video track w/ some subtitles, a voice over, and some music in the background. Now it has two video clips, and two of everything else. It's crazy. I don't think it's a virus or anything. Nothing else on my machine is acting strange. I hope nobody else has experienced this, yet can help.
    Peace

    If you have a backup external drive and Time Machine, I would suggest the following:
    Locate this specific clip in your Finder. Highlight it and rename it "old", or something similar.
    Launch Time Machine.
    Go back to a date in time when this clip was as you properly edited it.
    Again, make sure Finder is still open and highlight the clip.
    Click "restore" in Time Machine.
    Open iMovie and you will see your project as you had it all those months ago.
    This works for me when I have an iMovie project behaving badly.
    iMovie is a great application: but just like us, it has good days and bad days.
    Dan

  • Is multi-factor auth required for self-service password reset and portal registration?

    Hi, hoping someone can give some clarity on this. I'm dealing with strictly online accounts, no AD sync to local servers. I have enabled and configured self-service password reset in AzureAD. In that config I have required users to register their alt contact info when logging into the portal. While testing this, I don't get prompted to register unless I've enabled multi-factor auth for the test user account. I need users to register in case they need to use SSPR, but I don't want to force them into MFA. I've gone over the following article and it says nothing about requiring MFA for SSPR or forced portal registration to work.
    https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
    I know there is a separate link for the registration portal that will guide users through the process, but that's a separate link. Maybe they'll set it up, maybe they won't. I'd like for the first sign-on to be a smooth process that gets them set up for SSPR if needed. Can someone clarify and point me in the right direction? Thanks.

    Hey acook15,
    I work on the password reset engineering team. Right now, you are correct, you cannot enforce registration for password reset during first sign in. This is a feature that we are working on right now, which will be available very soon for sign ins to Azure, your connected apps, and the access panel, and will come a bit later for Office 365 sign ins, as well.
    In the interim, you can configure SSPR to require users to register when they access the access panel at myapps.microsoft.com by following the instructions here: http://aka.ms/customizesspr (search for "Require users to register when signing in to the access panel?").
    You can also read more about other ways to get SSPR data in the system for your users here: http://aka.ms/ssprbestpractices. Let me know if this helps, and if you need to get in contact with me, feel free to email me at [email protected]
    Regards,
    Adam.
    Adam Steenwyk | Senior Program Manager | [email protected]

  • How do I know if I set up Apple's two factor authentication?

    How can I tell if I ever set up Apple's two factor authentication and should make sure I can find the Recovery Key?

    Hi David,
    You can check to see whether you turned on two-step verification for your Apple ID by seeing if it will allow you to turn it off. Follow the instructions in this article, though you do not actually have to turn it off -
    Apple ID: Turning off two-step verification for your Apple ID - Apple Support
    Read this article for more information on two-step verification, including the Recovery Key -
    Frequently asked questions about two-step verification for Apple ID - Apple Support
    Thanks for using Apple Support Communities.
    Best,
    Brett L 
