>> Our company does not consider this a strong enough authentication method
>> for our intranet. Whilst it might be unusual for a certificate to be
>> compromised, in a big company we cannot guarantee that some employees
>> won't make the mistake of storing their key with an empty password on a
>> memory stick. Requiring the user to also enter the correct username and
>> password provides a greater level of security.
>
> Hmm, but entering username and password is also rather weak, especially
> when doing it from unknown browsers.
>
> If you really need two-factor authc you should issue X.509 certs for
> keys generated on smartcards protected by a PIN or something like RSA
> SecurID (AFAICT the latter can be integrated with CAS via RADIUS).

I second this recommendation. We use certificates on a security device (Aladdin eToken) for strong 2-factor authentication when needed. CAS supports this very well out of the box.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
