I have only implemented RSA, but I will be doing a bit of research on this 
topic shortly.

For my current job we'll be needing MFA for a secure environment, in the next 
couple of months. They won't be able to afford RSA.

But I do need to note that PKI key+Duo is not MFA. (Something you have + 
Something you have)

MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)

1) Something you know (password/PIN not written down)
2) Something you have (device that cannot be copied, RSA fob, PKI hardware 
token/smart card...)
3) Something you are (biometrics)

RSA is fob + PIN.

My current plan is a PKI hardware token that requires a PIN/passcode to unlock 
the token to use the private key contained within. The key pair is generated on 
the token and the private key cannot be copied off the token.

SSH and OpenVPN clients support PKCS#11 for PKI hardware.


On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>I'm an end-user of Duo at the day job and relatively happy with it. Was not
>involved in the setup, though. OTOH I remember someone in #lopsa saying
>they had problems with them and had been unhappy. Can't remember who or why
>offhand, hopefully they'll chime in on this thread.
>
>I will note that the most common problem with Duo that I've personally seen
>is when folks have it configured to give them a phone call instead of
>running the app and getting a push notification. In our setup, to access
>the windows jumpbox we start an RDP session, and after normal user auth, it
>then triggers a Duo challenge. But the phone call setting seems to get
>delayed enough that the RDP session fails with a network policy error.
>People adjusting their user config with push notifications works better. I
>have not looked into seeing if you can just blanket disable that option,
>but it seems a bit odd that they offer that as a service when it doesn't
>work; then again, we may have a more aggressive timeout policy on the Duo
>portion than is recommended. Again, wasn't involved in the setup as it
>predated me, so I'm not sure.
>
>I know it also works with Linux boxes and that's on my list to check out,
>just haven't gotten to it yet. We'd likely only enable it on nodes with
>public IPs that have SSH listening/allowed, so it has been low on my
>priority list.
>
>Duo is also apparently free depending on how many users/devices you have,
>whereas last time I heard about the RSA setup, it was very expensive. I'm
>planning on adding Duo support to my personal AWS Linux nodes for SSH (so
>key+MFA auth, no passwords allowed).
>
>On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com>
>wrote:
>
>> Hi all, hope this email finds everyone well. We're looking into setting up
>> two-factor authentication at my company for a 2017 project and I'm in the
>> "Let's get the lay of the land" phase. Right now it seems like Duo is
>> making big headway in this market, but I've heard good things about RSA as
>> well. I'd love to get some first-hand feedback from people who have used
>> these types of 2FA solutions who aren't sales people :)
>>
>>
>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented
>> - at face value I'm very interested in Duo so if anyone has experience with
>> Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect)
>> that'd be fantastic.
>>
>>
>> Thanks in advance!
>>
>>
>> _____________________________
>> Kyle Stewart
>>
>> _______________________________________________
>> Discuss mailing list
>> Discuss@lists.lopsa.org
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>> This list provided by the League of Professional System
>Administrators
>>  http://lopsa.org/
>>
>>


-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
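The point made at the top of this message (key + Duo push is "have + have", a PIN-protected token makes the key itself "have + know") can be checked mechanically against an sshd configuration. The script below is an added example, not code from anyone in the thread; it assumes keyboard-interactive is wired through PAM to a Duo push, ignores Match blocks, and models sshd's first-value-wins rule for repeated keywords.

```python
# Added example: classify an sshd AuthenticationMethods policy by factor type
# to check whether a "key + Duo" chain is really two distinct factors.
ENABLE_KEY = {                    # method -> sshd keyword that enables it
    "publickey": "pubkeyauthentication",
    "password": "passwordauthentication",
    "keyboard-interactive": "kbdinteractiveauthentication",
}
# Assumption: keyboard-interactive goes through PAM to a Duo push, so it is
# "something you have", the same category as a key file or a hardware token.
FACTOR_OF = {"publickey": ["have"], "password": ["know"],
             "keyboard-interactive": ["have"]}

def parse_sshd_config(text):
    """Return keyword -> value; sshd keeps the FIRST value it sees per keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":   # Match blocks are conditional; stop here
            break
        opts.setdefault(key.lower(), value.strip())
    return opts

def factor_chains(text, token_pin=False):
    """List the factor categories each acceptable method chain requires.

    token_pin=True models a PKCS#11 token whose private key is unlocked by a
    PIN, so publickey contributes "have" plus "know" (the top message's plan).
    """
    opts = parse_sshd_config(text)
    enabled = [m for m, k in ENABLE_KEY.items() if opts.get(k, "yes") == "yes"]
    spec = opts.get("authenticationmethods", "any")
    # "any": one enabled method alone logs you in; otherwise each
    # space-separated item is an alternative chain of comma-joined methods
    # that must all succeed.
    chains = [[m] for m in enabled] if spec == "any" \
        else [c.split(",") for c in spec.split()]
    result = []
    for chain in chains:
        factors = []
        for method in chain:
            base = method.split(":")[0]          # e.g. keyboard-interactive:pam
            factors += FACTOR_OF.get(base, ["unknown"])
            if base == "publickey" and token_pin:
                factors.append("know")
        result.append(sorted(factors))
    return result

def is_true_mfa(text, token_pin=False):
    """True only if every chain mixes at least two distinct factor categories."""
    return all(len(set(f)) >= 2 for f in factor_chains(text, token_pin))
```

Older OpenSSH releases spell the keyboard-interactive switch ChallengeResponseAuthentication; add it to ENABLE_KEY if your fleet still uses that name.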