I've recently done some work at a place where they've seen occasional use of hardware keyloggers attached to USB keyboard ports to capture usernames and passwords.
Naturally, the first thought to mitigate against this possible threat (as securing the ports themselves is not feasible) is to look at implementing two-factor authentication. If the user's password is compromised, the lack of availability of the token will make the scope of the compromise much smaller. However - I did wonder how 2FA stacks up with functions such as "Run As Different User"? If I steal someone's username and password, and then log on to a machine and do "run as different user" on Outlook.exe or even supply the hijacked credentials for a drive mapping to a share, will I be allowed to access information I otherwise wouldn't have had access to? Or does 2FA also come into play when authenticating via these methods as well? I've never thought about this before, just wondering if anyone who has implemented 2FA knows the answer? TIA, -- *James Rankin* --------------------- RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization http://appsensebigot.blogspot.co.uk
