August 2010 - Posts

Several years ago, I wrote a blog post about Two Factor Authentication (2FA), and since then I’ve been using and living with it on a daily basis. Having just gotten a couple of questions posted to me from that blog post, I thought it might be time to update things a bit. First, if you haven’t read the earlier post, or don’t know much about 2FA, start by reading that so we’re all on the same page.

So, what’s changed? Well, for one, although I still carry around that keyfob token, I rarely use it. Instead, I run the AuthAnvil iPhone app on my cell phone. And AuthAnvil makes it easy for me to use either one, independently, through a feature they call “grouped users”. Basically, I have two different AA usernames, one assigned to that hard token, and the other assigned to the iPhone SoftToken. But AA links the two accounts together under my grouped username, which is matched to my Windows username. Now it doesn’t matter whether I use the hard or soft token, both are recognized and used transparently.

Speaking of transparency, I’ve moved to running AA for ALL laptop and remote users in our business. We use the AuthAnvil Credential Provider (aka, Windows Logon Agent) on our Windows 7 laptops, and on our Remote Desktop Session Host (aka, Terminal Server). Our laptops have cached credential mode enabled, of course, ensuring that users can log on to their laptops even if they don’t have a network connection.

We also use the AA Credential Provider on our RD Session Host server. We’re big users of RemoteApps here, and adding AA to our RemoteApp server has allowed us to make those same RemoteApps available even when we’re working remotely.

One of the questions I’ve been asked, more than once, is “Isn’t it a nuisance to have to get the one time password and then enter it every time?” And the answer is, well, yeah, I suppose. But it’s a whole lot less of a nuisance than having to deal with the consequences of an unauthorized user getting access to our intellectual property. Our business is intellectual property, after all. So a few extra steps once or twice a day to protect that is, frankly, trivial in the overall scope of things.

Is there one feature I wish AA had? Yup. Location Awareness. I want to be able to have a different policy for local v. remote users. The problem, of course, is that this is not trivial to implement. I know it’s on the wish list for AuthAnvil, and I’m hopeful we’ll see it sooner rather than later. But ultimately it isn’t a “must have” feature. It’s a “would be really nice” feature. Having AA at all, however, is very much a must have.

Posted by Charlie Russel