For a long time I have been meaning to pull together some of the top tips for setting up two-factor authentication. I expect this will be a moving target. Obviously, two-factor authentication is central to your network deployment, so even if that PCI QSA is breathing down your neck, take some time to do a bit of planning!
- Read the fine manual. While we certainly cater to a quick install with our cheat-sheet, our installation manual is quite short too. You'll avoid some missteps.
- If you don't know what a setting does, you can probably leave it blank. A good example is RADIUS return attributes: just forget about them if you're not using them. Another is the Registered URL, which is only used for mutual HTTPS authentication.
- Start simple. We highly recommend routing your two-factor authentication through a RADIUS server such as NPS or FreeRADIUS to separate authorization from authentication. This adds security in the long run; in the short run, it's extra complexity. Start by testing whether your network client (VPN, web app, SSH, etc.) can talk RADIUS to WiKID directly, then add the extra layer.
- Test the server using the example.jsp page. This will let you know if you have a working server and it will expose you to the functionality in our API.
The next level
- Turn on debugging and see what is going on. Better to be familiar with this now, when you don't need it. Chances are you will need to retain your logs for compliance reasons, but we recommend not running in debug mode in production, as the logs quickly get big. Test archiving the logs.
- Check out the ADRegister scripts. They allow users to add their own tokens after authenticating with their AD credentials. Set up your copy in your own directory or back it up: RPM updates may overwrite any changes you make.
- Separate authentication and authorization using NPS or FreeRADIUS. The WiKID server is not a full RADIUS server; it just talks RADIUS to perform authentication, so authorization decisions (which users and groups may reach which service) belong in the real RADIUS server in front of it.
- Configure the server to start automatically using the provided script, and set the server passphrase in /etc/WiKID/security.
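Both the "talk RADIUS to WiKID directly first" step and the NPS/FreeRADIUS separation step above come down to the same check: can this client get an Access-Accept for a valid passcode, and is the reply genuine? Here is a small RADIUS PAP test client for that, written for this post as an added example (it is not WiKID's code and does not appear in the original). It assumes the server accepts plain PAP on UDP/1812 with the one-time passcode carried in User-Password; the host, shared secret and user names you pass in are your own. It hides the password as RFC 2865 requires and, importantly, checks the Response Authenticator, so a shared-secret mismatch or a forged reply is reported as such rather than mistaken for an accept. Point it at WiKID first, then at the NPS or FreeRADIUS box once that sits in front.

```python
# Minimal RADIUS PAP test client (RFC 2865). Added example, not WiKID's code.
# Assumption: server accepts PAP on UDP/1812, passcode in User-Password.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _xor_stream(secret, authenticator, data, hidden):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous *hidden*
    block), seeded with the Request Authenticator. hidden=True means reveal."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if hidden else block
    return bytes(out)

def hide_password(secret, authenticator, password):
    """Pad to 16-octet blocks and hide. RFC 2865 caps the password at 128."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(secret, authenticator, padded, hidden=False)

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (what the server does); strips NUL padding."""
    return _xor_stream(secret, authenticator, hidden, hidden=True).rstrip(b"\x00")

def attribute(attr_type, value):
    """Type-Length-Value; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, username, password, nas_id,
                         authenticator=None):
    """Code, Identifier, Length, 16 random octets, attributes. `authenticator`
    is overridable only for reproducible tests; leave it None in real use."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(data):
    """Split a TLV attribute list into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def build_response(secret, request, code, attrs=b""):
    """What a server sends back: Response Authenticator is
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret). Used for offline tests."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """Return (code, attributes) only if the reply carries our Identifier and a
    Response Authenticator made with our secret; otherwise raise. Without this
    check anyone on the path could forge an Access-Accept."""
    if len(response) < 20:
        raise ValueError("response shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if not 20 <= length <= len(response):
        raise ValueError("bad Length field")
    response = response[:length]
    if ident != request[1]:
        raise ValueError("Identifier does not match our request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, parse_attributes(response[20:])

def radius_auth(host, secret, username, passcode, nas_id="wikid-test", port=1812):
    """Send one Access-Request over UDP and return the verified (code, attrs)."""
    request = build_access_request(secret, os.urandom(1)[0], username, passcode, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5.0)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(secret, request, reply)

if __name__ == "__main__":  # usage: radtest.py <host> <shared-secret> <user> <passcode>
    import sys
    host, secret, user, passcode = sys.argv[1:5]
    code, attrs = radius_auth(host, secret.encode(), user, passcode)
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
           ACCESS_CHALLENGE: "Access-Challenge"}.get(code, "code %d" % code), attrs)
```

A timeout here usually means the server dropped the request, which is what most RADIUS servers do for an unknown client IP or a shared secret that does not decode the password; an Access-Reject with a Reply-Message (attribute 18) is the more useful failure, because it proves the RADIUS leg works and only the passcode or policy was wrong. Note that the User-Password hiding is MD5-based obfuscation, not encryption, which is one more reason to keep the WiKID-to-NPS/FreeRADIUS hop on a trusted network segment.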