Viewing posts from January, 2009
How does WiKID enable Active Directory password resets?
Posted by: root 16 years, 4 months ago
A password-reset domain is configured on the server with Administrator rights to reset users' passwords. When a user forgets their password, they choose the password reset domain on the WiKID client and enter their PIN. If PIN is correct, the encryption valid and the WiKID account is active, the WiKID server resets the Active Directory password to the one-time passcode and forces the user to change their password at the next login.
Can more than one passcode be valid at one time?
Posted by: root 16 years, 4 months ago
No. Only one passcode can be valid at one time. Most time-synchronous token solutions allow more than one passcode to be valid at one time so that the login window is long enough or to account for clock drift. With only a 6 digit passcode, this can reduce security.
How can a software token be as secure as a hardware token?
Posted by: root 16 years, 4 months ago
Simple, really.
There are two factors: possession of the private key and knowledge
of the PIN. The private key is stored on the client. Our PC client, for
example, this key is in a password-protected PKS12 encrypted file. If
someone steals this file and brute-force attacks it and gets the
passcode, they are only half-way there.
They still need the PIN. The PIN is stored encrypted on the WiKID
server. Losing the private key is the equivalent of losing a hardware
token. You're only half-way there.
Typical software tokens store the PIN, the secret and the algorythm all in the client. Clearly this is not the way to do it.
Can I use WiKID for two-factor authentication for GDM/XDM/Gnome/KDE login?
Posted by: root 16 years, 4 months ago
Most Linux services use PAM, so 'Yes'. Just configure /etc/pam.d/login to use Radius and you should be good to go.
But we can't ask non-employees to run software on their PCs. What can we do about vendors?
Posted by: root 16 years, 4 months ago
We suggest you use USB tokens or wireless tokens.
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)