Am Montag, den 13.06.2016, 11:46 +0100 schrieb Phil Mayers:
On 12/06/2016 19:30, Cornelius Kölbel wrote:
We've looked at this in detail, and there are about 250 people in our organisation of 30k+ that could justify a hard token.
So you should choose a solution, where you can combine soft tokens, text messages, OTPs via email *argh* and hardware tokens, just as you wish. This would make the best sense for your scenario.
Ideally yes. So I'm very supportive of the idea of a standard set of protocols that can integrate all of the above.
In reality, cost and vendor support for our most exposed apps (Office 365, web-based SAML/Shibboleth auth) will matter hugely.
Oups, we left the RADIUS track. ;-) Are you bound to a certain IdP like ADFS? Have you implemented shibboleth? E.g. SimpleSAMLphp has a bunch of plugins that authenticate an 2FA backend. I think they have a native yubikey plugin. But there is also a privacyIDEA plugin. You can manage all kind of tokens in privacyIDEA (Disclaimer: I am developing this 2FA auth backend, which supports hardware HOTP/TOTP, smartphones, yubikey, sms, email...). Usually you will only have to get support/SLA for such a setup. Of course there a lot of plugins/connectors for ADFS, too. Which might result in more licenses costs. Here is a video, where you can even use U2F tokens (under certain conditions) https://www.youtube.com/watch?v=0VKFGSAlL80 -- Cornelius Kölbel cornelius.koelbel@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel