DirectAccess Multifactor Authentication?

  • Question

  • What else can be used for 2 factor other than smart cards?

    Besides the logistics hassle of managing the cards purchasing, shipping and replacing them, I don't see the security benefit when users are going to either leave the cards plugged into the laptops or at least store them in the same bag with the laptop.

    Does something else integrate with DirectAccess where they could use their phones or even just a memorized PIN in addition to their Windows user name and password?

    Azure Multifactor?


    To clarify, it is not the DirectAccess connection itself that needs to be protected by MFA, it is the Windows login for remote users. DA would be protected indirectly by the 2FA login into the laptop, since they can't get to DA without logging into the laptop.

    We want DA to connect seamlessly once the user has done 2FA to get into the laptop, so that they get security updates and sync offline files with no additional user action required other than logging into Windows.

    If we require 2FA specifically to start DA connections, then users who only need access to email or other resources they can reach with a plain Internet connection will not bother to go through the steps to connect to DA.

    • Edited by MyGposts Tuesday, October 28, 2014 12:29 AM
    Tuesday, October 28, 2014 12:17 AM

All replies

  • Hi,

    Having MFA at Windows login is not possible at the current time with DirectAccess. The reason is simple: once authentication is granted by the RADIUS server, the DirectAccess gateway signs a certificate request on behalf of the client and sends the certificate to the DirectAccess client. This certificate is supposed to be used in the PKINIT phase of the Kerberos negotiation at user logon. Having 2FA with DirectAccess does not force you to authenticate whatever resource you try to access: if your resources are considered allowed destinations for the IPsec infrastructure tunnel, 2FA authentication will not be required. That can be the case for Outlook & Lync, but not for your SharePoint.

    BenoitS - Simple by Design

    Tuesday, October 28, 2014 12:10 PM
  • It is possible to use TPM Virtual Smart Cards. What this allows you to do is use the TPM in your mobile device to create multiple TPM Virtual Smart Cards. Each user is then assigned a personal Smart Card certificate and links it to the TPM Virtual Smart Card. Users are able to log on using only a PIN code, but ONLY from that mobile device.

    Boudewijn Plomp | BPMi Infrastructure & Security


    Thursday, November 20, 2014 2:38 PM
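The provisioning the reply above describes, as an added example that is not part of the original thread or of any Microsoft documentation. It is PowerShell to be run from an elevated prompt on the client: create a TPM virtual smart card, generate the user's key on it, enroll a Smart Card Logon certificate from the enterprise CA, and verify the result. The CA config string, the template name, the card name and the working directory are placeholder assumptions; the user running it needs Enroll permission on the template, and the template must allow the requester to supply the subject or the CA will override it.

```powershell
# Added example, not from the original thread. Assumptions (replace for your environment):
$CaConfig = 'ca01.corp.example.com\Corp Issuing CA'   # assumed issuing CA, "host\CA name" form
$Template = 'SmartcardLogon'                          # assumed template carrying the Smart Card Logon EKU
$CardName = 'CorpVirtualSC'                           # assumed name for the virtual smart card

# 1. A virtual smart card needs a present, initialised TPM; fail early if there is none.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))"
}

# 2. Create the card. /pin prompt lets the user choose the PIN interactively.
#    /adminkey random generates an admin key that is not retained, so nobody can later
#    reset the PIN with it (use /adminkey prompt and store the key if you need reset/unblock).
#    /generate formats the card so the smart card CSP can use it immediately.
& tpmvscmgr.exe create /name $CardName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 3. Request a certificate whose key pair is generated inside the virtual smart card.
#    Naming the Base Smart Card Crypto Provider routes key generation to the card;
#    certreq prompts for the PIN chosen above. KeySpec=1 (AT_KEYEXCHANGE) and
#    KeyUsage 0xA0 (digital signature + key encipherment) match a logon certificate.
$inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = $Template
"@
$work = Join-Path $env:TEMP 'vsc-enroll'                # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path (Join-Path $work 'req.inf') -Value $inf -Encoding ASCII

& certreq.exe -new    (Join-Path $work 'req.inf') (Join-Path $work 'req.csr')
& certreq.exe -submit -config $CaConfig (Join-Path $work 'req.csr') (Join-Path $work 'cert.cer')
& certreq.exe -accept (Join-Path $work 'cert.cer')      # writes the cert to the card and binds it to the key

# 4. Verify. certutil -scinfo enumerates readers and the certificates on each card;
#    the personal store should now hold a certificate with the Smart Card Logon EKU
#    (OID 1.3.6.1.4.1.311.20.2.2) whose private key lives on the virtual card.
& certutil.exe -scinfo
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    Select-Object Subject, Thumbprint, NotAfter
```

The security property the reply relies on comes from step 2: the private key never leaves this device's TPM, so the PIN on its own is useless on any other machine, and the user still has something to lose (the laptop) plus something to remember (the PIN). Whether to retain the admin key is a real trade-off: discarding it removes a reset path an attacker could abuse, but it also means a forgotten PIN requires re-provisioning the card.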