Generalize two-factor authentication by simplifying the user experience!
Too much security kills security
Multi-factor authentication is a good illustration of the adage "Too much security kills security".
Security often makes IT harder to use, and users respond by bypassing or weakening security mechanisms so they can get their work done. Strong authentication at Windows logon is a typical example.
Even when users have been trained to use unique, complex passwords, strong authentication remains a far better way to reduce the risk of credential fraud. Yet few companies use it for Windows logon today, for fear of wearing users down with a prompt at every session lock.
The new OTP retention mechanisms reduce the number of authentication prompts and provide enough flexibility that we can now strongly recommend deploying OTP at Windows logon, raising the company's overall level of security.
Windows Logon MFA
We already presented them to you a few years ago at a security breakfast: Deepnet Security and their flagship product, DualShield, have just released a new feature for Windows logon.
If you want to protect your users' workstations with a second authentication factor, the most mature solution on the market is undoubtedly DualShield Desktop Logon. Its advantage is that it still enforces MFA at logon even when the PC is not connected to any network.
Authentication works as follows.
The solution is based on three components:
- An authentication server (3)
- An agent installed on a Windows server (2)
- A client program on the user’s workstation (1)
During the authentication process, the client program collects the user's credentials and forwards them to the agent. The agent acts as a bridge between the client and the DualShield authentication server.
OTP retention
To improve the user experience, DualShield can be configured to keep the user's last password in memory, so the user only needs to enter their OTP to sign in to their workstation. This feature has recently evolved to give you the choice between retaining the OTP or the password.
Indeed, it can be very tiring for a user to have to take out their phone or physical token every time they step away from their computer. DualShield now allows you to retain the token factor instead, so that only the password needs to be re-entered to unlock the user's workstation.
Enabling this feature is straightforward:
- Log in to the machine hosting the DualShield agent and launch DualShield Windows Logon Manager
- Go to the General Policy tab
- In this tab you will find the MFA Exemption section
In that section you can define a token exemption period that starts after a successful logon. During that period the workstation is protected by the password alone, so choose its length to balance convenience against that exposure.
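To make the exemption logic concrete, here is an added illustrative model of such a grace window, written for this article and not DualShield's own code. It assumes the window is keyed per user and workstation, starts at the last successful password-plus-OTP logon, is not extended by password-only unlocks, and is cleared at logoff.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

@dataclass
class MfaExemptionPolicy:
    """Hypothetical model of an MFA exemption window (not a vendor implementation).

    After a successful password + OTP logon, unlocks on the same workstation
    within `exemption` require only the password. The password is always
    required; only the OTP factor is exempted.
    """
    exemption: timedelta
    # (username, workstation) -> time of the last full (password + OTP) success
    last_full_auth: Dict[Tuple[str, str], datetime] = field(default_factory=dict)

    def full_logon(self, user: str, workstation: str,
                   password_ok: bool, otp_ok: bool, now: datetime) -> bool:
        """Interactive logon: both factors must succeed to open the window."""
        if password_ok and otp_ok:
            self.last_full_auth[(user, workstation)] = now
            return True
        return False

    def otp_required(self, user: str, workstation: str, now: datetime) -> bool:
        """True unless a full logon on this workstation is still inside the window."""
        last = self.last_full_auth.get((user, workstation))
        if last is None:
            return True
        if now < last:          # clock moved backwards: fail closed
            return True
        return now - last >= self.exemption

    def unlock(self, user: str, workstation: str,
               password_ok: bool, otp_ok: bool, now: datetime) -> bool:
        """Session unlock: password always; OTP only when the window has lapsed."""
        if not password_ok:
            return False
        if self.otp_required(user, workstation, now):
            if not otp_ok:
                return False
            self.last_full_auth[(user, workstation)] = now   # fresh OTP, new window
        return True

    def logoff(self, user: str, workstation: str) -> None:
        """Ending the session discards the exemption for that workstation."""
        self.last_full_auth.pop((user, workstation), None)
```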
>>> Contact us for more information.