How some users incorrectly use the two-factor authentication process – some comments from Andy Kemshall, SecurEnvoy
(PRWEB UK) 21 November 2014
Many companies use Microsoft Remote Desktop Web (RD Web) in order to manage their access to server resources. Two-factor authentication (2FA) is recommended to secure this access. This usually consists of the conventional username and password components plus an additional passcode component. However, there has recently been an increase in cases of third parties obtaining access to web applications in RD Web environments without needing to enter the additional passcode. How have the third parties been able to get past the usually highly secure 2FA and how should RD Web users protect themselves in the future?
Let's take a look at everyday business activities and how an RD Web login process normally runs. First, a user must authenticate themselves via 2FA in a Microsoft RD Web interface in order to access a website. Then there is a second authentication normally via Single Sign On (SSO) to RD Gateway which is the main VPN that all remote data sent from the RDP client uses. Next something known as an RD Connection Broker comes into play and this connects the user to a backend RD Session Host. Application access is then enabled.
However, the interaction between RD Web and traditional 2FA servers has resulted in the appearance of major vulnerabilities. The reason for this is the lack of a connection between the 2FA server and the Microsoft RD Gateway server. Users can easily create a remote desktop protocol (RDP) file or just request full desktop access directly to the RD Gateway without needing to visit the RD Web first. This allows third parties to bypass the 2FA check required at the RD website and access the gateway directly. To login, one simply has to enter a username and a password here. As the RD Gateway does not have any 2FA integration, this constitutes a major security risk for companies and organisations.
Where the Microsoft protection stops…
In order to prevent such bypassing of 2FA, companies are recommended to install a Windows Logon Agent (2FA) on each RD Session Host. But this theoretically beneficial security step actually creates another big problem: Each backend RD Session Host will require a separate 2FA authentication so each time a user reconnects or starts a different application the RD Connection Broker will probably select a different Session Host. In other words, users would be forced to authenticate themselves countless times via 2FA in their daily work. This would lead not only to frustration but also a reduction in workflow and productivity. It is also a poor security design as it’s like trying to lock all internal doors after leaving your front door open!
SecurEnvoy is the first 2FA company to add true RD Gateway integration. They are the only provider of a solution that restores the security of 2FA and overcomes the aforementioned problems with Microsoft RD Gateway. When companies install a SecurEnvoy solution in the RD Web and on the RD Gateway, all communication through both the RD Web and the RD Gateway is routed and simultaneously checked by the SecurEnvoy agent. This is possible because the SecurEnvoy solution is directly connected to the RD Gateway and Active Directory server and the security mechanisms can now be applied to the whole system. This allows every user to again make unrestricted use of 2FA for all remote desktop web sessions. The system is 100% secure and can never be bypassed using just a conventional login process (username and password).
About SecurEnvoy plc:
SecurEnvoy is the creator of patented tokenless solutions for two-factor authentication. Millions of global users already benefit from the fastest mobile authentication process available that doesn’t require a token. The process uses commonly available devices like mobile phones, smartphones, tablets and laptops to provide the passcode required for authentication. Even without mobile phone reception or an internet connection, the user can obtain the code via a voice call or enable identification using one-swipe technology, which is based on a QR code scan. The product range of the company based in London (UK), Frankfurt (D), New York and San Diego (USA) includes the SecurAccess solution. The administration tools can easily be integrated into existing IT infrastructures and allow administrators to add up to 100,000 users per hour. SC Magazine awarded the solution ‘Best Buy’ and the company has been classed as a leading visionary in Gartner’s Magic Quadrant. SecurEnvoy has a customer base in all vertical segments, including banking, finance, insurance, government, manufacturing, marketing, retail, telecoms, charity, law and construction. The authentication expert collaborates with partners such as AEP, Astaro, Cisco, Checkpoint, Citrix, Juniper, F5, Palo Alto, Sophos, etc. See http://www.SecurEnvoy.com for further information.
SecurEnvoy Global HQ
USA branch I:
373 Park Ave South
USA branch II:
Mission Valley Business Center
8880 Rio San Diego Drive
8th Floor San Diego CA 92108
Sprengel & Partner GmbH
56472 Nisterau, Germany
Tel.: +49 (0)26 61-91 26 0-0
Fax: +49 (0)26 61-91 26 0-29