

While privacyIDEA Server does support offline authentication, this component is currently not implemented in the privacyIDEA Credential Provider. You can do it, but it will always be a technical crutch, even if it might seem smooth to the user. Having said this, you will also see that offline authentication is a bit of a problem. The 2nd factor authentication is done on the client side; the Kerberos ticket is still retrieved with the domain password from the domain controller. So adding 2FA with OTP on the Kerberos level is simply not possible with the Microsoft implementation! Thus you have to choose another approach, which we have done with the privacyIDEA Credential Provider as a component to be installed on the client machine (not on the domain controller). The Microsoft KDC, a.k.a. the domain controller, does not support any additional protocol. If you want to add 2FA, it gets a bit more difficult if you do not use smartcards, which are directly supported in Windows: You don't just lose data, but your customers will lose trust in your business, which will have huge consequences for your business' reputation. A weak password causing a security breach can have a negative impact on the business and its customers. If you logged in to a computer, the Windows client caches the credentials, and you can unplug your laptop and log in in the absence of the domain controller, for a certain time. MFA supports stronger and better security.

So basically, when you are logging in to the Windows domain you are doing a Kerberos authentication against the KDC/Domain Controller. There are several restrictions with the "Windows login".
