So, I’ve started a new job back in the IT career field and I couldn’t be happier. I’m able to do things related to my expertise again. One of the challenges in my job has been a community-wide lack of #MFA in our network environments. I won’t discuss which community, because it would start a lot of debate that isn’t relevant here. However, my new position allows me to set the tone and the objectives toward which we will progress.
I’ve looked at a lot of different possible implementations of #MFA, and our environment introduces some serious considerations and constraints. Here are the inviolate constraints that I’m using for our solution:
- Non-Internet-connected Network: Our networks do not and cannot touch the Internet in any way; patches and updates come across an air gap
- Small IT Staff: I have more of a staff than I’ve had elsewhere, but not a large enough one to regularly move files between the Internet and our environment
- Restrictive Budget: No surprise here; who has money these days, when cut-backs are all the rage?
- Relatively Small User Base: Typically fewer than 100, with surges to around 500; most are non-technical users who just “want it to work” and hate the word “security”
- Government Restrictions: Although I have the freedom to introduce new technology, I’m also restricted in just how much I *can* introduce
Looking around at what has been approved elsewhere within the government, I came across two #MFA options:
After reading through both vendors’ product pages, I found that the YubiKey option meets many of the above criteria and also gives me a way to implement it in my #HomeLab for personal use. So, in come the new toys:
I decided to get two keys; one of them will either become my cold-storage backup sitting in my fire safe, or go to my wife so I can give her an easier way to be secure. I also wanted to try out the different interfaces (USB-A, USB-C, NFC, and Lightning) and see what the limitations, caveats, and warts of the product are.
Because of what I have set up in my #HomeLab, here are some of the use cases I intend to test:
- On-Prem AD Windows Login
- Azure AD Windows Login
- Azure AD macOS / iOS / Android Login
- Password-less Login using the FIDO2 protocol
- Horizon Client login
- Zero / Thin Client login to Horizon VDI
- VMware UAG Login to Horizon VDI Environment
- GlobalProtect VPN Login using Azure AD users
I’ll share anything interesting that I find or discover throughout this process. There is a lot of documentation on the Yubico website.
If there’s another MFA product out there that applies to my work use case and/or a #HomeLab environment, please share! I LOVE my 1Password with the Google/Microsoft Authenticator solution that I’m using right now. I’m not as interested in using the YubiKey to replace the TOTP I’m already getting as in using it as a true, lightweight second factor.
Anyway, let me know what you’re doing in either your #HomeLab or your work environment (if it’s small like ours). Also, if you have any other suggestions for products that fit within the constraints, let me know.