An organization requires employees to use 2 person authentication in some scenar
Question
An organization requires employees to use 2 person authentication in some scenarios. That is, when accessing, say, a server, secret knowledge from 2 people should be used for authentication. No one person should ever have access to the server alone.
Question: What implementations of this requirement are possible?
This is a Windows setup.
The only implementation I can think of is the following: 2 people both connect to the machine (say, remotely), the first person enters the first part of the password he knows, and the second person enters the second half.
Explanation / Answer
One approach is to use temporary passwords, and a password management application. The process could work like:
I have seen systems like this, but they all used some bespoke scripting, based on an existing request management system. I don't know anywhere you can just download such an application.
Of course, once the admin has the temporary password, they have single-handed access to the server. If you need the two-man rule the whole way - that there have to be two admins sat at one computer to perform the work - this approach won't work.
A variant on this I have seen is that a secure ID token is held by ops staff. When the admin needs to log in to the server, they provide a password (that only they know) and also phone the ops desk to get the code from the secure ID token. I'm not convinced this arrangement is a good idea, but it does get used.
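An added example, not part of the original question or answer: one way to split a randomly generated temporary password between two custodians so that neither share alone reveals anything about it, unlike the half-and-half split in the question, where each person already knows half of the characters. The function names and the SHA-256 verifier are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def issue_temporary_password(nbytes=16):
    """Create a random temporary password and split it into two shares.

    Returns (share_a, share_b, verifier) as hex strings. share_a is a
    one-time pad and share_b is the password XORed with that pad, so each
    share on its own is uniformly random and carries no information
    about the password.
    """
    password = secrets.token_bytes(nbytes)
    share_a = secrets.token_bytes(nbytes)
    share_b = bytes(p ^ a for p, a in zip(password, share_a))
    # An unsalted hash is acceptable here only because the password is a
    # full-entropy random value, not something a human chose.
    verifier = hashlib.sha256(password).hexdigest()
    return share_a.hex(), share_b.hex(), verifier


def combine(share_a_hex, share_b_hex, verifier):
    """Recombine both shares; return the password (hex) or None.

    None is returned for malformed input, mismatched lengths, or a
    result that does not match the stored verifier.
    """
    try:
        a = bytes.fromhex(share_a_hex)
        b = bytes.fromhex(share_b_hex)
    except (ValueError, TypeError):
        return None
    if not a or len(a) != len(b):
        return None
    password = bytes(x ^ y for x, y in zip(a, b))
    digest = hashlib.sha256(password).hexdigest()
    if not hmac.compare_digest(digest, verifier):
        return None
    return password.hex()


if __name__ == "__main__":
    a, b, v = issue_temporary_password()
    print("custodian A holds:", a)
    print("custodian B holds:", b)
    print("both present     :", combine(a, b, v) is not None)
    print("A alone (A with A):", combine(a, a, v) is not None)
```

As the answer notes for temporary passwords in general, whoever sees the recombined value holds the whole credential, so the combining step belongs on the system being unlocked rather than on either custodian's workstation.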