Many federal IT departments are being told to provide 2-factor authentication not only for all logins, but also for all privilege elevations, including the launching of critical applications. Here’s how Centrify can help.
For Mac users: Centrify’s agent can handle smart card login at the desktop, and the latest release (Sept ’16) assists with moving toward a “smart card only” network. As Peter Havens wrote in his Sept blog here, with this latest agent “we have made great strides to ensure that you can do more on your Mac without the need for a password, including:”
· Login with any account on a multi-user or alternate name PIV card.
· Execute sudo with your smart card rather than a password.
· Manage a remote Mac using SSH or VNC leveraging Kerberos regardless of whether you logged in with a smart card or password.
· Securely protect Apple Keychains with either a smart card or password depending on how the user logged in.
For Unix users: For Red Hat and CentOS desktops, the Centrify agent can handle smart card login at the desktop. Additionally, Centrify allows an AD Kerberos ticket, obtained from any smart card desktop login, to be used for single sign-on (SSO) to a Unix/Linux machine via ssh. Furthermore, Centrify has policies to prevent password-based logins. Once logged on, Centrify’s Privilege Management functionality, which is a replacement for traditional ‘sudo’, can be configured to use Centrify’s MFA capabilities when a user performs a privilege elevation.
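The ssh single sign-on and “no password logins” points above rest on the Linux host accepting a Kerberos (GSSAPI) ticket and refusing the password and keyboard-interactive paths. As an added example, not Centrify’s code or documentation, here is a small POSIX shell audit that reads an OpenSSH `sshd_config` and reports whether those paths are closed. The directive names are standard OpenSSH keywords; the two config texts are constructed samples, and the `audit_sshd` and `effective_value` function names are my own.

```shell
#!/bin/sh
# Added illustrative audit of OpenSSH settings for Kerberos-only interactive login.
# Not Centrify tooling: it only checks the sshd side that any smart-card SSO depends on.

# Constructed sample: a near-default config that still permits passwords.
WEAK_CONFIG='Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
UsePAM yes'

# Constructed sample: the hardened form (GSSAPI on, password paths off).
HARDENED_CONFIG='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes'

# effective_value CONFIG_TEXT KEYWORD
# Prints the value sshd would use for KEYWORD (lowercased), or nothing if unset.
# Comments are stripped first; keywords are case-insensitive; sshd keeps the
# first value it reads for a keyword, so the first match wins.
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v key="$key" 'tolower($1) == key { print tolower($2); exit }'
}

# audit_sshd CONFIG_TEXT
# Prints one line per finding; returns 0 only when password-based logins are
# disabled and GSSAPI (Kerberos) authentication is enabled.
audit_sshd() {
    cfg=$1
    rc=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication)
    gss=$(effective_value "$cfg" GSSAPIAuthentication)

    # Apply OpenSSH defaults when a keyword is absent: passwords and
    # keyboard-interactive default to yes, GSSAPI defaults to no.
    pw=${pw:-yes}
    # ChallengeResponseAuthentication is an older alias of KbdInteractiveAuthentication.
    kbd_eff=${cr:-${kbd:-yes}}
    gss=${gss:-no}

    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1
    else
        echo "ok   PasswordAuthentication=no"
    fi
    if [ "$kbd_eff" != "no" ]; then
        echo "FAIL KbdInteractive/ChallengeResponse=$kbd_eff (want no)"; rc=1
    else
        echo "ok   KbdInteractive/ChallengeResponse=no"
    fi
    if [ "$gss" != "yes" ]; then
        echo "FAIL GSSAPIAuthentication=$gss (want yes for Kerberos SSO)"; rc=1
    else
        echo "ok   GSSAPIAuthentication=yes"
    fi
    return $rc
}

echo "== constructed weak config =="
audit_sshd "$WEAK_CONFIG" || true
echo "== constructed hardened config =="
audit_sshd "$HARDENED_CONFIG"
```

On a real host, run `audit_sshd "$(cat /etc/ssh/sshd_config)"`. A passing result only means sshd will not take a password; the Kerberos side (host keytab, realm trust, the agent’s ticket handling) still has to be in place for the smart-card-derived ticket to be accepted, and `Match` blocks that loosen these settings for specific users or groups are outside what this check reads.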
For Windows users: Centrify allows you to wrap Privilege Management around any application, thus requiring a user to re-authenticate with their smart card PIN before they can run the application. This is a simple and effective way to require two-factor authentication before users can launch critical applications. Take for example VMware vSphere, which many IT departments want to protect. You can set the security of this application so that no users can run it using their standard privilege; the only way to launch it is then to use Centrify to raise their privilege first, which prompts for their smart card PIN.
I have a short video here that demonstrates these above features and more.