Authentication

Protecting SBS Remote Web Access

I’ve been a firm believer in Two Factor Authentication (TFA) for a long time, and we use ScorpionSoft’s AuthAnvil here on all our servers and laptops. When we upgraded to Windows Small Business Server 2011 Standard early this year on our production network, one of the features that I was missing, and wasn’t happy about, was the lack of that TFA on the new Remote Web Access login page. When we contacted ScorpionSoft, they assured us it was coming soon, and asked us if we’d like to be on the TAP to get an early look at the product. Of course we said yes, and today I’m allowed to talk about it, and show a picture. So, first the picture - RemoteHomePage_01

See, looks just like regular RWA, except that it has an extra field for my AuthAnvil credential. That AuthAnvil credential is a combination of a PIN, and an 8 character one-time password. So, before any one can log on to my RWA site, they need to have three identification factors that assure me that they are who they say they are:

  • They must have an Active Directory account name and password that have permission to use RWA
  • They must know the PIN for that account
  • They must have the correct one-time password for that account

That one-time password (OTP) is generated at the time the user wants to log in from either their smart-phone, or from a hardware dongle. I’ve got both, but I have to say I end up using the generator on my iPhone 99% of the time.

The thing I like the most about AuthAnvil and RWWGuard is that it is completely transparent to my users. I don’t have to train them, make sure they’ve got some special card reader, or give them a different login page or anything. When I rolled out RWWGuard on my production server this morning, it just worked. And my users immediately recognized the new field and logged right in.

Now there are several vendors of two-factor authentication solutions, but the only one that has a product that integrates directly with SBS and with RWA is ScorpionSoft’s AuthAnvil and RWWGuard. And, frankly, their entire way of doing business recognizes that small businesses have just as compelling a need for secure authentication solutions as large businesses, and they’ve designed their product suite and business practices to scale from the large enterprise down to my small business. I like that, and it’s not an easy thing to do.

UPDATE: RWWGuard 2011 is officially available. And it's free to all AuthAnvil customers! Love it.