How to Deploy and Get the Most Out of Tokens
Paul Caskey, PKI Deployment Forum 2008
Our setup
• VeriSign Unified Authentication
• Active Directory-integrated
• Based on Microsoft CA, but signed by VeriSign public root
• Managed via an MMC
• CA and all operations happen at VeriSign
• Dual-key approach
  • Signing: SmartCard login
  • Encryption: EFS (escrowed)
• 3 certificate templates
  • Signing
  • Encryption
  • Key Recovery Agent
• All certs are on Aladdin tokens only (no software stores)
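As an added example (not from the presentation), a small consistency check for a dual-key template set like the one above: signing keys are never escrowed (that would defeat non-repudiation), decryption keys are escrowed (otherwise a lost token strands EFS and mail data), and escrow requires a Key Recovery Agent template. The Template fields and the rule set are my own simplification; the EKU OIDs are the standard Microsoft/PKIX values.

```python
from dataclasses import dataclass

# Real PKIX / Microsoft extended-key-usage OIDs.
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_EFS = "1.3.6.1.4.1.311.10.3.4"
EKU_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
EKU_KEY_RECOVERY_AGENT = "1.3.6.1.4.1.311.21.6"

@dataclass
class Template:
    """Simplified certificate template; the attribute names are my own, not Microsoft's."""
    name: str
    key_usage: set     # X.509 keyUsage bits, e.g. {"digitalSignature"}
    eku: set           # extended key usage OIDs
    archive_key: bool  # private key escrowed to the Key Recovery Agent
    token_only: bool   # key generated and held only on the token (no software store)

def check_design(templates):
    """Return policy violations for a set of templates; an empty list means consistent."""
    problems = []
    for t in templates:
        if not t.token_only:
            problems.append(f"{t.name}: key not confined to the token")
        if {"digitalSignature", "keyEncipherment"} <= t.key_usage:
            problems.append(f"{t.name}: one key used for both signing and encryption")
        # An escrowed signing key can no longer support non-repudiation.
        if "digitalSignature" in t.key_usage and t.archive_key:
            problems.append(f"{t.name}: signing key is escrowed")
        # A non-escrowed EFS/email decryption key strands data when the token is lost.
        if (t.eku & {EKU_EFS, EKU_SECURE_EMAIL} and "keyEncipherment" in t.key_usage
                and not t.archive_key):
            problems.append(f"{t.name}: decryption key is not escrowed")
        if EKU_SMARTCARD_LOGON in t.eku and "digitalSignature" not in t.key_usage:
            problems.append(f"{t.name}: smart card logon requires a signing key")
    if any(t.archive_key for t in templates) and not any(
            EKU_KEY_RECOVERY_AGENT in t.eku for t in templates):
        problems.append("keys are escrowed but no Key Recovery Agent template exists")
    return problems

# Constructed definitions mirroring the three templates on the slide.
DUAL_KEY_DESIGN = [
    Template("Signing", {"digitalSignature"}, {EKU_SMARTCARD_LOGON, EKU_SECURE_EMAIL}, False, True),
    Template("Encryption", {"keyEncipherment"}, {EKU_EFS, EKU_SECURE_EMAIL}, True, True),
    Template("Key Recovery Agent", {"keyEncipherment"}, {EKU_KEY_RECOVERY_AGENT}, False, True),
]
# Constructed single-key alternative: one escrowed key for everything, software store allowed.
SINGLE_KEY_DESIGN = [Template("AllInOne", {"digitalSignature", "keyEncipherment"},
                              {EKU_SMARTCARD_LOGON, EKU_EFS, EKU_SECURE_EMAIL}, True, False)]
```

Running `check_design(SINGLE_KEY_DESIGN)` lists the four ways the single-key design breaks these rules, while the dual-key set returns no violations.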
Our uses
• Email signing and encryption
• Document signing
• SmartCard login (our passwords meet LoA2 entropy, but…)
• Remote access??
Enrollment Process
• User requests a token from the Help Desk
• Help Desk prepares the token (initialize, assign)
• Vetting: verify the user's identity
• Enrollment authorization granted
• User enrolls at the Help Desk via a kiosk
• First use of the token forces the user to set a password
Design/implementation issues
• Manual vs. auto-enrollment
• Dual-key vs. single-key
• Token enrollment (in-person or remote)
• Client software deployment
• PIN resets
  • Local
  • Remote
• Lost tokens
Aladdin Token Management System (TMS) 2.0
• Web-based management interface
  • Look up users, tokens
  • Initialize
  • Assign
• Web-based user self-service
  • Enrollment/software installation
  • Security questions
  • Report lost tokens
  • Password reset
• Web-based remote service
  • Virtual tokens