Thursday, November 13, 2008 1:21 AM
Depends on what you mean by excessive. I would say the benefit--i.e., making sure you know that the people accessing your system are the right people--is a reasonably important desire. Unfortunately the effort--i.e., managing tokens and certificates and lots of users and system integration--can be significant.
Thursday, November 13, 2008 1:27 AM
There are some new solutions available you might want to look into, mainly based on old technologies but new realities. The main new reality is that everyone has a cell phone. This makes it possible to get users to manage what used to be managed by IT--the token. This transfer of responsibility makes a big difference.
Thursday, November 13, 2008 1:33 AM
Interesting idea. The additional benefit from a VPN security POV is that a phone-based solution will provide authentication through a completely separate, or out-of-band, channel. You gotta believe this is better than the traditional token approach in which the second factor is actually translated into the first channel (a number valid at a particular moment) and submitted.
Thursday, November 13, 2008 1:36 AM
Very true. You might want to check out PhoneFactor at www.phonefactor.com/solutions/remote-access-vpns/. Good thing about this particular service is that they have a solution designed to sit on top of Cisco, Microsoft, and other VPNs, which makes it easier to set up and manage.