Multi-Factor Authentication Ideas Needed

Mhomar
Contributor

Hi everyone, I am hoping to get some of your valuable insight and time. My company has a multi-factor authentication (MFA) login requirement. We have been using Idaptive (formerly Centrify) DirectControl and smartcards with good success (not the best user experience) over the last 2+ years to meet this requirement.

However, their current client v19.6 does not work with macOS 10.15.x and smartcards. I am told this is a “bug” within macOS itself and they have a bug report in for it. At this time, I have not been given much of an update or an ETA.

This means I cannot put any new computer on our network (they ship with Catalina and cannot be back revved) or upgrade any of our Mojave installs. This is getting to be a difficult spot for our company (and me). Here is the question for you. What are my alternatives to Idaptive for MFA?

I do not believe the use of a smartcard is a hard requirement and I think I would prefer to use an RSA token like we do on the Windows side but that is not available for macOS.

I phrased this in a somewhat general way in an effort to not narrow or focus your ideas.

We are bound to AD via the Centrify suite and mostly FileVaulted.

I appreciate any and all ideas you may have.

11 REPLIES

boberito
Valued Contributor

Centrify is not required anymore. In fact I’d avoid it like the coronavirus. Check out the man page for SmartCardServices. You can easily implement native smartcard support.

We’ve implemented smart cards, and many others have, using Apple’s built-in methods.

theraven
New Contributor II

We have run into the same issue and the solution we came up with is to stay on the 5.5.1 version and install the Charismathics tokend drivers, after disabling the PIV smart card extension with the command:

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
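The two replies above turn on the same native smart-card stack: one points at the SmartCardServices man page for Apple's built-in support, the other writes the DisabledTokens key of the com.apple.security.smartcard domain. Here is an added example, not code from any poster, that builds a configuration profile for Apple's SmartCard payload and audits a dictionary of that preference domain for the settings a practitioner would check (PIV token disabled, trust checking off, no lock on card removal). The payload keys are the ones Apple documents for com.apple.security.smartcard; the identifiers, output file name and the sample dictionaries are constructed for the example.

```python
"""Build and audit a native macOS smart-card configuration (added example)."""
import plistlib
import sys
import uuid

SMARTCARD_DOMAIN = "com.apple.security.smartcard"
PIV_TOKEN = "com.apple.CryptoTokenKit.pivtoken"   # the built-in PIV token class


def smartcard_payload(enforce=False, user_pairing=True, check_trust=1,
                      removal_action=1, one_card_per_user=True):
    """Return one SmartCard payload dictionary.

    checkCertificateTrust: 0 = no validation, 1 = chain validation,
                           2 = chain + soft revocation, 3 = chain + hard revocation.
    tokenRemovalAction:    0 = do nothing, 1 = lock the screen when the card is removed.
    """
    return {
        "PayloadType": SMARTCARD_DOMAIN,
        "PayloadIdentifier": f"{SMARTCARD_DOMAIN}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Smart Card",
        "allowSmartCard": True,
        "enforceSmartCard": enforce,
        "UserPairing": user_pairing,
        "checkCertificateTrust": check_trust,
        "tokenRemovalAction": removal_action,
        "oneCardPerUser": one_card_per_user,
    }


def build_profile(enforce=False, **kwargs):
    """Wrap the payload in a top-level profile and return plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.smartcard",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Native smart card login",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [smartcard_payload(enforce=enforce, **kwargs)],
    }
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Parse profile bytes back into a dictionary (used to verify the output)."""
    return plistlib.loads(xml_bytes)


def audit_smartcard_prefs(prefs):
    """Return findings for a com.apple.security.smartcard preference dict.

    `prefs` is the domain's keys as a dict (the plist written by `defaults write`);
    an empty list means nothing to flag.
    """
    findings = []
    if PIV_TOKEN in prefs.get("DisabledTokens", []):
        findings.append("DisabledTokens lists the built-in PIV token: "
                        "native (CryptoTokenKit) smart-card login is off")
    if not prefs.get("allowSmartCard", True):
        findings.append("allowSmartCard is false: smart-card login is disabled")
    if prefs.get("enforceSmartCard") and prefs.get("checkCertificateTrust", 0) == 0:
        findings.append("enforceSmartCard is set but checkCertificateTrust is 0: "
                        "the card's certificate chain is not validated at login")
    if prefs.get("tokenRemovalAction", 0) == 0:
        findings.append("tokenRemovalAction is 0: the screen is not locked "
                        "when the card is removed")
    return findings


# Constructed samples: the state left by the `defaults write ... DisabledTokens`
# command above, and a hardened domain that matches the profile built here.
TOKEND_STYLE_PREFS = {"DisabledTokens": [PIV_TOKEN]}
HARDENED_PREFS = {"allowSmartCard": True, "enforceSmartCard": True,
                  "checkCertificateTrust": 1, "tokenRemovalAction": 1}

if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "smartcard.mobileconfig"
    with open(out, "wb") as fh:
        fh.write(build_profile(enforce=False))   # pair first, enforce later
    for name, prefs in (("tokend-style", TOKEND_STYLE_PREFS), ("hardened", HARDENED_PREFS)):
        print(name, "->", audit_smartcard_prefs(prefs) or "OK")
```

Install the generated profile (for example with an MDM) with enforceSmartCard left false until every user has paired a card, then flip it; the audit function is the check to run before enforcing.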

boberito
Valued Contributor

Don't disable cryptotokenkit. Do not use tokend. MOVE FORWARD, NOT BACKWARDS. tokend dies before the end of life of 10.15 I will put money on.

lazyGhost
New Contributor III

I'm in a similar situation. We're currently evaluating Cisco Duo but don't like the fact that it only challenges on login, not from lock/screensaver, which the PC does. Duo also lacks offline MFA for Macs. If Duo did offline MFA and screensaver/lock screen, it'd be a surefire solution.

We have the same deadline most likely to comply with requirements and stuck wondering what else is out there? If Centrify is out, what's left? Jamf Connect with Azure AD maybe? Will this get the job done? Are there any other alternatives?

Duo Authentication for macOS does not support Apple M1 ARM-based processors. Do not install Duo on these systems.

boberito
Valued Contributor

@lazyGhost if you have PIV smart cards, then the built-in CryptoTokenKit. Using something like Duo or Ping or Okta will require something like Jamf Connect. But that’ll only work at the login window (it’s NoMAD Login at its core).

lazyGhost
New Contributor III

@boberito Got any recommended smart card vendors? YubiKey comes to mind, but if there are others, I’m open to hearing about anything at this point. We don’t have smart cards here, but if that’s our only choice, I reckon that’s the way forward. Jamf Connect with Ping/Azure is the next best thing, I reckon.

boberito
Valued Contributor

I believe YubiKeys might be the only derived PIV option that I can think of, and probably the best option; otherwise you need cards and readers and it's a bit of an annoyance.

Though Jamf showed off an upcoming feature of Jamf Connect that looks amazing, using your iPhone as a derived PIV solution https://youtu.be/_oJ9jNbN3GQ?t=5692

lazyGhost
New Contributor III

Yeah, I saw that at JNUC. Thanks though. Time to check out YubiKeys.

boberito
Valued Contributor

@lazyGhost unrelated, I am jealous you have the short lived CMA.

tlarkin
Honored Contributor

We do cloud/zero trust, and everything is behind Okta. You then have to have your trusted device (smartphone, YubiKey, etc.) registered with our IdP. We federate all app auth, all Azure/AAD auth, and so forth. I know my setup works best in the cloud, and with on-prem it brings unique issues. The UX is pretty good though. I can get Okta/Duo notifications on my phone, which in turn go to my Apple Watch, and I can approve them. I can also hook up and register a YubiKey as an option as well.

I looked at smart cards a couple of years ago and was very glad I was not required to go down that path.