-2

I need 2 Factor Authentication with Smartcards, so I want to log in with a password and a Smartcard. I know that Smartcards have passwords, but my company doesn't like this solution. Is there a way to require an AD user and password and a Smartcard for login?

  • In most cases (certainly in the environment I work in) I believe the smart card credential *replaces* the traditional password. Using the smart card *is* 2 factor authentication: something you have (the card) plus something you know (the password or pin for the certificate on the card). Allowing the original AD password is still possible, but I believe (from experience) that authentication would be via the original password *or* the card, not the original password *and* the card. You must use one credential or the other; you cannot guarantee 2FA that way. – pmdba Apr 28 '21 at 11:21
  • The problem is that my company doesn't like this because employees still have the possibility to be morons – Björn Max Jakobsen Apr 28 '21 at 11:23
  • meaning they could lose the card? wouldn't that be a problem no matter what? – pmdba Apr 28 '21 at 11:24
  • No, setting stupid passwords like phone numbers. And we are using yubikeys so we'd need to set the management key too because you can overwrite the password with it, and the default key is always the same – Björn Max Jakobsen Apr 28 '21 at 11:26
  • That is fundamentally not how smart cards work in Windows. – Greg Askew Apr 28 '21 at 13:43

2 Answers

1

If I understand correctly, you want to still use the AD credentials to log in, but with the smart card so that way you are still using complex passwords as opposed to using the smart card 'password', which is a PIN number?

You mention that people might use 'stupid' numbers like phone numbers etc. if you use the PIN. However, even a 6 digit PIN with a smart card is still more secure than traditional username/password.

Even if someone uses their phone number as a PIN (not recommended of course), an adversary still couldn't compromise the account and log in unless they had the Yubikey.

2FA here means something you know and something you have. To steal a person's Yubikey is a targeted action, meaning that the adversary would be close enough to the person that they most likely would already have gained the password in some manner (e.g. shoulder surfing). Without the password, stealing the Yubikey would be pointless.

The other scenario would be if someone lost their Yubikey but of course, if someone randomly found a Yubikey then it's useless anyway.

Bottom line is, just use the Yubikey PIN, it may not be as complex as AD password requirements but the smart card solution is still a lot more secure than username/password.

For added security, configure the Yubikey with the touch feature. This ensures that even if somehow the certificate and PIN are compromised, those details won't be able to be used remotely because the system would require further confirmation which can only be generated by the physical key.

NetServOps
0

You could require PIN complexity for Yubikeys. See https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html This may be scripted. See https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html

I can also recommend TPM virtual SmartCards that allow PIN complexity to be easily scripted, too.
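The asker's concern in the comments (a weak PIN, and a YubiKey left on its factory management key so the PIN can simply be reset) and the second answer's remark that PIN complexity "may be scripted" can be combined in one provisioning wrapper. The script below is an added example, not code from the question, the answers or Yubico: it rejects a proposed PIN against a simple policy, refuses a management key that is still the documented PIV default, and only then builds the `yubico-piv-tool` invocations (`set-mgm-key` with `-k`/`-n`, `change-pin` with `-P`/`-N`, which are real options of that tool) that rotate both. The policy thresholds and the date/sequence heuristics are assumptions to tune for your own standard; the default PIN, PUK and management key values are the well-known PIV factory defaults.

```python
"""Enforce a PIN policy before provisioning a YubiKey PIV applet.

Added example (not from the question, answers or Yubico). Assumes
yubico-piv-tool is on PATH when --apply is given; without --apply it only
prints the commands it would run.
"""
import re
import secrets
import subprocess
import sys

# Well-known PIV factory defaults; any token still using these is a finding.
DEFAULT_MGM_KEY = "010203040506070801020304050607080102030405060708"
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"

# Policy parameters (assumption: adjust to the organisation's standard).
MIN_LEN, MAX_LEN = 6, 8  # PIV PINs are 6-8 ASCII characters


def pin_policy_violations(pin: str) -> list[str]:
    """Return human-readable policy violations; an empty list means acceptable."""
    problems = []
    if not (MIN_LEN <= len(pin) <= MAX_LEN):
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not pin.isascii() or not pin.isprintable() or " " in pin:
        problems.append("only printable ASCII without spaces is allowed")
    if pin in (DEFAULT_PIN, DEFAULT_PUK):
        problems.append("factory default value")
    if pin.isdigit():
        digits = [int(c) for c in pin]
        if len(set(digits)) == 1:
            problems.append("all characters identical")
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps in ({1}, {-1}):
            problems.append("sequential digits")
        # Heuristic: 19xx/20xx followed by six digits reads like a YYYYMMDD date.
        if re.fullmatch(r"(19|20)\d{6}", pin):
            problems.append("looks like a date (YYYYMMDD)")
    return problems


def new_management_key() -> str:
    """24 random bytes as 48 hex characters, the format yubico-piv-tool expects."""
    return secrets.token_hex(24)


def provision_commands(new_pin: str, new_mgm_key: str,
                       current_pin: str = DEFAULT_PIN,
                       current_mgm_key: str = DEFAULT_MGM_KEY) -> list[list[str]]:
    """Build the yubico-piv-tool invocations that rotate the management key and PIN.

    Raises ValueError instead of touching the token when the policy is not met.
    """
    violations = pin_policy_violations(new_pin)
    if violations:
        raise ValueError("PIN rejected: " + "; ".join(violations))
    if not re.fullmatch(r"[0-9a-fA-F]{48}", new_mgm_key) or new_mgm_key.lower() == DEFAULT_MGM_KEY:
        raise ValueError("management key must be 48 hex chars and not the factory default")
    return [
        # Rotate the management key first: with the default key anyone could reset the PIN.
        ["yubico-piv-tool", "-a", "set-mgm-key", "-k", current_mgm_key, "-n", new_mgm_key],
        # Then replace the factory PIN with the policy-checked one.
        ["yubico-piv-tool", "-a", "change-pin", "-P", current_pin, "-N", new_pin],
    ]


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} NEW_PIN [--apply]", file=sys.stderr)
        return 2
    try:
        commands = provision_commands(argv[1], new_management_key())
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 1
    for cmd in commands:
        # Never echo the new management key; it must be stored in your key escrow instead.
        shown = [("<redacted>" if i > 0 and cmd[i - 1] == "-n" else a) for i, a in enumerate(cmd)]
        print(" ".join(shown))
        if "--apply" in argv[2:]:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without `--apply` first to see the two commands; the new management key is printed redacted because it has to be recorded in whatever escrow your help desk uses for PIN resets, not in a shell history. The order matters: rotating the management key before setting the PIN closes the window the asker describes, where a default key lets anyone overwrite the PIN.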