1

I hope this doesn't come across as an idiotic question, but here is the scenario:

We have a Server 2008 R2 domain, using PKI authentication managed through SafeNet. For a few systems within our domain, due to design restrictions, several users must use a single shared account. That is easily managed by adding the shared account to their smart cards, but this raises the question of non-repudiation. Essentially:

Is there a way to keep track of which card logged into the shared account? Or is there some other way to differentiate user usage and track who was actually using the account at a given time?

Under these conditions, no card would have only the shared account; all cards would also have a designated user account assigned to them, and the shared account would be secondary.

Gravy

2 Answers

1

Your design completely circumvents the entire purpose of two-factor authentication. You've taken the "something you have" factor and changed it to "something a bunch of people have/share."

The serial number or unique identifier of the smart card is not transmitted to the server, so it does not know which smart card was used to authenticate, assuming the credentials on the smart cards are all the same.

You could audit the insertion of smart cards on the client side; the PnP Manager (UserPnp, WudfUsbccidDrv, etc.) should write some unique events to the client's event log that contain a serial number, which could probably be used to identify which smart card was inserted at which time, but you may not have control over which client systems your users insert their smart cards into.

Ryan Ries
  • You are correct, the design does destroy the purpose of two-factor authentication... Unfortunately my job is not to pick the fruit that goes into the basket. My job is to take the basket of lemons given to me and make lemonade out of it :\ What you are saying is pretty much what I had come to on my own, but I figured there might be a chance someone knew something I did not. Thanks for the response. – Gravy Nov 03 '14 at 22:12
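
A client-side correlation of the kind this answer sketches, as an added example that is not part of the answer or the comment: it matches each logon by the shared account to the card insertion events recorded on that client shortly before it, and flags logons where no card, or more than one card, was inserted within the window. The event records and their field layout are constructed for the example, not real Windows event-log output, and the account name `shared_svc` and the card serials are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real Windows event-log output. Each is
# (timestamp, source, detail): "card" stands in for the client-side PnP/CCID
# insertion events the answer mentions, "logon" for a logon by the shared
# account. The field layout is an assumption made for this example.
SAMPLE_EVENTS = [
    ("2014-11-03T08:00:05", "card",  "SERIAL=CARD-A1"),
    ("2014-11-03T08:00:20", "logon", "ACCOUNT=shared_svc"),
    ("2014-11-03T09:15:00", "card",  "SERIAL=CARD-B2"),
    ("2014-11-03T09:15:04", "card",  "SERIAL=CARD-C3"),
    ("2014-11-03T09:15:30", "logon", "ACCOUNT=shared_svc"),
    ("2014-11-03T12:00:00", "logon", "ACCOUNT=shared_svc"),
]

# How long before a logon a card insertion still counts as "the" card.
WINDOW = timedelta(seconds=60)

def parse(events):
    """Turn the raw (ts, source, 'KEY=VALUE') tuples into typed records."""
    out = []
    for ts, src, detail in events:
        key, _, val = detail.partition("=")
        out.append((datetime.fromisoformat(ts), src, key, val))
    return out

def attribute_logons(events, account, window=WINDOW):
    """Map each logon of `account` to the card(s) inserted on the same
    client within `window` before it. Returns a list of
    (logon_time, verdict, serials) where verdict is 'attributed' (exactly
    one card), 'ambiguous' (several cards in the window) or
    'unattributed' (no insertion seen, e.g. logon from another client)."""
    recs = sorted(parse(events))
    results = []
    for ts, src, key, val in recs:
        if src != "logon" or val != account:
            continue
        serials = [v for t, s, k, v in recs
                   if s == "card" and ts - window <= t <= ts]
        if len(serials) == 1:
            verdict = "attributed"
        elif serials:
            verdict = "ambiguous"
        else:
            verdict = "unattributed"
        results.append((ts.isoformat(), verdict, serials))
    return results

if __name__ == "__main__":
    for row in attribute_logons(SAMPLE_EVENTS, "shared_svc"):
        print(*row)
```

The 'ambiguous' and 'unattributed' verdicts are the cases an auditor will ask about, which is why this only supports, rather than replaces, per-user accounts.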
0

By design we use different user accounts to differentiate users. You can't talk about non-repudiation in this scenario. How can you prove that a user has used his card if there are multiple cards identifying this user and multiple people assigned to those credentials? To answer your question briefly, you can implement functionality to track physical insertions and logins, but it will not survive a security audit. Remember that a token identifies a user from the directory, not the person inserting the card.

nethero