Conclusion

Two-factor authentication is the new baseline for VPN security, but standard methods are costly, either in hard dollar amounts or in degradation of the end-user experience. PortalGuard's PassiveKey for VPN provides the security of two-factor authentication by leveraging the user's laptop as "something they have", which eliminates the need for additional hardware tokens and pay-per-use software-based solutions. It is also easy to deploy and use, which ensures the security of two-factor does not come at the expense of the end-user's experience and usability.

Addendum - PassiveKey Technologies

The PassiveKey component of the PortalGuard Desktop serves to validate both the user -AND- the device they're using. PassiveKey is implemented as a client-side software solution that can automatically generate a Time-based One-time Password (TOTP).

Once installed, the user is automatically prompted to perform a one-time enrollment. The enrollment workflow occurs entirely over HTTP/HTTPS and is as follows:

1) TTTEnrollment.exe on the workstation runs automatically when the user logs into Windows. It checks the state of the local enrollment data and exits immediately if all parts are present and valid. If the signed public certificate is missing, the process continues.

2) The PortalGuard enrollment website is contacted in the background via HTTP/HTTPS.

3) If Active Directory is being used as the PortalGuard user repository, then the PortalGuard enrollment website can be configured for Integrated Windows authentication so the user is automatically logged in using Kerberos or NTLM. If Active Directory is not the repository, then the user will receive a prompt to manually authenticate to PortalGuard.

4) If two-factor authentication is required for enrollment, the user can use any of the enabled OTP methods they've already enrolled.

5) On the workstation, a 2048-bit public/private key pair is generated and an associated Certificate Signing Request (CSR) is created and sent to the PortalGuard enrollment website.

6) If the user's policy allows PassiveKey enrollment, then a signed public certificate is created and stored in the user's PortalGuard profile on the server.

7) The signed public certificate and the Certificate Authority's public certificate are sent back to the workstation and saved.

8) The workstation then submits a TOTP enrollment request to the server.

9) If the user's policy allows PassiveKey enrollment, then a random TOTP seed is generated, encrypted with the user's public key and sent back. A copy of the TOTP seed is encrypted using the server's public key and saved in the user's PortalGuard profile on the server.

10) The workstation decrypts the TOTP seed with the user's private key to ensure validity. It then saves all data in a container, AES-256 encrypts it with a randomly generated 64-character passphrase, and protects that passphrase with Microsoft DPAPI.
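The enrollment above ends with the workstation and the server sharing one TOTP seed; the seed is what makes the laptop "something you have". The following is an added example, not PortalGuard's code, showing what both sides do with that seed afterwards: the workstation derives the RFC 6238 one-time password from the seed and the current time, and the server recomputes it, allowing one time step of clock drift and refusing to accept the same counter twice. The seed value is the RFC 6238 reference secret, chosen only so the output is checkable; `TotpVerifier`, its window size and the replay check are assumptions of this example, not a description of PortalGuard's server logic.

```python
"""Added example (not PortalGuard's code): RFC 6238 TOTP generation and
server-side verification for a seed provisioned as in steps 8-10 above."""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    This is the workstation side: the decrypted seed plus the clock."""
    return hotp(seed, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check (assumed design, not PortalGuard's): recompute the
    code for the current step and +/- `window` neighbouring steps, and never
    accept a counter at or below the last one already used."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter accepted so far (replay guard)

    def verify(self, submitted: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed, or older than an accepted code
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_counter = counter
                return True
        return False


# Constructed seed: the RFC 6238 reference secret, used so results are checkable.
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    server = TotpVerifier(DEMO_SEED)
    print("workstation code:", code)
    print("first submission accepted:", server.verify(code, now))
    print("replayed submission accepted:", server.verify(code, now))
```

The replay guard matters in the VPN setting: a TOTP is valid for a 30-second step plus the drift window, so a code that is captured in transit could otherwise be reused inside that interval. Storing the highest accepted counter per user closes that gap without shortening the step.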