two factor authentication
Hi, I have a question about two factor authentication. When we use two factor authentication with a security token, is this information stored in the security token of the user? And if a user doesn't have this info, will there be a popup asking for the missing two factor authentication? Thanks... Andy

Don't dream your life - live your dreams!!! Senior Trainer & Consultant, TraiCen GmbH, http://www.traicen.com
February 8th, 2011 9:38am

I don't understand your question - do you have an example?
February 9th, 2011 3:05am

We have implemented 2 factor authentication with tokens. During the implementation, we had to extend the Active Directory schema to store information in AD about the token serial number etc., and I believe that other 2 factor solutions have a similar approach. We have a dedicated server that performs the task of verifying token responses from the user against the expected response.

When we use 2 factor authentication, we have used it for securing our IIS websites for external access, and this is done through an ISAPI filter on the IIS server. Effectively the process is that the user is authenticated with their username and password for the domain, then the ISAPI filter goes to AD and gets the token serial number for that user, issues a challenge to the user to enter their token response, and then this is sent back to the token server. Only when the token response is verified is the user then given the website content.

As far as I know (particularly in our implementation), the token response is not stored in the Security Token for the user along with the SIDs from the domain. Bear in mind that the whole point of 2 factor authentication is that the token response changes frequently, so there would be no benefit in it being stored anywhere. Also the token response needs to be verified by the server that checks the response against the expected token, so this would need to be performed each time the Security Token is used? Not very practical or scalable.

If you expect a popup to be issued each time the 2 factor authentication is "missing" - this is not built into Windows and would need a client on every single computer and system so that it can generate the popup or challenge, look up what token is expected, somehow hash or encrypt the information, and somehow know where/which server the token response needs to be sent to. In short, it depends upon your implementation, but it is highly unlikely.
February 9th, 2011 6:29am
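The flow the answer above describes (first factor checked against the directory, token serial looked up for the user, challenge issued, response verified by a dedicated token server, and nothing about the one-time response kept in the user's session) can be simulated end to end. The block below is an added example, not code from the original thread or from any product mentioned in it. It assumes an event-based HOTP token (RFC 4226) as the token type, a constructed in-memory dictionary in place of the AD attributes, a constructed `TOKEN_SERVER` table in place of the real verification server, and a `gateway()` function standing in for the ISAPI filter; the real deployment's token algorithm and schema attributes are not stated on the page.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample directory records, standing in for the AD attributes the
# post describes: the user's password (stored salted and hashed) and the serial
# of the token assigned to them. Note that no OTP value is stored here.
_SALT = b"constructed-salt"
DIRECTORY = {
    "andy": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
        "token_serial": "SN-0001",
    },
    "bob": {  # constructed user with no token enrolled
        "pw_hash": hashlib.sha256(_SALT + b"hunter2").hexdigest(),
        "token_serial": None,
    },
}

# Constructed token-server state: per serial, the shared secret and the event
# counter (HOTP). The secret never leaves this server; the gateway only asks
# "is this response valid for this serial?".
TOKEN_SERVER = {
    "SN-0001": {"secret": b"12345678901234567890", "counter": 0},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_server_verify(serial: str, response: str, look_ahead: int = 3) -> bool:
    """Compare the submitted response with the expected values for the serial.
    A small look-ahead window tolerates skipped presses; on success the counter
    moves past the matched value, so the same response cannot be replayed."""
    rec = TOKEN_SERVER.get(serial)
    if rec is None:
        return False
    for step in range(look_ahead + 1):
        expected = hotp(rec["secret"], rec["counter"] + step)
        if hmac.compare_digest(expected, response):
            rec["counter"] += step + 1
            return True
    return False


def check_password(user: str, password: str) -> bool:
    """First factor: constant-time comparison against the stored hash."""
    rec = DIRECTORY.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_hash"], digest)


def gateway(user: str, password: str, token_response: Optional[str]) -> str:
    """Stand-in for the ISAPI filter: password first, then look up the user's
    token serial, then hand the response to the token server. Returns the
    action the gateway would take for this request."""
    if not check_password(user, password):
        return "deny: bad credentials"
    serial = DIRECTORY[user]["token_serial"]
    if serial is None:
        return "deny: no token enrolled"
    if token_response is None:
        # This is the challenge the post describes; it is issued by the
        # gateway for this request, not by anything stored with the user.
        return "challenge: enter token response"
    if not token_server_verify(serial, token_response):
        return "deny: token response rejected"
    return "allow: serve content"


if __name__ == "__main__":
    print(gateway("andy", "correct horse", None))       # challenge
    print(gateway("andy", "correct horse", "755224"))   # allow (counter 0)
    print(gateway("andy", "correct horse", "755224"))   # deny, replayed value
    print(gateway("bob", "hunter2", "000000"))          # deny, no token
```

The secret `12345678901234567890` is the RFC 4226 test-vector key, so the first expected responses are the published values 755224, 287082 and 359152. The point the simulation makes is the one in the answer: every request goes back to the token server, the gateway keeps no OTP material, and a user without a serial in the directory is refused rather than prompted.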
