I'd like to enhance my Windows 2003 Server VPN with some 2-factor authentication. My sense is that these capabilities are provided by 3rd parties and layer on top of capabilities native to windows servers. I'm interested in what is: effective; cheap; convenient to set up; convenient to manage; flexible; convenient for users. I'd love to avoid physical tokens and software certificates. Any opinions out there?

Whoa... You are speaking in circles:"I'd like to enhance my Windows 2003 Server VPN with some 2-factor authentication." but....."I'd love to avoid physical tokens and software certificates"These are two conflicting statements. Until you decide which is more important to you and your organization, we can't help you.The definition of two -factor authentication is typically "something you have" (a hardware token/smart card/USB device) and something you know (The PIN protecting the password, a random number generated on the token).Please clarify what you are really after.ThanksBrian

I don't agree that they are contradictory statements, unless you think of your phone as a token. Phone or pager-based solutions (phones are better these days because more people have them) can go a long way towards obviating the need for the kind of physical tokens distributed by IT, while providing the same, if not better, results.

Phone based solutions have come a long way and they are actually more effective and flexible than the old corporate-issued token. At the same time they don't require the corporation to manage them. if people lose their cell-phones you can know for darn sure that they are going to find them again, and quick.

Brian Komar [MVP] said:Whoa... You are speaking in circles:"I'd like to enhance my Windows 2003 Server VPN with some 2-factor authentication." but....."I'd love to avoid physical tokens and software certificates"These are two conflicting statements. Until you decide which is more important to you and your organization, we can't help you.The definition of two -factor authentication is typically "something you have" (a hardware token/smart card/USB device) and something you know (The PIN protecting the password, a random number generated on the token).Please clarify what you are really after.ThanksBrianHey Brian,WHO! What about phone authentication? I don't think a phone would fall under a physical token in the way barrybourse is describing. Barry check out Phone Factor a great tool to secure vpn. www.phonefactor.com/solutions/remote-access-vpns

Thanks Brendan, I checked out the site and it seems like it could fulfill our needs. What about PhoneFactor makes it different/better than other phone-based solutions for enhancing ssl vpn authentication and security?

One aspect I would point out is that PhoneFactor has free versions that are very useful. You can get unlimited users on a single VPN application.