Free and “Open-Source” two-factor authentication for Citrix Web Interface 5.x – Pure ASP/C# Implementation

Two-factor authentication (also known as 2-step verification) relies on something you know (like a password) and something you have (like a cell phone). Crackers have a harder time getting into your account, because even if they figure out your password, they still only have half of what they need.

Posted on 14 Feb 2012 by Emin

Captcha in Citrix XenApp Web Interface

A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is generated by a person rather than a program.
Without one, automated requests can run a brute-force attack against a company's WI login page and break into its systems, or, far more often, trip the Active Directory account lockout policy (in Windows environments where one is enabled) and lock users out of their AD accounts until an administrator unlocks them.

I managed to implement CAPTCHA successfully for WI 5.3, and I am confident the same code works on the other 5.x interfaces without major modifications.

Posted on 04 Nov 2011 by Emin

Implementing two factor authentication with Citrix XenApp (Web Interface 5.x) using Mobile-OTP and MOTP-AS server at zero cost


Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication that requires the presentation of two different kinds of evidence that someone is who they say they are. It is part of the broader family of multi-factor authentication, a defense-in-depth approach to security. From a security perspective, the idea is to use pieces of evidence that are exposed to separate classes of attack (e.g. logical vs. physical), so that an attacker has to succeed against both, which makes the attack scenario more complex and consequently lowers the risk.

You can configure the following two-factor authentication methods for XenApp Web sites:

- Aladdin SafeWord for Citrix
- RSA SecurID
- RADIUS server

The first two options are secure but not free. The third, a RADIUS server, can be implemented at no additional cost, but a "classic" RADIUS setup (a second static password) adds little real security: whatever compromises the main password compromises the second one as well. It does make brute-force guessing harder, but if the passwords are being captured by a trojan or a hardware/software keylogger, the risk is still there.

The whole idea is to use a one-time password (OTP) as the second factor, as SafeWord and SecurID do.

To implement this at no cost, I suggest the solution below, which is based on mOTP (Mobile-OTP).

Mobile-OTP is a free "strong authentication" solution for Java-capable mobile devices such as phones or PDAs. The solution is based on time-synchronous one-time passwords. It consists of a client component (a J2ME MIDlet) and a server component (a Unix shell script). The server component can easily be plugged into free RADIUS servers such as XTRadius to authenticate users at routers, firewalls, web servers, access points, Unix machines, etc.
The shell script should run without modification on any BSD Unix or Linux.

The MIDlet and the RADIUS server are freely available under the terms of the GPL.
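As an added example (not code from this post, and not the Mobile-OTP project's own MIDlet or shell script), here is the mOTP token algorithm together with a server-side verifier in Python. It shows the two things that have to be handled when the shell-script side is re-implemented on the Web Interface server: the clock-drift window and replay protection. The secret, PIN, timestamps and the 180-second drift window are assumed values chosen for illustration.

```python
import hashlib
import hmac

# Mobile-OTP (mOTP) token: the first 6 hex characters of
#   MD5( <epoch seconds // 10> || <secret> || <PIN> )
# i.e. a new token every 10 seconds, derived from the device's
# 16-hex-character init secret and the user's 4-digit PIN.
# The values used below are constructed for illustration, not real credentials.
DEMO_SECRET = "0123456789abcdef"   # assumed: secret shown by the MIDlet at init
DEMO_PIN = "1234"                  # assumed: user's PIN
DEMO_EPOCH = 1329206400            # assumed: a fixed Unix timestamp for the demo


def motp(secret: str, pin: str, epoch: int) -> str:
    """Return the mOTP token valid for the 10-second period containing `epoch`."""
    period = epoch // 10
    data = f"{period}{secret}{pin}".encode("ascii")
    return hashlib.md5(data).hexdigest()[:6]


class MotpVerifier:
    """Server-side check: accept a token for any period within +/- drift_seconds
    of the server clock, and never accept the same token twice within the time
    it could still be valid (replay protection)."""

    def __init__(self, secret: str, pin: str, drift_seconds: int = 180):
        self.secret = secret
        self.pin = pin
        self.drift_periods = drift_seconds // 10   # 180 s -> 18 periods each side
        self._used = {}                            # token -> epoch when it was accepted

    def _purge(self, now: int) -> None:
        # A token accepted at time `a` can stay inside the window for at most
        # 2 * drift_seconds after `a`; entries older than that can never be
        # replayed successfully, so drop them to bound the cache.
        keep_for = 2 * self.drift_periods * 10 + 10
        self._used = {t: a for t, a in self._used.items() if now - a <= keep_for}

    def verify(self, token: str, now: int) -> bool:
        token = token.strip().lower()
        if len(token) != 6 or any(c not in "0123456789abcdef" for c in token):
            return False
        self._purge(now)
        if token in self._used:            # replay of an already-used token
            return False
        center = now // 10
        for period in range(center - self.drift_periods, center + self.drift_periods + 1):
            expected = hashlib.md5(f"{period}{self.secret}{self.pin}".encode("ascii")).hexdigest()[:6]
            if hmac.compare_digest(expected, token):   # constant-time comparison
                self._used[token] = now
                return True
        return False


if __name__ == "__main__":
    token = motp(DEMO_SECRET, DEMO_PIN, DEMO_EPOCH)
    server = MotpVerifier(DEMO_SECRET, DEMO_PIN)
    print("token:", token)
    print("fresh, 25 s of drift:", server.verify(token, DEMO_EPOCH + 25))
    print("same token again:    ", server.verify(token, DEMO_EPOCH + 30))
```

Sizing the window matters: a 6-hex-character token has 16,777,216 possible values, and a ±180 s window accepts 37 distinct periods, so one blind guess succeeds with probability about 37/16.7M, roughly 1 in 450,000. That is why an mOTP verifier on the WI login page still needs the lockout and CAPTCHA controls discussed above, and why the drift window should not be widened casually.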

Posted on 03 Nov 2011 by Emin