Remote Desktop Multi-factor Authentication with ThinMan Smart Identity

Modern security is built around verifying identity and granting access to critical systems only once that identity has been verified. Attackers realize that compromising a user's identity provides easy access to sensitive systems. Therefore, businesses must do their due diligence to protect critical systems and strengthen identity-based access controls. Identity verification presents particular challenges in the age of the hybrid workforce, where users access critical systems remotely through VDI solutions. ThinMan Smart Identity from Praim is a solution that helps to bolster the security of system access and identity verification. Let's look at remote desktop multi-factor authentication with ThinMan Smart Identity.

What is ThinMan Smart Identity?

ThinMan Smart Identity from Praim is a module for ThinMan Advanced Server, available in the User+ Feature Pack, allowing users to access workstations using a personal smart card. This provides organizations with an effective multi-factor authentication solution for system access on remote desktops, fully integrated into the endpoint management automation capabilities offered by ThinMan.

With smart card authentication, admins can effectively control user access and enforce strong security across the board, using a physical object that is often already widespread in the organization (such as a badge for identification or building entrance). Smart Identity is compatible with most electronic badge technologies (you can also try Smart Identity with your own public-transport card; very likely, it can be associated with your login on Praim-based endpoints).

With ThinMan Smart Identity, admins can configure security to meet the needs of the business, including:

  • Smartcard only authentication
  • Smartcard insertion, user login plus a password
  • Smartcard insertion, user login plus a PIN

ThinMan Smart Identity lets the administrator decide very granularly how to secure access: which devices can enroll cards and how many cards each user can enable (new cards can be added, and old or lost ones can be blocked or permanently removed).

A physical key offers many advantages for remote desktop multi-factor authentication, above all the speed of secure authentication, especially in environments where users move between multiple desktops during the day and need their resources available at each. A classic use case involves hospital workers who move between various computer systems daily. A physical authentication key provides a much quicker access method and is more secure than a simple password. In addition, admins can block unwanted smart cards and devices instantly.

Moreover, cards can support a secure, fast, and “keyboard-free” use case in those environments with specific requirements such as Manufacturing or Food and Beverage production.

Why use ThinMan Smart Identity?

There are a few key use cases for using ThinMan Smart Identity. These include:

  • Speed up access – Smart Identity lets users authenticate with a smartcard instead of the keyboard for remote desktop multi-factor authentication. As a result, it greatly speeds up access in industries where workers constantly move between computer systems (e.g., healthcare).
  • Granular control over resource access – You can customize access to systems based on users' identity, roles, duties, or the groups to which they belong (e.g., doctor, nurse, technician, or maintenance worker versus operator).
  • Provide effective multi-factor authentication – If you need to strengthen access, add a second factor to the password (a card or a PIN, or card + PIN instead of a password). This allows easy implementation of remote desktop multi-factor authentication. RDP connections, for example, are historically among the most compromised, as attackers typically steal Windows logon accounts and use them to impersonate a legitimate remote connection.
  • ThinMan integrates with your Active Directory server using the LDAP protocol and can integrate multiple domains (e.g., controlled companies, collaborating institutions, recent corporate mergers, etc.), so you do not need to register your cards to be ready to use Smart Identity.

Other possible use cases and capabilities

With ThinMan Smart Identity, the functionality is entirely built into Praim ThinMan Server, with no need for other products or solutions, a special RDP client, a remote desktop gateway, Azure MFA, a security key, a VPN connection, or add-ons for the remote user. In addition to the use cases already mentioned, a few other scenarios come to mind, including:

  • Businesses already using ThinMan Server user policies can quickly reconfigure the same workstation based on the user
  • You can use multiple cards on one station to enable different uses of the same machine
  • Multiple cards can be associated with the same person to provide access to different types of systems with varying levels of access, leading to fast, role- or task-based access to the endpoint resources
  • The ThinMan Smart Identity solution is compatible with different card readers and different types of cards (you can adapt the corporate card already in use or choose a new type of card)

How Smart Identity works with Agile4PC

Before enabling ThinMan Smart Identity on your ThinMan Server, there are a few prerequisites. These include:

  • Own a ThinMan Advanced license extended with the User+ Feature Pack
  • Use either Praim ThinOX/ThinOX4PC or Praim Agile/Agile4PC devices with an Identification Device reader attached

Configuration steps in ThinMan:

  1. The references to an LDAP Server must be configured (your Active Directory server in most cases)
  2. Smart identity has to be activated and configured
  3. A Device Policy must be configured to be associated with the devices for card enrollments

Configure LDAP servers before enabling ThinMan Smart Identity

The Smart Identity feature works by passing the user's credentials through to the resource once the smartcard has been presented. The credentials pass-through option must be enabled on the resource to pass the user credentials to the device/user connections.

  • ThinMan Smart Identity Pass-through – Resources configured with this option use the same credentials entered in the ThinMan Login process to log into resources. This parameter is useful when ThinMan Login is used to protect device access and Agile Mode is enabled. Without ThinMan Login, this option is not applied, and a credential request is presented to the user. This option is not available for all resource types.

To pass the user credentials to the device/user connections

It is necessary to create a Device Policy to enable the devices where it is possible to proceed with the enrollment (for more details, read Smart Identity – Device Policy Configuration).

The user or the administrator can complete the enrollment procedure:

  • The user enrolls their Identification Device (smart card) on any device the administrator has configured for enrollment. The user taps or inserts the card on the device and enters their username to enroll the card. Finally, the user enters their password/PIN to activate the card.
  • The administrator enrolls the Identification Device (smart card) and then delivers it to the user. The user completes the activation of the Identification Device (smart card) on an endpoint by entering their password/PIN.

Once the card has been enrolled, the endpoint asks for the password that activates the Identification Device. The administrator or the user must enter the password and click “Login” (or press Enter on the keyboard).
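As an added illustration (not Praim's code, and not how ThinMan implements it internally), the following Python model captures the policy the article describes: enrollment only on devices enabled by a Device Policy, a per-user card limit, activation with the user's password/PIN, blocking of lost cards, and the three login modes listed earlier. The LDAP/AD credential check is replaced by a local salted hash, and all user, card and device names are constructed.

```python
# Constructed model of the Smart Identity enrollment and login flow described above; not Praim's code.
import hashlib, hmac, secrets


class SmartIdentityModel:
    def __init__(self, mode, max_cards_per_user, enrolling_devices):
        self.mode = mode  # "card-only", "card+password" or "card+pin", the three policies listed above
        self.max_cards = max_cards_per_user  # number of cards each user may have enabled
        self.enrolling_devices = enrolling_devices  # devices whose Device Policy allows enrollment
        self.cards = {}     # card uid -> {"user", "activated", "blocked"}
        self._secrets = {}  # stand-in for the LDAP/AD credential check: user -> salt + PBKDF2 hash

    def set_secret(self, user, secret):
        salt = secrets.token_bytes(16)
        self._secrets[user] = salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def _verify_secret(self, user, secret):
        stored = self._secrets.get(user)
        if stored is None or secret is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), stored[:16], 100_000)
        return hmac.compare_digest(stored[16:], digest)

    def enroll(self, device, card_uid, user):
        if device not in self.enrolling_devices:
            return "denied: device not enabled for enrollment"
        if card_uid in self.cards:
            return "denied: card already enrolled"
        if sum(c["user"] == user and not c["blocked"] for c in self.cards.values()) >= self.max_cards:
            return "denied: card limit reached for user"
        self.cards[card_uid] = {"user": user, "activated": False, "blocked": False}
        return "enrolled: activation pending"

    def activate(self, card_uid, secret):  # user enters password/PIN on the endpoint to activate the card
        card = self.cards.get(card_uid)
        if card is None or card["blocked"] or not self._verify_secret(card["user"], secret):
            return False
        card["activated"] = True
        return True

    def block(self, card_uid):  # admin blocks a lost card; it can no longer be activated or used
        self.cards[card_uid]["blocked"] = True

    def login(self, card_uid, secret=None):  # returns the authenticated user, or None
        card = self.cards.get(card_uid)
        if card is None or card["blocked"] or not card["activated"]:
            return None
        if self.mode == "card-only" or self._verify_secret(card["user"], secret):
            return card["user"]
        return None
```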

Viewing Smart Identity connections in ThinMan Server

Wrapping Up

Organizations looking to implement remote desktop multi-factor authentication effectively will find ThinMan Smart Identity an excellent choice, as it provides many advantages. Unlike a simple username and password, it also requires something the user physically possesses. Admins can additionally require users to enter a password or PIN in conjunction with the smartcard for authentication. Instead of establishing a remote desktop connection with, for instance, the standard RDP client built into Windows and the traditional username and password method, Smart Identity lets users log in to sessions through the simplified, locked graphical interface (Agile Mode) of Agile4PC, using the ThinMan integration with LDAP servers to authenticate domain users and provide them with personalized (local, virtual, or web) resources.

Learn more about Praim Smart Identity here:
