Strong Authentication Agent for Remote Web Workplace
How RWW-Guard Works
Think about withdrawing money from a bank ATM machine for a moment. How does
that work? You need your bank card plus a PIN code, right?
Your bank requires your card to be placed into the ATM machine, and that you
enter your matching PIN code on the PIN pad. It doesn't allow you to do a lot
of guessing before locking out your account
access. Based on the combination of you HAVING the card, and KNOWING the PIN,
you can withdraw money from virtually any bank ATM machine in the world that can
communicate with your financial institution. This is exactly how two-factor
authentication works: you need to have a unique physical key plus know a private
PIN code.
RWW-Guard enforces the same combination of physical key device plus PIN code,
and adds that requirement on top of your Active Directory account username and
password. To remotely access a Small Business Server protected by RWW-Guard, it
now takes something you must HAVE (your choice of software or hardware
authentication tokens from vendors like Cryptocard and RSA) and something you
KNOW (your PIN code). At the same time, your logon will continue to request
your domain account and password to determine the level of access your account
is allowed, just as it did before. If either device/PIN or account/password is
not validated, no logon session is provided. This makes introducing RWW-Guard
to your business rather easy, with a low barrier to entry, since you don't need
to change anything else in your normal day-to-day operations. Inside the
network everything continues to work the same way, so there is no need to
retrain anyone connecting from outside, beyond requiring them to use the key
device and PIN when they access RWW through the added layer of protection
enforced by RWW-Guard.
This multi-factor approach will ensure that the user coming in actually is who
you expect. So even if someone HAS obtained your Active Directory username and
password, it's useless to them without also having the authentication token and
your PIN code. With most hardware tokens like Cryptocard and SecurID the
combination of the user's private PIN and a uniquely generated 6 to 8 digit
code creates a one-time password (OTP) that cannot be guessed. This OTP is then
provided to RWW, and must be authenticated before a login can take place.
How does RWW-Guard Authenticate?
RWW-Guard is designed to communicate with any 3rd party strong authentication
server (such as CryptoCard's CryptoServer or RSA's Authentication Manager) using
the RADIUS protocol. During the RWW login process RWW-Guard will authenticate the
user and their OTP against that server. On a failure, RWW-Guard will
show an error similar to how a bad password is shown in RWW. If it succeeds, it
then authenticates the user and their normal password against their Active
Directory credentials and passes the rest of the login sequence on to RWW. After
that, you use RWW in the same way you always have.
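
The RADIUS step described above, as an added example that is not RWW-Guard's own code: it builds the Access-Request a client would send with the OTP and checks the server's reply before the login is allowed to continue to Active Directory. It assumes PAP-style User-Password hiding (RFC 2865) and an OTP formed as PIN followed by token code; the user name, secret and codes are constructed sample values.

```python
import hashlib, hmac, os, struct

# Constructed sample value, not from RWW-Guard or any vendor.
SECRET = b"constructed-shared-secret"

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with an MD5 keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding to recover PIN + token code."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, otp, secret, ident, request_auth=None):
    """Return (packet, request_auth) for an Access-Request (code 1)."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(1, user.encode())  # User-Name
    attrs += _attr(2, hide_password(otp.encode(), secret, request_auth))  # User-Password
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def reply_is_authentic(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator before trusting any reply."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def login_allowed(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Fail closed: only an authentic Access-Accept (code 2) proceeds to the AD check."""
    return reply_is_authentic(reply, ident, request_auth, secret) and reply[0] == 2
```

The hiding protects the OTP only as well as the shared secret does, so the secret between the agent and the authentication server should be long and random.
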
Stage the rollout of strong authentication in your business
With the RWW-Guard Manager you can stage the rollout of strong authentication in
your small business by associating Active Directory accounts with their strong
authentication tokens. As an example, you might decide to only force two-factor
authentication on the Administrator account, and a few roaming users who may be
exposed to more risk while in the field. In this way, you can reduce risks to
acceptable levels while controlling the investment in strong authentication
tokens and the training that may need to go with them. And of course when you
are ready, you can turn the switch and mandate that all RWW users are forced to
authenticate with an OTP when appropriate.
Add better auditability of login access
Since RWW-Guard controls both login sequences for strong authentication and Active
Directory authentication, this information can be leveraged as an asset in your
account auditing.
You can quickly identify problems with particular accounts over time, and
evaluate the actual usage of RWW in a single view. Know WHERE your RWW users are
coming from, and ensure you know they are WHO they SAY they are as they log in.