Think about withdrawing money from a bank ATM machine for a moment. How does that work? You need your bank card plus a PIN code, right?
Your bank requires your card to be placed into the ATM machine, and that you enter in your matching PIN code on the pin pad. It doesn’t allow you to do a lot of guessing before locking out your account access. Based on the combination of you HAVING the card, and KNOWING the PIN, you can withdraw money from virtually any bank ATM machine in the world that can communicate with your financial institution. This is exactly how two-factor authentication works: you need to have a unique physical key plus know a private PIN code.
RWWGuard enforces the same combination for the physical key device plus PIN code, adding that requirement in addition to providing your Active Directory account username and password. To remotely access a Small Business Server or Essential Business Server protected by RWWGuard, now it takes something you must HAVE (an AuthAnvil Two Factor Auth hardware token) and something you KNOW (your pin code). At the same time, your logon will continue to request your domain account and password to determine the level of access your account is allowed, just as it did before. If either device/PIN or account/password are not validated, no logon session is provided. This means introducing RWWGuard to your business is rather easy with a low barrier to entry, since you don’t need to change anything else in your normal day to day operations. Inside the network everything continues to works the same way, so there is no need to retrain anyone connecting from outside besides requiring the key device and PIN to be used when they access RWW through the added layer of protection enforced by RWWGuard.
This multi-factor approach will ensure the identity of the user coming in actually is who you expect. So even if someone HAS obtained your Active Directory username and password, it’s useless to them without also having the authentication token and your pin code. With most hardware tokens like AuthAnvil Two Factor Auth, Cryptocard and SecurID the combination of the user’s private pin and a uniquely generated 6 to 8 digit code creates a one time password (OTP) that cannot be guessed. This OTP is then provided to RWW, and must be authenticated before a login can take place.
How does RWWGuard Authenticate?
RWWGuard is designed to communicate with Scorpion Software’s AuthAnvil Two Factor Auth SAS using web services. During the RWW login process RWWGuard will authenticate the user and their OTP against that server. On a failure, RWWGuard will show an error similar to how a bad password is shown in RWW. If it succeeds, it then authenticates the user and their normal password against their Active Directory credentials and pass on the rest of the login sequence to RWW. After that, you use RWW in the same way you always have.