The registry for that can be disabled. Not that it makes Windows much better
Thanks for the thorough reply! I'll look through all the links especially the NIST doc.
Will it be cheaper? If Okta is an oauth service they have $1500 as their base price. Unless they're the exception
Google Workspace but all Windows laptops. No Apple devices, OT, or self-hosted infra. Hybrid, I guess.
As a startup it's a very simple business operation and there's no security protocol to speak of at the moment. We just use a dozen sass apps and I don't think we're ready for any full-on enterprise level security services.
Aren't USB sticks too unreliable for something important like 2FA codes?
Assuming they replace their own phone you mean? There's also productivity loss that we'd like to avoid. Temporary token stocked in what way?
I'm not familiar with AD so I'll have to do some more research into it.
It seems there are two options when it comes to passwords: 1) SSO 2) DIY with a password manager and 2FA ideally with a security key.
SSO is too pricey ($1500 base @ Okta) at the moment and SAAS prices are ever increasing so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like yubikey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.
Did I arrive at the right conclusion on 2FA with security keys or did I miss something?
The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they're ready for use when they return to work on Monday. It's possible we could also do it while they're on a week-long vacation to save on shipping costs.
Do your research from Tor or mullvad browser before going out instead of on the go searches.
What about using a password manager to store 2FAs for apps and websites and then a security key for the password manager 2FA?
For our business we use a number of different apps and websites but only two of them offer 2FA with a security key. The rest allow for an authenticator app. In this case, it seems just using an authenticator app would be best for consistency and without needing to purchase keys.
Of course, installing authenticatior apps on each device would be a no-no since it wouldn't technically be 2FA. Then do we use each employee's personal phones? Not sure how to proceed.