ANAHEIM, Calif. -- The traditional username and password combination alone is no longer a sufficient authentication...
mechanism, but there are some ways to make it more robust.
Citrix administrators have a few options for implementing multifactor authentication (MFA) through the vendor's NetScaler product, either on premises or in the cloud. Thorsten Rood, CTO at Braincon GmbH, a medical device company based in Austria, presented two on-premises NetScaler authentication methods in a session here at Citrix Synergy 2018.
"Every customer is on a certain journey to the cloud," Rood said. "But reality says that we all love our existing on-premises environments."
Two NetScaler authentication methods
Microsoft Azure presents one option for on-premises multifactor NetScaler authentication. Citrix admins with a NetScaler Gateway device can easily integrate with Azure Active Directory (AD) to implement MFA in their on-premises infrastructure, although they would also have to pay additional Azure licensing, Rood said. Through this integration, admins can require that users provide a soft token -- such as a fingerprint on Apple Touch ID-enabled devices, or a code received via SMS -- to authenticate.
IT can also use a cloud-based AD Federation Services plug-in or a Network Policy Server (NPS) extension within an existing Microsoft RADIUS infrastructure, but this method is less flexible and requires interaction with Azure AD for user onboarding, Rood said. There's also a stand-alone offering for Windows Server that admins can download from the Azure AD administration panel.
Thorsten RoodCTO, Braincon GmbH
Azure MFA is a good option for IT admins with a known audience, such as employees, Rood said.
Taylor Smilnak, a managed services administrator at Tessitura Network, an IT services company based in Dallas, currently uses physical tokens as an authentication method. He is interested in using Azure MFA, but the added licensing fees are a concern, he said.
"We buy a bunch of token keys for our users every couple of years, so it might balance out," he said.
Another option is Google ReCAPTCHA, a free service that aims to prevent bots from infiltrating websites and logging into systems by asking users to complete tasks that only humans could do, such as identifying photos that contain a stop sign. The service integrates well with NetScaler Gateway and is best for an unknown audience, such as B2C customers, but IT needs to install Citrix's NFactor technology first, Rood said.
IT could implement both on-premises NetScaler authentication methods, but at the risk of sacrificing user experience, he said.
"ReCAPTCHA is the admin's best friend, but it's complicated from a user perspective," he added.
Citrix and the authentication market
Citrix isn't a major player in the authentication market, but NetScaler Gateway offers secure remote access and single-sign on capabilities for VDI, web and SaaS applications.
Robert Miller, a Windows systems engineer at Draper Laboratory, an engineering company in Cambridge, Mass., said NetScaler Gateway is robust enough to handle his company's strict government compliance standards, but the company uses RSA's MFA as well.
"Citrix is in a strong position that a lot of the identity providers aren't because they have such visibility into not just the authentication mechanism, but also around the software-defined perimeter and their network capabilities, as well as being able to manage devices in app management, too," said Andrew Hewitt, an analyst at Forrester.
Citrix has a much broader view into what types of information IT could use to make an authentication or access decision, Hewitt said.
"In that light, I think they're pretty well-positioned to capitalize on their existing customer base," he added. "But their focus is really around choice, so I don't think they'll be heavy-handed in pushing people towards the Citrix way."