I'm looking for 2 factor authentication options to layer on to my Terminal Services implementation. Anyone have any experience or opinions?

There are some nice tokenless options in this space. check out https://www.phonefactor.com/terminalservices. It may be just what you're looking for, though we haven't actually implemented it ourselves yet. Anyone else have experience with them?

I'll have a look, thanks. How significant is Out of Band response from a security perspective?

Given that Phishing is a significant security threat, the opportunity to use PhoneFactor to enter the 2nd factor through a channel other than the browser is a pretty big deal.

What do you mean when you say the 2nd Factor is out of band with PhoneFactor?

It's out of band because it relies on a different network (phone network) to provide the second factor. When you think about it, someone would need to have infiltrated both networks and know to put them together in order to get access to an identity

Thanks for the help. I tried it and it has worked pretty well. Trying to figure out what the downside is. More that I think about, the more the Out of Band response is a big deal. Couple other things are a big deal, like price and token-less.

Tokenless is pretty significant. Tokens cost $4-$5 apiece which can add up when you support thousands of users, especially if you assume they have to be replaced every year or two.

BTW, we tried PhoneFactor for Outlook Web Access as well. Had to upgrade to a paid version in order to support multiple apps, but at least it works well technically.

BTW, we tried PhoneFactor for Outlook Web Access as well. Had to upgrade to a paid version in order to support multiple apps, but at least it works well technically.