>> If that's the case then it sounds like 2FA doesn't really provide any
>> extra assurance. It's another layer but if the machine is hacked then
>> it sounds like it becomes a very thin layer.
>>
>> I'd most like to allow the remote employee to use their own computer,
>> but is there any way to have reasonable assurance that a remote
>> attacker can't log into my web stuff if the employee's computer is
>> compromised?
>>
>> With a Chromebook, how can I be assured that the employee is only able
>> to log into my web stuff with the Chromebook?
>>
>
> It looks like this is possible to do with a Google Apps account:
> https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
> https://support.google.com/chrome/a/answer/2657289
> https://support.google.com/chrome/a/answer/1375678
>
> You can control who can log in, and what sites they can visit (just
> blacklist * and then whitelist specific sites). Schools commonly use
> this so that they don't have to deal with kids visiting sites of ill
> repute. You can also control application/extension installation.

I'm sorry, I meant can I lock down access to my web stuff so that a
particular user can only come from a particular device (or from any
device containing a key).

> It looks like you can also use remote attestation if your application
> supports it which prevents access from a tampered device even if it
> has the right credentials/etc. (That's the whole "trusted/treacherous
> computing" thing.) You could in theory have security such that your
> application works with single-sign-on but doesn't work unless
> connected to using a trusted device (but I'd have to do more research
> on that).

It seems like that would be necessary in my case or the remote
employee might prefer working from their own device instead of using
the Chromebook. Can I somehow require something like a PGP key in
order to authenticate successfully in a browser?

- Grant