I was super excited when ONTAP 9.3 came out with multi-factor authentication support. I tweeted about it and even went on a Tech ONTAP recap podcast for NetApp Insight 2017 and talked about it.
Usually, there is a trade-off between convenience and security. Security is typically inconvenient. Multi-factor authentication is the exception to this. Having something like a token (something you have) and a PIN (something you know) is so much more convenient than having to remember a 15-character password (with at least 2 uppercase and 2 special characters) that you are required to change every two months. People end up writing those types of passwords down and putting them under their keyboard.
Because of the improved security with 2FA/MFA, DoD began pushing about 3 years ago to get all applications to use smart card authentication. The end goal was to have no user accounts in Active Directory with the ability to authenticate with a password. Basically, every account would need to have the "Smart card is required for interactive logon" checkbox (the SMARTCARD_REQUIRED bit in userAccountControl) enabled. Exceptions were only permitted when users had critical applications that did not support smart card authentication.
For any existing application that wasn't able to meet the "smart card required" requirement, we were required to document why we needed that software and WHEN it would be smart card enabled. Any new applications that didn't support smart card logon wouldn't get through procurement.
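The policy above boils down to one question an auditor keeps asking: which enabled accounts can still log on with a password, and is each one covered by a documented waiver? The following PowerShell is an added example, not code from the original post or from NetApp/DoD; it assumes the RSAT ActiveDirectory module is installed, and the OU path and the waiver list are hypothetical placeholders.

```powershell
# Added example (not from the original post): find enabled AD user accounts
# that can still authenticate with a password, i.e. that do NOT have
# "Smart card is required for interactive logon" set, and flag the ones
# missing a documented waiver.
# Assumes the ActiveDirectory module (RSAT). OU and waiver list are hypothetical.

Import-Module ActiveDirectory

# Hypothetical waiver list: accounts whose application still needs a password,
# with the justification and the date smart card support is due.
$Waivers = @{
    'svc-legacyapp' = 'LegacyApp; vendor smart card support due 2018-06-30'
    'svc-backup'    = 'Backup agent; vendor ticket open'
}

$SearchBase = 'OU=Users,DC=example,DC=local'   # hypothetical OU

# SmartcardLogonRequired is the SMARTCARD_REQUIRED bit (0x40000) in
# userAccountControl; accounts without it can still use a password.
$PasswordCapable = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and SmartcardLogonRequired -eq $false } `
    -Properties SmartcardLogonRequired, PasswordLastSet, LastLogonDate

$Report = foreach ($u in $PasswordCapable) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Waiver          = if ($Waivers.ContainsKey($u.SamAccountName)) {
                              $Waivers[$u.SamAccountName]
                          } else {
                              'NONE - needs SCRIL or a documented waiver'
                          }
    }
}

$Report | Sort-Object Waiver | Format-Table -AutoSize

# Enforcement for everything without a waiver (uncomment to apply):
# $Report | Where-Object { $_.Waiver -like 'NONE*' } |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -SmartcardLogonRequired $true }
```

One caveat worth knowing before flipping the flag in bulk: when SCRIL is set, the domain controller replaces the account's password with a random value, so the old password stops working immediately, but that random hash then stays put. Unless the domain is at the Windows Server 2016 functional level with rolling of expiring NTLM secrets enabled, the hash only changes when the flag is cleared and set again, which is why some shops periodically toggle it to re-randomize the secret.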