Active Directory 2 Factor Authentication with Smartcards
I need 2 Factor Authentication with Smartcards, so I want to log in with a password and a Smartcard. I know that Smartcards have passwords, but my company doesn't like this solution. Is there a way to require an AD user and password and a Smartcard for login?
Solution 1:
If I understand correctly, you want to still use the AD credentials to log in, but with the smart card, so that way you are still using complex passwords as opposed to using the smart card 'password', which is a PIN number?
You mention that people might use 'stupid' numbers like phone numbers etc. if you use the PIN. However, even a 6 digit PIN with a smart card is still more secure than a traditional username/password.
Even if someone uses their phone number as a PIN (not recommended of course), an adversary still couldn't compromise the account and login unless they had the Yubikey.
2FA here means something you know and something you have. To steal a person's Yubikey is a targeted action, meaning that the adversary would be close enough to the person that they most likely would already have gained the password in some manner (e.g. shoulder surfing). Without the password, stealing the Yubikey would be pointless.
The other scenario would be if someone lost their Yubikey, but of course, if someone randomly found a Yubikey then it's useless anyway.
Bottom line is, just use the Yubikey PIN, it may not be as complex as AD password requirements but the smart card solution is still a lot more secure than username/password.
For added security, configure the Yubikey with the touch feature. This ensures that even if somehow the certificate and PIN are compromised, those details can't be used remotely, because the system would require further confirmation which can only be generated by the physical key.
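The setup the answer recommends (PIN plus physical YubiKey with touch, smart card logon enforced in AD), as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module, the YubiKey Manager CLI (ykman 5.x command syntax; older releases spell the subcommand differently), an AD CS issuing CA you already operate, and a security group named "SmartcardUsers" that you create yourself; all three names are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory,
# ykman 5.x, and a self-created group "SmartcardUsers".
Import-Module ActiveDirectory

# 1. Provision the PIV authentication slot (9a) on the workstation with the
#    YubiKey inserted: PIN required once per session, touch required for
#    every use of the key (this is the "touch feature" from the answer).
ykman piv keys generate --algorithm ECCP256 --pin-policy ONCE --touch-policy ALWAYS 9a pubkey.pem
# Issuing the smart card logon certificate for 9a from your AD CS CA depends
# on your template and enrolment process, so that step is not shown here.

# 2. Force smart card logon for the group's members. Setting this flag also
#    makes AD replace the account password with a random one, so the
#    PIN + YubiKey becomes the only interactive logon path.
$members = Get-ADGroupMember -Identity 'SmartcardUsers' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($m in $members) {
    Set-ADUser -Identity $m.distinguishedName -SmartcardLogonRequired $true
}

# 3. Audit: report anyone in the group who still has the flag unset.
Get-ADGroupMember -Identity 'SmartcardUsers' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName, SmartcardLogonRequired
```

Step 1 runs on the client; steps 2 and 3 run from any host with the AD module and rights over the target users. If you prefer enforcement per machine rather than per account, the same effect for a set of workstations comes from the Group Policy setting "Interactive logon: Require smart card", which can be combined with the per-user flag above.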