Two-factor authentication provides improved security because it requires the user to meet two authentication criteria: a user name/password combination and a token or certificate, known as something you have, something you know. Forefront TMG supports two-factor authentication in these scenarios:
- The user has a certificate.
- The user has a SecurID token that provides a
passcode.
- The user has a one-time password token that
provides a passcode.
A typical example of two-factor authentication with a certificate is the use of a smart card. The smart card contains the certificate, which Forefront TMG can validate against a server that contains the user and certificate information. By comparing the user information (user name and password) to the certificate provided, the server validates the credentials, and Forefront TMG authenticates the user.
 Important: |
|---|
| Two-factor authentication using a client certificate is not supported for Forefront TMG deployment in a workgroup. |