I interviewed Chris Mayers for this topic.  Chris has been with Citrix since 1998, and in his role as principal security architect at Citrix, Chris has both internal and external responsibilities for promoting security, developing security strategies and advocating the secure enterprise.  Based in Cambourne, Cambridge, Chris's job takes him all over Europe and to the USA, where he can be found advising CIOs and CSOs, presenting White Papers at industry conferences and working to develop Citrix technology to ensure it continues to protect the 'perimeterless' enterprise.

Here is Chris:

Q: Chris, first can you explain what we mean by "Strong Authentication"?
A: Strong Authentication is multiple factor authentication.  The classic definition is something you know (such as a password), coupled with something you have (such as a token or smartcard) or something you are (biometric data.)  For remote access using Web Interface, Citrix recommends that customers always use strong authentication rather than just passwords.

Q: That makes sense.  Why wouldn't everyone use strong authentication for remote access?
A: Everyone should use strong authentication, but there are choices, so it's a question of balance.  Security requirements are balanced against cost and user acceptance.   The number of users who actually need remote access, and the applications they are using must be evaluated.  There may be less expensive ways to secure remote access to simple applications such as email - using Smart Access or XenApp capabilities.

Q: What kind of cost would a customer be looking at for implementing strong authentication?
A: The good news is that the purchase price of second factor devices has come down in recent years.  A security token, for example, costs only a few dollars now.  Unfortunately there are additional costs, such as fulfillment to the user, and administrative and help desk costs; these need watching.

Q: What about user acceptance, why is that an issue for customers?
A: Well, users are required to either carry an item with them for access (something they have) or use biometrics (something they are.)  End users must be involved in this process - authentication is not something administrators can do for them.  So, users may view this as inconvenient. 
One interesting way around this is dual-purpose: combine strong authentication on an item the user can use for other tasks.  There are several solutions based on mobile phones, USB tokens (which can be used generically as well), and smartcards (which can be used for digital signature and encryption as well as authentication).

Q: Counting on users is always risky  How do you recommend IT deal with this?
A: The trick is to manage risks and have a calculated backup plan.  For example, if tokens or smartcards are used for strong authentication, and the user loses, damages or forgets the item, you might enable the help desk to temporarily allow a password to access the account remotely.  That way, even if a user intentionally "forgets" the item, there is no excuse to avoid work!

Q: What about biometrics - that way the user doesn't have to remember a device?
A: Biometrics are great for unlocking things, like laptops and doors.  The big danger for the remote access use case is that the biometric data can go over the network.   The issues with this are nasty - stolen biometric data can be much more damaging than stolen credentials (biometrics don't change like passwords do.) 

Q: Does Citrix provide strong authentication solutions?

A: No, but Citrix has numerous partners - check out Citrix Ready.

I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager.While Citrix remains "strong authentication agnostic", Ross raised some great points: - Passwords are bad - I don't think anyone will argue this point!  There have been many solutions to enforce management of passwords to mitigate the inherent weakness.  Then those "solutions" that make passwords more complex can cause user convenience problems - plus bad behavior such as passwords written down, using the same password for many applications, and so on.  Then the help desk calls are both extensive and expensive.  - eSSO means putting all the keys to the kingdom in one place.  This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly.  However, the end user now has only ONE password to know - therefore there is a case to augment it with a strong authentication device like Gemalto smart cards. - Coupling of eSSO and smart cards brings the ultimate in convenience with maximum security - the user inserts their card, enters their PIN, and they can securely access the system.  This is much easier then entering user name/password - easier and more secure. - Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.
We also discussed the merits of converging logical and physical security.  This always looks great on powerpoints, but it has been a real slow starter in real life.  It's been discussed for 8 years that I personally know about, but the actual implementations are lagging.  It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within and organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together.  I know Gemalto has partnerships to do this, but it seems to me to face obstacles.  Would like to hear comments!