Easiest for user
I would consider transmitting all content over SSL (which is what Andrew Walters' comment refers to), with additional attention to details such as page timeout, session management, password policies, etc.
The PIN code delivered to your cell phone is a commonly used second factor.
I argue that this is "easiest for the user" because so many large sites (like Google, Facebook, and their bank) work this way. There is nothing to install and nothing new to learn.
This is not very desirable from a business point of view.
VPN
Use VPN to restrict access? (Will not work with mobile devices)
This is a common option in corporate environments and is generally considered secure (although this is not an excuse for abandoning other good practices, such as password policies). However, you have options for mobile devices.
See the F5 SSL VPN, in particular their technical documentation on mobile access for iOS and Android, which says: "The BIG-IP Edge Portal for iOS and Android devices makes it easy for mobile users to access corporate web applications [...] securely access internal web pages and web applications."
You can increase security by adding another factor to the authentication process: a token with an ever-changing PIN.
Certificates
Can I use a client certificate?
Yes, it is possible; whether it suits your business needs is another matter (for example, it takes time/skill to manage such a solution).
If you are not familiar with the subject, I suggest reading this KB article (quick read).
For implementation, here is an old but very detailed walkthrough and a new walkthrough for IIS 7.
Tim Medora