
Possibly contrarian point of view:

a) Passwords should be easily rememberable. Pick four words and string them together (e.g. correcthorsebatterystaple).

b) You must have a physical security key to authenticate - a Yubikey etc.

If those two factors are not enough, then forget working from home / mobile authentication - require people to arrive in-person and work in-person, with network restrictions on top of the two-factor authentication.

If two-factor authentication isn't enough, and IP address restrictions aren't of help to enforce know-your-user when they show up in person, then I swear, God help you. At that point, you're no longer practicing security, you're practicing paranoia.



> network restrictions on top of the two-factor authentication

That is exactly what I thought was the case too until I recently entered the code Google Authenticator gave me although my mobile was not connected to the internet. And it worked.


If you can even reach the login screen, in spite of a network control that's supposed to exist, then your network controls aren't working.

TOTP is supposed to work without a network connection.



