>> If that's the case then it sounds like 2FA doesn't really provide any
>> extra assurance. It's another layer but if the machine is hacked then
>> it sounds like it becomes a very thin layer.
>>
>> I'd most like to allow the remote employee to use their own computer,
>> but is there any way to have reasonable assurance that a remote
>> attacker can't log into my web stuff if the employee's computer is
>> compromised?
>>
>> With a Chromebook, how can I be assured that the employee is only able
>> to log into my web stuff with the Chromebook?
>>
>
> It looks like this is possible to do with a Google Apps account:
> https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
> https://support.google.com/chrome/a/answer/2657289
> https://support.google.com/chrome/a/answer/1375678
>
> You can control who can log in, and what sites they can visit (just
> blacklist * and then whitelist specific sites). Schools commonly use
> this so that they don't have to deal with kids visiting sites of ill
> repute. You can also control application/extension installation.

I'm sorry, I meant can I lock down access to my web stuff so that a
particular user can only come from a particular device (or from any
device containing a key).

> It looks like you can also use remote attestation if your application
> supports it which prevents access from a tampered device even if it
> has the right credentials/etc. (That's the whole "trusted/treacherous
> computing" thing.) You could in theory have security such that your
> application works with single-sign-on but doesn't work unless
> connected to using a trusted device (but I'd have to do more research
> on that).

It seems like that would be necessary in my case or the remote employee
might prefer working from their own device instead of using the
Chromebook.

Can I somehow require something like a PGP key in order to authenticate
successfully in a browser?

- Grant