On Tue, Jan 19, 2016 at 9:02 AM, Grant <emailgr...@gmail.com> wrote:
>
> If that's the case then it sounds like 2FA doesn't really provide any
> extra assurance. It's another layer but if the machine is hacked then
> it sounds like it becomes a very thin layer.
>
> I'd most like to allow the remote employee to use their own computer,
> but is there any way to have reasonable assurance that a remote
> attacker can't log into my web stuff if the employee's computer is
> compromised?
>
> With a Chromebook, how can I be assured that the employee is only able
> to log into my web stuff with the Chromebook?
>
It looks like this is possible to do with a Google Apps account:

https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
https://support.google.com/chrome/a/answer/2657289
https://support.google.com/chrome/a/answer/1375678

You can control who can log in, and what sites they can visit (just
blacklist * and then whitelist specific sites). Schools commonly use this
so that they don't have to deal with kids visiting sites of ill repute.
You can also control application/extension installation.

It looks like you can also use remote attestation if your application
supports it, which prevents access from a tampered device even if it has
the right credentials/etc. (That's the whole "trusted/treacherous
computing" thing.) You could in theory have security such that your
application works with single-sign-on but doesn't work unless connected
to using a trusted device (but I'd have to do more research on that).

The one thing you will have to be careful about is printing. They can
only print to PDF, or to cloud print. I'm not sure if that is an issue
for your use case.

I've never used it personally, but it is apparently quite popular with
schools. I'd suggest looking into it. The service isn't free - you need
Google Apps to make it work. However, it sounds like it is relatively
cheap.

I'd certainly be interested in hearing from anybody who knows more about
it, but if I had a small business that was purely web-based I'd strongly
consider a solution like this.

--
Rich
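As an added illustration of the "blacklist * then whitelist specific sites" approach Rich describes (this is not code from the thread or from Google): the script below re-implements, in simplified form, the matching rules that Chrome's URL filter policies use, and runs a constructed sample policy against a set of URLs. The policy names `URLBlocklist`/`URLAllowlist` are the current ones (older consoles spelled them `URLBlacklist`/`URLWhitelist` with the same pattern syntax); the hostnames in the sample policy are made up. It assumes the documented pattern format `[scheme://][.]host[/path]`, that a more specific match wins, and that the allowlist wins ties. Port and wildcard-host edge cases are intentionally left out. The point a practitioner should take from it is the subdomain caveat: an allowlist entry without a leading dot also admits every subdomain of that host.

```python
"""Deny-all / allow-list URL policy, modelled on Chrome's URLBlocklist and
URLAllowlist enterprise policies.

Added example: a simplified re-implementation of the matching rules for
illustration only, not Chrome's own code. Pattern syntax assumed:
    [scheme://][.]host[/path]     "*" matches everything
A leading "." pins the host exactly (no subdomains); without it the entry
also matches every subdomain. Longer (more specific) matches win; when the
blocklist and allowlist match with equal specificity the allowlist wins.
"""
from urllib.parse import urlsplit

# Constructed sample policy (hostnames are made up): block everything,
# then allow only the handful of sites the employee needs.
SAMPLE_POLICY = {
    "URLBlocklist": ["*"],
    "URLAllowlist": [
        "https://intranet.example.com",    # host + all subdomains, https only
        ".accounts.example.com",           # this exact host only, any scheme
        "https://docs.example.com/team",   # only paths under /team
    ],
}


def parse_pattern(pattern):
    """Split a filter pattern into (scheme, host, exact_host, path).

    scheme and path are None when the pattern leaves them unconstrained;
    host is "*" for the catch-all pattern.
    """
    if pattern == "*":
        return (None, "*", False, None)
    scheme, rest = None, pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    host, _, path = rest.partition("/")
    exact = host.startswith(".")
    host = host.lstrip(".").split(":")[0].lower()   # port ignored (simplification)
    return (scheme.lower() if scheme else None, host, exact, "/" + path if path else None)


def match_score(pattern, url):
    """Return a specificity score > 0 if pattern matches url, else 0.

    Specificity is approximated by the number of characters the pattern
    constrains, which is enough to rank "*" below any concrete host and a
    host-only entry below a host+path entry.
    """
    scheme, host, exact, path = parse_pattern(pattern)
    u = urlsplit(url)
    uhost = (u.hostname or "").lower()
    if scheme is not None and u.scheme.lower() != scheme:
        return 0
    if host != "*":
        if exact and uhost != host:
            return 0
        if not exact and not (uhost == host or uhost.endswith("." + host)):
            return 0
    if path is not None and not u.path.startswith(path):
        return 0
    score = 1
    score += len(host) if host != "*" else 0
    score += 1 if exact else 0
    score += len(path) if path is not None else 0
    score += 1 if scheme is not None else 0
    return score


def is_allowed(url, policy):
    """Decide whether url may be visited under policy."""
    block = max((match_score(p, url) for p in policy.get("URLBlocklist", [])), default=0)
    allow = max((match_score(p, url) for p in policy.get("URLAllowlist", [])), default=0)
    if block == 0 and allow == 0:
        return True            # no rule applies: the browser default is allow
    return allow >= block      # more specific rule wins; allowlist wins ties


def audit_allowlist(policy):
    """Flag allowlist entries that silently admit every subdomain of the host.

    These are often unintended in a deny-all setup; pin them with a leading
    dot if subdomains should not be reachable.
    """
    flagged = []
    for p in policy.get("URLAllowlist", []):
        _, host, exact, _ = parse_pattern(p)
        if host != "*" and not exact:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for url in [
        "https://intranet.example.com/",
        "https://wiki.intranet.example.com/",       # admitted via subdomain match
        "http://intranet.example.com/",             # wrong scheme: blocked
        "https://accounts.example.com/login",
        "https://sso.accounts.example.com/",        # leading dot pins host: blocked
        "https://docs.example.com/team/notes",
        "https://docs.example.com/personal",        # outside /team: blocked
        "https://mail.example.net/",
    ]:
        print(f"{'ALLOW' if is_allowed(url, SAMPLE_POLICY) else 'BLOCK':5}  {url}")
    print("entries that also admit subdomains:", audit_allowlist(SAMPLE_POLICY))
```

Run it and compare the two `intranet` lines with the two `accounts` lines: the same deny-all policy admits `wiki.intranet.example.com` but refuses `sso.accounts.example.com`, purely because of the leading dot. `audit_allowlist` lists the entries that behave the first way, which is the check worth running before trusting a console-configured allowlist.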