We are planning to deploy Windows 7 in the next few months. We have about 8000 workstations around the globe. Currently, we use Cisco IPsec VPN for remote connectivity. We'd like to implement DirectAccess using Server 2012 (no UAG). We have been trying to figure out how to do user authentication. We know that Smart Cards are an option for a second factor for authentication, but we would have to convert all of our machines (or get add-on card readers) in order to use Smart Cards. Since we have SecurID in place today, our security team would like to consider using it for our second factor.
So, my question is, do we need to use a second factor - from a security and HIPAA standpoint - or is the default DirectAccess security model strong enough that it wouldn't be necessary? If so, what resources are there that can help me make my case?
I've read that Microsoft uses Smart Cards for their DA implementation, but haven't really found any other information to support either side of the argument.