On Sat, Jun 11, 2016 at 4:26 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 11/06/2016 17:23, Michael Ströder wrote:
Every implementation which display the shared secrets as QR code in security theatre.
For many organisations the primary threat w.r.t. authentication credentials is credential theft and remote use (phishing. etc.). Provisioning to a soft-token via a QR code is perfectly adequate for that threat model. The attacker is not looking over your shoulder, and TOFU works great almost all of the time.
It is difficult to determine since most surveys like the Verizon DBIR to not request the info (yet) but expect to see more companies deploying 2FA for admin access thanks to PCI and the fact that it makes a ton of sense. 2FA can help minimize pass-the-hash attacks and other escalation techniques used to get data once in the network. If I were a new CSO, I would put 2FA on outbound connections too, just to see what's going on. (yes, we are far from radius. apologies.) nick
We've looked at this in detail, and there are about 250 people in our organisation of 30k+ that could justify a hard token.
If we ever get 2FA deployed, it's going to be soft-tokens deployed w/ in-band provisioning for almost everyone, because it's the only thing that makes sense and it ABSOLUTELY IS NOT security theatre for us. It addresses a real threat.
Regards, Phil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication