On 11/06/2016 17:23, Michael Ströder wrote:
Every implementation which display the shared secrets as QR code in security theatre.
For many organisations the primary threat w.r.t. authentication credentials is credential theft and remote use (phishing. etc.). Provisioning to a soft-token via a QR code is perfectly adequate for that threat model. The attacker is not looking over your shoulder, and TOFU works great almost all of the time. We've looked at this in detail, and there are about 250 people in our organisation of 30k+ that could justify a hard token. If we ever get 2FA deployed, it's going to be soft-tokens deployed w/ in-band provisioning for almost everyone, because it's the only thing that makes sense and it ABSOLUTELY IS NOT security theatre for us. It addresses a real threat. Regards, Phil