Peter Lambrechtsen wrote:
While I agree with you philosophically on OTP in general being a bit of a painful experience. And plugging a Yubikey into a USB Port hitting a button and getting a bit long string makes for a pleasant end user experience. I do see there are multiple sites now support TOTP where the enrollment is seamless for end-users. Login to a web site, use Google Authenticator or Authy or any other myriad of TOTP clients to scan the QR code. The enrollment experience is awesome when you're armed with your smart phone using a browser on a desktop and consistent across multiple sites / cloud providers as everyone is doing TOTP multi-factor authentication.
And it's also awesome for attackers that the long-term secret is shown as plain-text on a screen. ;-} Also the enrollment authentication is only as strong as the login password.
If you go into the Yubikey world, even though it's awesome you are still locked into that vendor.
You don't have to use the proprietary Yubico-OTP algorithm. You can initialize the yubikey with your own shared secret for OATH HOTP (RFC 4226). Still it's hard work to implement a really secure token enrollment but BTDT.
The Fortinet FortiToken-200 is a pretty good build quality physical token yet it still conforms to the RFC6238 / OATH standard.
Hmm, still the user has to type in the OTP. Also seems to be limited to 6 digits.
I really like this site www.xanxys.net/totp/ as it's super easy to implement a full client side browser based enrollment process all in a single dumb html page.
Every implementation which display the shared secrets as QR code in security theatre.
Preaching to the choir here. But I am a big advocate for the open standard RFC compliant token solution rather than locking you into any particular vendor.
+1
This blog entry: https://blog.evernote.com/tech/2013/06/18/freeradius-openldap-totp-part-2/
Covers how to do it all using Perl. It's a little dodgy since they use perl to query ldap to get the hash which seems a very complex way to go about it IMHO.
They have pre-calculated hashes in the directory for the whole drift window? Ciao, Michael.