Am Samstag, den 11.06.2016, 21:26 +0100 schrieb Phil Mayers:
On 11/06/2016 17:23, Michael Ströder wrote:
Every implementation which display the shared secrets as QR code in security theatre.
For many organisations the primary threat w.r.t. authentication credentials is credential theft and remote use (phishing. etc.). Provisioning to a soft-token via a QR code is perfectly adequate for that threat model. The attacker is not looking over your shoulder, and TOFU works great almost all of the time.
We've looked at this in detail, and there are about 250 people in our organisation of 30k+ that could justify a hard token.
So you should choose a solution, where you can combine soft tokens, text messages, OTPs via email *argh* and hardware tokens, just as you wish. This would make the best sense for your scenario.
If we ever get 2FA deployed, it's going to be soft-tokens deployed w/ in-band provisioning for almost everyone, because it's the only thing that makes sense and it ABSOLUTELY IS NOT security theatre for us. It addresses a real threat.
Regards, Phil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cornelius Kölbel cornelius.koelbel@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel