On Sun, Jun 5, 2016 at 5:17 PM, Peter Lambrechtsen <peter@crypt.nz> wrote:
On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael@stroeder.com> wrote:
Michael Ströder wrote:
Peter Lambrechtsen wrote:
do see there are multiple sites now support TOTP where the enrollment
is
seamless for end-users. Login to a web site, use Google Authenticator or Authy or any other myriad of TOTP clients to scan the QR code.
I really wonder why scanning the shared secret as QR code from a screen is considered an acceptable security practice. :-/
BTW: And hosted OTP services have access to all the shared secrets...
How is that any different to SecurID, safeword,Vasco or any of the other commercial token vendors?
We are a vendor that uses asymmetric keys generated on the devices/your on-premises server designed exactly to avoid this 'vendor-in-the-middle' threat. So, that's different.
By it's very nature the secret needs to be kept somewhere. Yes Yubikey is marginally better as you can generate your own.
But the CD that comes with your hard token had to be written somewhere and the vendors keep a copy. I have in the past been able to get replacement keys when rebuilding a SecurID and Vasco box so it would surprise me if they destroyed all copies of the token data. The historic SecurID hack seems to indicate they didn't then. http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-c...
The beauty in soft tokens is it's trivial to reenroll everyone on next login. "Sorry our db with hashed passwords and otps got hacked. Please reenroll by scanning the qr and remove the old one."
This is why I think the OTP algorithm is not that important. The important protocol for most orgs is radius, b/c it will allow you to move between auth servers easily.
If it were so bad how come Google, dropbox, linkedin, github and a whole myriad of different online companies have implemented it for second factor auth? And they all enroll you separately so you now need a key locker / authy / google authenticator to manage the individual otps for each company.
Like most things in security, it was there and made it easy to check the box.
I see it no worse than any other OTP solution as the secret needs to be kept secret.
I'll just say that I am very glad to not have possession of all our customers' shared secrets. It helps me sleep at night. I am very glad to see other people actually care about this.
Ciao, Michael.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication