Freeradius and 2 Factor Authentication

Peter Lambrechtsen peter at
Sun Jun 5 23:17:22 CEST 2016

On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at> wrote:
> Michael Ströder wrote:
> > Peter Lambrechtsen wrote:
> >> I do see there are multiple sites now that support TOTP where the enrollment is
> >> seamless for end-users. Log in to a web site, use Google Authenticator,
> >> Authy or any other myriad of TOTP clients to scan the QR code.
> >
> > I really wonder why scanning the shared secret as QR code from a screen is
> > considered an acceptable security practice. :-/
> BTW: And hosted OTP services have access to all the shared secrets...

How is that any different to SecurID, SafeWord, Vasco or any of the other
commercial token vendors?

By its very nature the secret needs to be kept somewhere. Yes, Yubikey is
marginally better as you can generate your own.

But the CD that comes with your hard token had to be written somewhere and
the vendors keep a copy. I have in the past been able to get replacement
keys when rebuilding a SecurID and Vasco box so it would surprise me if
they destroyed all copies of the token data. The historic SecurID hack
seems to indicate they didn't then.

The beauty in soft tokens is it's trivial to reenroll everyone on next
login. "Sorry, our DB with hashed passwords and OTPs got hacked. Please
reenroll by scanning the QR and remove the old one."

If it were so bad, how come Google, Dropbox, LinkedIn, GitHub and a whole
myriad of different online companies have implemented it for second factor
auth? And they all enroll you separately, so you now need a key locker /
Authy / Google Authenticator to manage the individual OTPs for each company.

I see it no worse than any other OTP solution as the secret needs to be
kept secret.

> Ciao, Michael.
> -
> List info/subscribe/unsubscribe? See
