Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at
Mon Jun 6 00:03:07 CEST 2016

> On 5 Jun 2016, at 17:17, Peter Lambrechtsen <peter at> wrote:
> On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at> wrote:
>> Michael Ströder wrote:
>>> Peter Lambrechtsen wrote:
>>>> do see there are multiple sites that now support TOTP where the enrollment is
>>>> seamless for end-users. Login to a web site, use Google Authenticator or
>>>> Authy or any other myriad of TOTP clients to scan the QR code.
>>> I really wonder why scanning the shared secret as QR code from a screen is
>>> considered an acceptable security practice. :-/
>> BTW: And hosted OTP services have access to all the shared secrets...
> How is that any different to SecurID, safeword, Vasco or any of the other
> commercial token vendors?
> By its very nature the secret needs to be kept somewhere. Yes Yubikey is
> marginally better as you can generate your own.

I guess they don't open source the code that actually goes on the keys, and
even if they did you would have no way of validating that was what was on the key,
as they intentionally don't leave any way to access the key firmware.

But the master keys live on *your* servers, and the code to perform the
validation is open sourced. It's just AES 256 encryption.

> But the CD that comes with your hard token had to be written somewhere and
> the vendors keep a copy.
> I have in the past been able to get replacement
> keys when rebuilding a SecurID and Vasco box so it would surprise me if
> they destroyed all copies of the token data.

Ooo that's bad.

> The historic SecurID hack
> seems to indicate they didn't then.
> The beauty in soft tokens is it's trivial to reenroll everyone on next
> login. "Sorry our db with hashed passwords and otps got hacked. Please
> reenroll by scanning the qr and remove the old one."
> If it were so bad how come Google, dropbox, linkedin, github and a whole
> myriad of different online companies have implemented it for second factor
> auth?

Cos it's cheap and easy, and plays into the whole security theatre thing.

> And they all enroll you separately so you now need a key locker /
> authy / google authenticator to manage the individual otps for each company.
> I see it no worse than any other OTP solution as the secret needs to be
> kept secret.

Well, not really worse than any other soft tokens, no.  But it does present
a nice target for malware developers.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
