Freeradius and 2 Factor Authentication

Nick Owen owen.nick at
Mon Jun 6 16:22:31 CEST 2016

On Sun, Jun 5, 2016 at 5:17 PM, Peter Lambrechtsen <peter at> wrote:
> On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at> wrote:
>> Michael Ströder wrote:
>> > Peter Lambrechtsen wrote:
>> >> do see there are multiple sites that now support TOTP where the enrollment
>> >> is seamless for end-users. Log in to a web site, use Google Authenticator
>> >> or Authy or any other myriad of TOTP clients to scan the QR code.
>> >
>> > I really wonder why scanning the shared secret as QR code from a screen
>> > is considered an acceptable security practice. :-/
>> BTW: And hosted OTP services have access to all the shared secrets...
> How is that any different to SecurID, SafeWord, Vasco or any of the other
> commercial token vendors?

We are a vendor that uses asymmetric keys generated on the
devices/your on-premises server designed exactly to avoid this
'vendor-in-the-middle' threat. So, that's different.

> By its very nature the secret needs to be kept somewhere. Yes Yubikey is
> marginally better as you can generate your own.
> But the CD that comes with your hard token had to be written somewhere and
> the vendors keep a copy. I have in the past been able to get replacement
> keys when rebuilding a SecurID and Vasco box so it would surprise me if
> they destroyed all copies of the token data. The historic SecurID hack
> seems to indicate they didn't then.
> The beauty in soft tokens is it's trivial to reenroll everyone on next
> login. "Sorry our db with hashed passwords and otps got hacked. Please
> reenroll by scanning the qr and remove the old one."

This is why I think the OTP algorithm is not that important.  The
important protocol for most orgs is radius, b/c it will allow you to
move between auth servers easily.

> If it were so bad how come Google, dropbox, linkedin, github and a whole
> myriad of different online companies have implemented it for second factor
> auth? And they all enroll you separately so you now need a key locker /
> authy / google authenticator to manage the individual otps for each company.

Like most things in security, it was there and made it easy to check the box.

> I see it no worse than any other OTP solution as the secret needs to be
> kept secret.

I'll just say that I am very glad to not have possession of all our
customers' shared secrets.  It helps me sleep at night.

I am very glad to see other people actually care about this.

>> Ciao, Michael.

Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication

More information about the Freeradius-Users mailing list