Freeradius and 2 Factor Authentication
owen.nick at gmail.com
Mon Jun 6 16:22:31 CEST 2016
On Sun, Jun 5, 2016 at 5:17 PM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at stroeder.com> wrote:
>> Michael Ströder wrote:
>> > Peter Lambrechtsen wrote:
>> >> do see there are multiple sites now supporting TOTP where the enrollment
>> >> is seamless for end-users. Login to a web site, use Google Authenticator,
>> >> Authy or any other of the myriad TOTP clients to scan the QR code.
>> > I really wonder why scanning the shared secret as a QR code from a screen
>> > is considered an acceptable security practice. :-/
>> BTW: And hosted OTP services have access to all the shared secrets...
> How is that any different to SecurID, Safeword, Vasco or any of the other
> commercial token vendors?
We are a vendor that uses asymmetric keys generated on the
devices/your on-premises server designed exactly to avoid this
'vendor-in-the-middle' threat. So, that's different.
> By its very nature the secret needs to be kept somewhere. Yes, Yubikey is
> marginally better as you can generate your own.
> But the CD that comes with your hard token had to be written somewhere and
> the vendors keep a copy. I have in the past been able to get replacement
> keys when rebuilding a SecurID and Vasco box so it would surprise me if
> they destroyed all copies of the token data. The historic SecurID hack
> seems to indicate they didn't then.
> The beauty in soft tokens is it's trivial to reenroll everyone on next
> login. "Sorry our db with hashed passwords and otps got hacked. Please
> reenroll by scanning the qr and remove the old one."
This is why I think the OTP algorithm is not that important. The
important protocol for most orgs is radius, b/c it will allow you to
move between auth servers easily.
> If it were so bad how come Google, dropbox, linkedin, github and a whole
> myriad of different online companies have implemented it for second factor
> auth? And they all enroll you separately so you now need a key locker /
> authy / google authenticator to manage the individual otps for each company.
Like most things in security, it was there and made it easy to check the box.
> I see it no worse than any other OTP solution as the secret needs to be
> kept secret.
I'll just say that I am very glad to not have possession of all our
customers' shared secrets. It helps me sleep at night.
I am very glad to see other people actually care about this.
>> Ciao, Michael.
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication