Freeradius and 2 Factor Authentication

Nick Owen owen.nick at gmail.com
Mon Jun 6 16:22:31 CEST 2016


On Sun, Jun 5, 2016 at 5:17 PM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at stroeder.com> wrote:
>>
>> Michael Ströder wrote:
>> > Peter Lambrechtsen wrote:
>> >> I do see there are multiple sites that now support TOTP where the enrollment
>> >> is seamless for end-users. Log in to a web site, use Google Authenticator
>> >> or Authy or any of the myriad other TOTP clients to scan the QR code.
>> >
>> > I really wonder why scanning the shared secret as a QR code from a screen
>> > is considered an acceptable security practice. :-/
>>
>> BTW: And hosted OTP services have access to all the shared secrets...
>
> How is that any different to SecurID, SafeWord, Vasco or any of the other
> commercial token vendors?

We are a vendor that uses asymmetric keys generated on the
devices/your on-premises server, designed exactly to avoid this
'vendor-in-the-middle' threat. So, that's different.


>
> By its very nature the secret needs to be kept somewhere. Yes, YubiKey is
> marginally better as you can generate your own.
>
> But the CD that comes with your hard token had to be written somewhere and
> the vendors keep a copy. I have in the past been able to get replacement
> keys when rebuilding a SecurID and Vasco box so it would surprise me if
> they destroyed all copies of the token data. The historic SecurID hack
> seems to indicate they didn't then.
> http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/
>
> The beauty of soft tokens is that it's trivial to re-enroll everyone on next
> login. "Sorry, our DB with hashed passwords and OTPs got hacked. Please
> re-enroll by scanning the QR code and remove the old one."

This is why I think the OTP algorithm is not that important. The
important protocol for most orgs is RADIUS, because it will allow you to
move between auth servers easily.

>
> If it were so bad, how come Google, Dropbox, LinkedIn, GitHub and a whole
> myriad of different online companies have implemented it for second-factor
> auth? And they all enroll you separately, so you now need a key locker /
> Authy / Google Authenticator to manage the individual OTPs for each company.

Like most things in security, it was there and made it easy to check the box.

>
> I see it no worse than any other OTP solution as the secret needs to be
> kept secret.

I'll just say that I am very glad to not have possession of all our
customers' shared secrets. It helps me sleep at night.

I am very glad to see other people actually care about this.


>
>>
>> Ciao, Michael.



-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication