Freeradius and 2 Factor Authentication

Michael Ströder michael at stroeder.com
Sat Jun 11 18:23:02 CEST 2016


Peter Lambrechtsen wrote:
> While I agree with you philosophically on OTP in general being a bit of a
> painful experience. And plugging a Yubikey into a USB Port hitting a button
> and getting a bit long string makes for a pleasant end user experience. I
> do see there are multiple sites now supporting TOTP where the enrollment is
> seamless for end-users. Log in to a web site, use Google Authenticator or
> Authy or any other myriad of TOTP clients to scan the QR code. The
> enrollment experience is awesome when you're armed with your smart phone
> using a browser on a desktop and consistent across multiple sites / cloud
> providers as everyone is doing TOTP multi-factor authentication.

And it's also awesome for attackers that the long-term secret is shown as
plain-text on a screen. ;-}

Also the enrollment authentication is only as strong as the login password.

> If you go
> into the Yubikey world, even though it's awesome you are still locked into
> that vendor.

You don't have to use the proprietary Yubico-OTP algorithm. You can initialize
the yubikey with your own shared secret for OATH HOTP (RFC 4226). Still it's
hard work to implement a really secure token enrollment but BTDT.

> The Fortinet FortiToken-200
> is a pretty good build quality physical token yet it still conforms to the
> RFC6238 / OATH standard.

Hmm, still the user has to type in the OTP. Also seems to be limited to 6 digits.

> I really like this site www.xanxys.net/totp/ as it's super easy to
> implement a full client side browser based enrollment process all in a
> single dumb html page.

Every implementation which displays the shared secrets as QR code is security
theatre.

> Preaching to the choir here. But I am a big advocate for the open standard
> RFC compliant token solution rather than locking you into any particular
> vendor.

+1

> This blog entry:
> https://blog.evernote.com/tech/2013/06/18/freeradius-openldap-totp-part-2/
> 
> Covers how to do it all using Perl. It's a little dodgy since they use perl
> to query ldap to get the hash which seems a very complex way to go about it
> IMHO.

They have pre-calculated hashes in the directory for the whole drift window?

Ciao, Michael.
