Freeradius and 2 Factor Authentication

Michael Ströder michael at
Sat Jun 11 18:23:02 CEST 2016

Peter Lambrechtsen wrote:
> While I agree with you philosophically on OTP in general being a bit of a
> painful experience. And plugging a Yubikey into a USB Port hitting a button
> and getting a bit long string makes for a pleasant end user experience. I
> do see there are multiple sites now supporting TOTP where the enrollment is
> seamless for end-users. Login to a web site, use Google Authenticator or
> Authy or any other myriad of TOTP clients to scan the QR code. The
> enrollment experience is awesome when you're armed with your smart phone
> using a browser on a desktop and consistent across multiple sites / cloud
> providers as everyone is doing TOTP multi-factor authentication.

And it's also awesome for attackers that the long-term secret is shown as
plain-text on a screen. ;-}

Also the enrollment authentication is only as strong as the login password.

> If you go
> into the Yubikey world, even though it's awesome you are still locked into
> that vendor.

You don't have to use the proprietary Yubico-OTP algorithm. You can initialize
the yubikey with your own shared secret for OATH HOTP (RFC 4226). Still it's
hard work to implement a really secure token enrollment but BTDT.

> The Fortinet FortiToken-200
> is a pretty good build quality physical token yet it still conforms to the
> RFC6238 / OATH standard.

Hmm, still the user has to type in the OTP. Also seems to be limited to 6 digits.

> I really like this site as it's super easy to
> implement a full client side browser based enrollment process all in a
> single dumb html page.

Every implementation which displays the shared secrets as a QR code in security

> Preaching to the choir here. But I am a big advocate for the open standard
> RFC compliant token solution rather than locking you into any particular
> vendor.


> This blog entry:
> Covers how to do it all using Perl. It's a little dodgy since they use perl
> to query ldap to get the hash which seems a very complex way to go about it

They have pre-calculated hashes in the directory for the whole drift window?

Ciao, Michael.
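The OATH mechanics this thread keeps circling back to, HOTP (RFC 4226), TOTP (RFC 6238), the 6-digit truncation and the drift window a server has to tolerate, as an added example that is not code from the original thread; the secret is the published RFC test secret, and the function names are my own.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, drift_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code if it matches any step within +/- drift_steps of the server clock.
    This loop is exactly the set of values a server would have to pre-compute if it
    stored hashes for the whole drift window in a directory instead of deriving them."""
    counter = unix_time // step
    ok = False
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        # compare_digest keeps the comparison constant-time for every candidate step
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real token seed.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print("HOTP counter", n, hotp(RFC_SECRET, n))       # 755224, 287082, 359152
    print("TOTP T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

With `drift_steps=1` the server accepts three codes per attempt, so the 6-digit space shrinks to roughly one in 333,000 per guess; that is why a lockout counter matters as much as the digit count.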
