Freeradius and 2 Factor Authentication
Phil Mayers
p.mayers at imperial.ac.uk
Sat Jun 11 22:26:24 CEST 2016
On 11/06/2016 17:23, Michael Ströder wrote:
> Every implementation which displays the shared secrets as QR code is security
> theatre.
For many organisations the primary threat w.r.t. authentication
credentials is credential theft and remote use (phishing, etc.).
Provisioning to a soft-token via a QR code is perfectly adequate for
that threat model. The attacker is not looking over your shoulder, and
TOFU works great almost all of the time.
We've looked at this in detail, and there are about 250 people in our
organisation of 30k+ that could justify a hard token.
If we ever get 2FA deployed, it's going to be soft-tokens deployed w/
in-band provisioning for almost everyone, because it's the only thing
that makes sense and it ABSOLUTELY IS NOT security theatre for us. It
addresses a real threat.
Regards,
Phil