Freeradius and 2 Factor Authentication

Phil Mayers p.mayers at
Sat Jun 11 22:26:24 CEST 2016

On 11/06/2016 17:23, Michael Ströder wrote:

> Every implementation which displays the shared secrets as QR code is security
> theatre.

For many organisations the primary threat w.r.t. authentication 
credentials is credential theft and remote use (phishing, etc.).
Provisioning to a soft-token via a QR code is perfectly adequate for 
that threat model. The attacker is not looking over your shoulder, and 
TOFU works great almost all of the time.

We've looked at this in detail, and there are about 250 people in our 
organisation of 30k+ that could justify a hard token.

If we ever get 2FA deployed, it's going to be soft-tokens deployed w/ 
in-band provisioning for almost everyone, because it's the only thing 
that makes sense and it ABSOLUTELY IS NOT security theatre for us. It 
addresses a real threat.


