Freeradius and 2 Factor Authentication

Cornelius Kölbel cornelius.koelbel at
Sun Jun 12 20:30:39 CEST 2016

Am Samstag, den 11.06.2016, 21:26 +0100 schrieb Phil Mayers:
> On 11/06/2016 17:23, Michael Ströder wrote:
> > Every implementation which display the shared secrets as QR code in security
> > theatre.
> For many organisations the primary threat w.r.t. authentication 
> credentials is credential theft and remote use (phishing. etc.). 
> Provisioning to a soft-token via a QR code is perfectly adequate for 
> that threat model. The attacker is not looking over your shoulder, and 
> TOFU works great almost all of the time.
> We've looked at this in detail, and there are about 250 people in our 
> organisation of 30k+ that could justify a hard token.

So you should choose a solution, where you can combine soft tokens, text
messages, OTPs via email *argh* and hardware tokens, just as you wish.
This would make the best sense for your scenario.

> If we ever get 2FA deployed, it's going to be soft-tokens deployed w/ 
> in-band provisioning for almost everyone, because it's the only thing 
> that makes sense and it ABSOLUTELY IS NOT security theatre for us. It 
> addresses a real threat.
> Regards,
> Phil
> -
> List info/subscribe/unsubscribe? See

Cornelius Kölbel
cornelius.koelbel at
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Freeradius-Users mailing list