Freeradius and 2 Factor Authentication
Cornelius Kölbel
cornelius.koelbel at netknights.it
Sun Jun 12 20:30:39 CEST 2016
On Saturday, 11.06.2016, at 21:26 +0100, Phil Mayers wrote:
> On 11/06/2016 17:23, Michael Ströder wrote:
>
> > Every implementation which displays the shared secrets as QR code is security
> > theatre.
>
> For many organisations the primary threat w.r.t. authentication
> credentials is credential theft and remote use (phishing, etc.).
> Provisioning to a soft-token via a QR code is perfectly adequate for
> that threat model. The attacker is not looking over your shoulder, and
> TOFU works great almost all of the time.
>
> We've looked at this in detail, and there are about 250 people in our
> organisation of 30k+ that could justify a hard token.
So you should choose a solution where you can combine soft tokens, text
messages, OTPs via email *argh* and hardware tokens, just as you wish.
This would make the best sense for your scenario.
>
> If we ever get 2FA deployed, it's going to be soft-tokens deployed w/
> in-band provisioning for almost everyone, because it's the only thing
> that makes sense and it ABSOLUTELY IS NOT security theatre for us. It
> addresses a real threat.
>
> Regards,
> Phil
--
Cornelius Kölbel
cornelius.koelbel at netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
District Court (Amtsgericht) Kassel, HRB 16405
Managing Director: Cornelius Kölbel