Freeradius and 2 Factor Authentication

Cornelius Kölbel cornelius.koelbel at
Sun Jun 12 20:36:37 CEST 2016

On Monday, 06.06.2016, 09:17 +1200, Peter Lambrechtsen wrote:
> On Jun 6, 2016 8:32 AM, "Michael Ströder" <michael at> wrote:
> >
> > Michael Ströder wrote:
> > > Peter Lambrechtsen wrote:
> > >> do see there are multiple sites now support TOTP where the enrollment is
> > >> seamless for end-users. Login to a web site, use Google Authenticator or
> > >> Authy or any other myriad of TOTP clients to scan the QR code.
> > >
> > > I really wonder why scanning the shared secret as QR code from a screen is
> > > considered an acceptable security practice. :-/
> >
> > BTW: And hosted OTP services have access to all the shared secrets...
> How is that any different to SecurID, safeword,Vasco or any of the other
> commercial token vendors?
> By it's very nature the secret needs to be kept somewhere. Yes Yubikey is
> marginally better as you can generate your own.
> But the CD that comes with your hard token had to be written somewhere and
> the vendors keep a copy. I have in the past been able to get replacement
> keys when rebuilding a SecurID and Vasco box so it would surprise me if
> they destroyed all copies of the token data. The historic SecurID hack
> seems to indicate they didn't then.
> The beauty in soft tokens is it's trivial to reenroll everyone on next
> login. "Sorry our db with hashed passwords and otps got hacked. Please
> reenroll by scanning the qr and remove the old one."
> If it were so bad how come Google, dropbox, linkedin, github and a whole
> myriad of different online companies have implemented it for second factor
> auth? And they all enroll you separately so you now need a key locker /
> authy / google authenticator to manage the individual otps for each company.

Google, Dropbox, LinkedIn have only limited interest in the security of
the user. Or, the other way round, the users enrolling the optional 2nd
factor have an interest in security. This is why Go, Dr, Li can do it
this way. It is convenient for them and the security-aware user will
take care.

But in an enterprise environment you must suppose that the users are
not security aware and care less about enterprise data than their
personal data.

Often you have the problem that users share their passwords.
When using Google Authenticator in TOTP mode it is easy for the users to
also share the 2nd factor.

> I see it no worse than any other OTP solution as the secret needs to be
> kept secret.
> >
> > Ciao, Michael.
> >
> >

Cornelius Kölbel
cornelius.koelbel at
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
