Freeradius and 2 Factor Authentication

Nick Owen owen.nick at
Tue Jun 14 16:12:09 CEST 2016

On Sat, Jun 11, 2016 at 4:26 PM, Phil Mayers <p.mayers at> wrote:
> On 11/06/2016 17:23, Michael Ströder wrote:
>> Every implementation which displays the shared secrets as QR code is
>> security theatre.
> For many organisations the primary threat w.r.t. authentication credentials
> is credential theft and remote use (phishing, etc.). Provisioning to a
> soft-token via a QR code is perfectly adequate for that threat model. The
> attacker is not looking over your shoulder, and TOFU works great almost all
> of the time.

It is difficult to determine since most surveys like the Verizon DBIR
do not request the info (yet) but expect to see more companies
deploying 2FA for admin access thanks to PCI and the fact that it
makes a ton of sense.  2FA can help minimize pass-the-hash attacks and
other escalation techniques used to get data once in the network. If I
were a new CSO, I would put 2FA on outbound connections too, just to
see what's going on.

(yes, we are far from radius.  apologies.)


> We've looked at this in detail, and there are about 250 people in our
> organisation of 30k+ that could justify a hard token.
> If we ever get 2FA deployed, it's going to be soft-tokens deployed w/
> in-band provisioning for almost everyone, because it's the only thing that
> makes sense and it ABSOLUTELY IS NOT security theatre for us. It addresses a
> real threat.
> Regards,
> Phil

Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
