Wandering Thoughts archives


What I want out of two factor authentication for my own use

Locally, we don't currently use two factor authentication for anything (for reasons that in large part boil down to 'no one has money to fund it'). I don't know if we can change that, but I'd like to at least move in that direction, and one part of any such move is trying to think about what I want out of a two factor authentication system. Since this is a broad area, I'm focusing on my own use today.

Right off the bat, any two factor authentication system we deploy has to be capable of being used for only certain accounts (and only for certain services, like SSH logins). The odds that we'll ever be able to deploy something universally are essentially nil; to put it crudely, no one is going to pay for two-factor authenticators for graduate students (and we can't assume that all grad students will have smartphones). Similarly, it's unlikely that we'll ever be able to get all our services to be 2FA-capable.

For my own use, what I care about is SSH access and what I want out of 2FA is for it to be as convenient as SSH with an unlocked keypair (while being more secure). I log in to and out of enough of our machines every day that having to enter a 2FA password or challenge every time would be really irritating. At the same time I do want to have to unlock the 2FA system somehow, since I don't want to reduce this down to 'has possession of a magic dongle'. It'd be ideal if some SSH authentication could be configured to require explicit 2FA with a password I have to type as well as whatever 'proof of object' there is (ideally more or less automated).

(Oh, and all of this needs to work from Linux clients to Linux and OmniOS servers, and ideally OpenBSD servers as well.)

Based on some Internet searching today, it seems the way many people are doing this is with a Yubikey Neo from Yubico. They're even cheap enough that we might be able to buy at least one to experiment with (it helps that they don't require expensive software licenses to go with them). If there are other reasonably popular alternatives, they don't seem to come up in my Internet searches.

(A smartphone based solution is not a good one for me because I don't have a smartphone.)

sysadmin/TwoFactorAuthMyWants written at 02:05:27
