What I want out of two factor authentication for my own use

August 5, 2015

Locally, we don't currently use two factor authentication for anything (for reasons that in large part boil down to 'no one has money to fund it'). I don't know if we can change that, but I'd like to at least move in that direction, and one part of any such move is trying to think about what I want out of a two factor authentication system. Since this is a broad area, I'm focusing on my own use today.

Right off the bat, any two factor authentication system we deploy has to be capable of being used for only certain accounts (and only for certain services, like SSH logins). The odds that we'll ever be able to deploy something universally are essentially nil; to put it crudely, no one is going to pay for two-factor authenticators for graduate students (and we can't assume that all grad students will have smartphones). Similarly it's unlikely that we'll ever be able to get all our services to be 2FA capable.

For my own use, what I care about is SSH access and what I want out of 2FA is for it to be as convenient as SSH with an unlocked keypair (while being more secure). I log in to and out of enough of our machines every day that having to enter a 2FA password or challenge every time would be really irritating. At the same time I do want to have to unlock the 2FA system somehow, since I don't want to reduce this down to 'has possession of a magic dongle'. It'd be ideal if some SSH authentication could be configured to require explicit 2FA with a password I have to type as well as whatever 'proof of object' there is (ideally more or less automated).

(Oh, and all of this needs to work from Linux clients to Linux and OmniOS servers, and ideally OpenBSD servers as well.)
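As an added illustration of the selective, SSH-only setup described above (this is example configuration, not something from the original post or from any particular site), here is how the server side can be expressed with OpenSSH. It assumes OpenSSH 6.2 or later (which introduced AuthenticationMethods), a PAM stack for sshd that performs the second-factor check, and a Unix group named 'twofactor' listing the accounts that must use it; the group name and the PAM arrangement are assumptions, not anything the post specifies.

```sshd_config
# /etc/ssh/sshd_config -- added example, not from the original post.
# Assumes OpenSSH 6.2+ (AuthenticationMethods, Match), a PAM stack for
# sshd that checks the token, and a group 'twofactor' (assumed name)
# containing the accounts that must present a second factor.

# Hand keyboard-interactive prompts to PAM. The token module itself
# (for example pam_yubico for a YubiKey) lives in /etc/pam.d/sshd and
# is not shown here; plain password logins stay disabled.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

# Site default: an ordinary public key and nothing else. Accounts that
# are not in the group keep logging in exactly as they do today, so the
# scheme can be rolled out one account at a time.
AuthenticationMethods publickey

# Accounts in the group must pass BOTH checks, in this order: the
# ssh-agent-held key (no typing needed) and then the PAM challenge,
# which is where the password-plus-token prompt appears.
Match Group twofactor
    AuthenticationMethods publickey,keyboard-interactive
```

Before reloading sshd, check what the Match block actually yields for a given account with the extended test mode, e.g. `sshd -T -C user=alice,host=example.org,addr=203.0.113.5 | grep -i authenticationmethods` (the user, host and address here are placeholders); it should print only `publickey` for an ordinary account and `publickey,keyboard-interactive` for a member of the group. The caveat for the platform list in the post is that this only works where the server is OpenSSH 6.2 or newer, so the sshd version on each OmniOS and OpenBSD host needs checking first, and the PAM side has to be configured separately on every machine that is meant to enforce the second factor.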

Based on some Internet searching today, it seems the way many people are doing this is with a Yubikey Neo from Yubico. They're even cheap enough that we might be able to buy at least one to experiment with (it helps that they don't require expensive software licenses to go with them). If there are other reasonably popular alternatives, they don't seem to come up in my Internet searches.

(A smartphone based solution is not a good one for me because I don't have a smartphone.)

Comments on this page:

I use OpenPGP smart cards for this purpose. You can buy the smart cards with a SIM breakout option for use with a USB memory stick sized card reader (eg Gemalto IDBridge K30).

By Miksa at 2015-08-05 17:24:55:

One solution for people without smartphones or other devices could be one-time password sheets. That is what Finnish banks have used pretty much since the beginning of internet banking.

You have a username/code, a password/PIN code and also a sheet with numbered PIN codes. The sheet folds to credit card size and whenever you log in to the online bank or try to do a money transfer it will give you a number and you have to input the corresponding PIN code.

The university I attended in the late 90s used S/KEY pass phrase sheets that were given to students when they joined. Whenever you wanted to change your password you needed to give a pass phrase as verification.

By Jason Ross at 2015-08-05 22:41:58:

I have actually become quite fond of Duo. While it's not cheap, especially on a large scale, it has lots of flexibility in one setup. We have users with tokens, smartphones, feature phones, even landlines. It supports every token I have ever wanted, sets of one-time codes (like Google backup codes), SMS, phone call, and push notification. We have it integrated in different ways in different places, from RDP, to ssh, to PAM on OS X.

Wow, that reads like an ad. I didn't even realize I was that opinionated.

Last modified: Wed Aug 5 02:05:27 2015