[wplug-internet] Two-factor authentication

John Lewis oflameo2 at gmail.com
Tue Feb 10 16:33:55 EST 2015


So is WPLUG going to buy me a smart phone and configure it not to spy on me?

I think it is a bad idea.

First, your solution admittedly doesn't work with GNU/Linux and requires
the use of Google-controlled Android Linux, which we are both trying to
move away from?

Secondly, is your password really so weak that you need another layer
of security? If so, I recommend reading this comic https://xkcd.com/936/ or
man mkpasswd from the Expect package.

Thirdly, are you willing to be responsible to get someone logged in in
case one of the factors breaks and someone who administrates WPLUG.org
can't log in?

Fourthly, wouldn't the simple fix be encrypting the target data? Most of
the data we can expunge once we have a digital system that ties people
to email instead of their address.

Fifthly, who specifically are we trying to keep out?

Sixthly, wouldn't a document be more useful than a one-time
tutorial?

----

Overall I don't think it is worth pursuing whatsoever. There is far lower
hanging fruit to catch at the moment than to implement mandatory two
factor authentication that requires a smart phone dependency. An example
of such low hanging fruit is salting and hashing the mailing list passwords.

In my opinion two factor authentication exists mainly as insurance
against people who cannot be trusted to manage passwords and to cover
for old systems that can't store good passwords.

If you have a login and you feel the need to have two factor
authentication right now, create an ssh key pair with an encrypted
private key and prevent yourself from logging in without it. You don't
even have to ask anybody to do it. It is non-disruptive, the failure of
the setup has a very small chance of locking everyone out of the server,
and has no smart phone dependency and can be used from your smart phone.

----

To digress, why does Haiku need two factor authentication? What is there
to steal?
 
On 02/10/2015 03:37 PM, Justin Smith wrote:
> I'm currently working with Joe to implement two-factor authentication via 
> oath on Haiku's OpenSUSE servers. If you attended January's GUM, you'll 
> recognize that this is the topic Pat presented on. I used his slides as a 
> guide. (Thanks, Pat!)
>
> Since I now understand how to install and configure oath, I'd be willing to 
> set it up on WPLUG's VPS. We store people's personal information - their 
> names, addresses, and so on - so I think the added security would be an 
> asset.
>
> This would require everyone with a user account to have a smartphone 
> with a properly-configured OTP application in order to log in. However, we 
> can make exceptions where appropriate. If John Doe doesn't own a 
> smartphone, we can turn off two-factor authentication for his account.
>
> Is this an idea worth pursuing? I'd be willing to set up oath and create a 
> short tutorial.
>
>
> *Justin Smith*
> GNU/Linux System Administrator
>
> /"Nothing in this world can take the place of persistence. Talent will not; 
> nothing is more common than unsuccessful people with talent. Genius will 
> not; unrewarded genius is almost a proverb. Education will not; the world is 
> full of educated derelicts."/
>
> /-Calvin Coolidge/
>
>
>
> _______________________________________________
> wplug-internet mailing list
> wplug-internet at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug-internet
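
Added example, not part of the original message or of WPLUG's setup: the reply's suggestion of an SSH key pair with an encrypted private key can only be checked on the client, because sshd sees just the public half. The sketch below reads the header of an OpenSSH-format private key (layout per OpenSSH's PROTOCOL.key) and reports the cipher and KDF; the two sample keys are constructed containers with placeholder payloads, and the function names are hypothetical.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC from OpenSSH's PROTOCOL.key

def _string(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def key_protection(pem_text):
    """Report how an OpenSSH-format private key is protected at rest."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    kdfopts, off = _string(blob, off)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, pos = _string(kdfopts, 0)
        if pos + 4 > len(kdfopts):
            raise ValueError("truncated kdfoptions")
        rounds = struct.unpack(">I", kdfopts[pos:pos + 4])[0]
    return {"encrypted": cipher != b"none", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": rounds}

def _ssh(data):
    """Encode bytes as an SSH string."""
    return struct.pack(">I", len(data)) + data

def constructed_key(cipher, kdf, kdfopts):
    """Constructed container with placeholder payloads, NOT a usable key."""
    blob = (MAGIC + _ssh(cipher) + _ssh(kdf) + _ssh(kdfopts)
            + struct.pack(">I", 1) + _ssh(b"placeholder-public")
            + _ssh(b"placeholder-private"))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: one unprotected header, one passphrase-protected header.
PLAIN = constructed_key(b"none", b"none", b"")
LOCKED = constructed_key(b"aes256-ctr", b"bcrypt",
                         _ssh(b"\x00" * 16) + struct.pack(">I", 16))
```

A key that reports "encrypted": False gives a single factor (possession of the file) no matter how the server is configured. Keys in the older PEM containers are rejected by this check rather than guessed at.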


