[wplug-internet] Two-factor authentication

Bryan J Smith b.j.smith at ieee.org
Tue Feb 10 19:00:52 EST 2015


Doesn't have to be a Smart Phone.
But yes, it's easier if it is.

On Tue, Feb 10, 2015 at 4:33 PM, John Lewis <oflameo2 at gmail.com> wrote:
> So is WPLUG going to buy me a smart phone and configure it not to spy on me?
>
> I think it is a bad idea.
>
> First your solution admittedly doesn't work with GNU/Linux and requires
> the use of Google Controlled Android Linux who we both are trying to
> move away from?
>
> Secondly is your password really so weak that you need another layer of
> security. If so I recommend reading this comic https://xkcd.com/936/ or
> man mkpasswd from the Expect package?
>
> Thirdly, are you willing to be responsible to get someone logged in in
> case one of the factors breaks and someone who administrates WPLUG.org
> can't log in?
>
> Fourthly, wouldn't the simple fix be encrypting the target data most of
> the data we can expunge once we have a digital system that ties people
> to email instead of their address?
>
> Fifthly, who specifically are we trying to keep out?
>
> Sixthly, wouldn't a document be more useful than a one time
> tutorial?
>
> ----
>
> Overall I don't think it is worth pursuing whatsoever. There are far lower
> hanging fruit to catch at the moment than to implement mandatory two
> factor authentication that requires a smart phone dependency. An example
> of such low hanging fruit is salting and hashing the mailing list passwords.
>
> In my opinion two factor authentication exists mainly as insurance
> against people who cannot be trusted to manage passwords and to cover
> for old systems that can't store good passwords.
>
> If you have a login and you feel the need to have two factor
> authentication right now, create an ssh key pair with an encrypted
> private key and prevent yourself from logging in without it. You don't
> even have to ask anybody to do it. It is non-disruptive, the failure of
> the setup has a very small chance of locking everyone out of the server,
> and has no smart phone dependency and can be used from your smart phone.
>
> ----
>
> To digress, why does Haiku need two factor authentication? What is there
> to steal?
>
> On 02/10/2015 03:37 PM, Justin Smith wrote:
>> I'm currently working with Joe to implement two-factor authentication via
>> oath on Haiku's OpenSUSE servers. If you attended January's GUM, you'll
>> recognize that this is the topic Pat presented on. I used his slides as a
>> guide. (Thanks, Pat!)
>>
>> Since I now understand how to install and configure oath, I'd be willing to
>> set it up on WPLUG's VPS. We store people's personal information - their
>> names, addresses, and so on - so I think the added security would be an
>> asset.
>>
>> This would require everyone with a user account to have a smartphone
>> with a properly-configured OTP application in order to log in. However, we
>> can make exceptions where appropriate. If John Doe doesn't own a
>> smartphone, we can turn off two-factor authentication for his account.
>>
>> Is this an idea worth pursuing? I'd be willing to set up oath and create a
>> short tutorial.
>>
>>
>> *Justin Smith*
>> GNU/Linux System Administrator
>>
>> /"Nothing in this world can take the place of persistence. Talent will not;
>> nothing is more common than unsuccessful people with talent. Genius will
>> not; unrewarded genius is almost a proverb. Education will not; the world is
>> full of educated derelicts."/
>>
>> /-Calvin Coolidge/



-- 
Bryan J Smith - http://www.linkedin.com/in/bjsmith

