[wplug-internet] Two-factor authentication

Vance Kochenderfer vance at happylemur.com
Wed Feb 11 01:35:16 EST 2015


You can use the GPL'd oathtool to generate OATH one-time passwords
<http://nongnu.org/oath-toolkit/oathtool.1.html>, or read the
specifications <http://www.openauthentication.org/specification> and
write your own implementation, so no proprietary software is needed.
For something more convenient, apparently the Yubikey also supports
OATH.

That said, I don't really see the additional benefit to adding this.
When implemented as a software solution, it's just an extra password
(something you know), albeit a possibly more difficult one for an
attacker to obtain depending on how the key is stored.  It's only when
implemented as a hardware-based solution where the keys are not
available to the user and admin that it truly adds a second factor
(something you have).

I do appreciate the effort you're willing to put into this, Justin.  If
you have additional points to put forward in favor, I'm all ears.  It
does seem like it might be a good idea to consider requiring public keys
or other measures for certain accounts (e.g., members of the "board" or
"wheel" groups).

Vance Kochenderfer        |  "Get me out of these ropes and into a
vance at happylemur.com      |   good belt of Scotch"    -Nick Danger

