[wplug-internet] Two-factor authentication

Joe Prostko joe.prostko at gmail.com
Wed Feb 11 11:22:01 EST 2015


On Tue, Feb 10, 2015 at 4:33 PM, John Lewis <oflameo2 at gmail.com> wrote:
>
> So is WPLUG going to buy me a smart phone and configure it not to spy on
> me?

As Justin mentioned, if it is implemented, it would be optional to
participate.

> Secondly, is your password really so weak that you need another layer of
> security? If so I recommend reading this comic https://xkcd.com/936/ or
> man mkpasswd from the Expect package?

This doesn't have anything to do with password strength.  It is just an
additional way to go about proving one's identity.  You can have a 300
character password, but if there is a keylogger present or somebody watches
you type your password or the like, then they have it and they can use it.
With a second factor, you are giving one more way to convey to the system
that you are indeed the person trying to authenticate with the system.
Yes, as you mentioned, people should be better at managing their passwords,
but well, sometimes even people that "do things right" can get bitten by
something as simple as a man-in-the-middle attack.

> Thirdly, are you willing to be responsible to get someone logged in in
> case one of the factors break and someone who administrates WPLUG.org
> can't log in?

Yes, this could be a pain.  As Pat mentioned at his talk, you can work
around this by having OTP access codes that will "always work", but to me
that isn't really a good thing to have in place, as if somebody gets your
password, there's a good chance they would get your "bail me out since the
OTP isn't working properly" access code.

> Fourthly, wouldn't the simple fix be encrypting the target data? Most of
> the data we can expunge once we have a digital system that ties people
> to email instead of their address.

I suppose that could be done, but to me it's equally important to keep
people from mucking up our system or taking the server offline.

> Fifthly, who specifically are we trying to keep out?

Honestly, probably mostly script kiddies.  I kind of doubt anybody is
actively trying to target the WPLUG systems.

> Overall I don't think it's worth pursuing whatsoever. There are far lower
> hanging fruit to catch at the moment than to implement mandatory two
> factor authentication that requires a smart phone dependency. An example
> of such low hanging fruit is salting and hashing the mailing list
> passwords.

I understand what you mean, but if it's something that can be implemented
pretty easily since the work is already done, then it's not going to cost
us a significant amount of time.

> In my opinion two factor authentication exists mainly as insurance
> against people who cannot be trusted to manage passwords and to cover
> for old systems that can't store good passwords.

As mentioned before, at the system level it has nothing to do with these
things.  It is giving higher assurance to the system that you are who you
say you are.  The more distinct factors you present to the system, the
higher probability to the system that you are who you say you are.

> If you have a login and you feel the need to have two factor
> authentication right now, create an ssh key pair with an encrypted
> private key and prevent yourself from logging in without it. You don't
> even have to ask anybody to do it. It is non-disruptive, the failure of
> the setup has a very small chance of locking everyone out of the server,
> and has no smart phone dependency and can be used from your smart phone.

True, but as Justin mentioned, then you have to carry your private key
around everywhere.  I require a key login followed by my account password
on some of the servers I run, and I admit it's a pain sometimes to realize
I can't get into the system since I don't have my private key handy on the
system I am working on at that moment.  Using OTP would make this easier
since I pretty much always have my phone around.  You do have the risk of
your phone getting stolen, but then again, you have the risk of a password
or private key getting stolen as well.

> To digress, why does Haiku need two factor authentication? What is there
> to steal?

This has nothing to do with information being stolen.  It has everything to
do with protecting the hypervisor machine since if that gets compromised,
then all of the VMs that are used for the infrastructure are then at risk.
Yes, backups are done for all servers on a daily basis, but if the
hypervisor got compromised and taken offline, then it would take some time
to get the infrastructure all back in place.  Yes, you could argue
that the servers should be spread out to prevent such disruption and I
wouldn't disagree, but well, that is how things are at the moment, since
our infrastructure has been in place well before "the cloud" became such a
mainstream thing.  There are plans to implement OTP on all of the VMs but the
Git and package repository, seeing as requiring OTP to make a commit would
make things far less convenient.  We have talked about officially hosting
our Git repository elsewhere, but we probably use more tagging than any
other open source project in existence, and Github and Bitbucket and the
like simply fall over and die when trying to handle it.  (Yes, there's a
version of our Git repo on Github, but it has the tags stripped.)  I guess
that could be argued as us doing things wrong, but all of us developers
agreed on the tagging we required when switching from SVN to Git.  Anyway,
I digress.  As Justin mentioned though, all of the servers currently
require mandatory SSH key authentication as of today, and OTP is just
adding another layer on top of that, since again, we as a project agreed it
was a good idea and we are fine with it.  It's one of the benefits of a
tightly knitted open source project where everybody knows each other by
name and generally a consensus can be reached quite quickly on a given
topic.  (That's not to say we haven't had a lot of "bikeshed" discussions.
;))

- joe
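The reply above argues two points that are easy to get wrong when an OTP second factor is bolted onto a login: a code that a keylogger or shoulder-surfer captures must be useless after the legitimate login consumes it, and the "always works" backup codes must not just be a second static password. The following is an added example written for this page, not code from WPLUG, Haiku or anyone in the thread. It implements RFC 4226 HOTP and RFC 6238 TOTP verification with a replay guard and single-use hashed backup codes; the account, secret and `login` helper are made-up stand-ins, and the password check is stubbed as a boolean because only the second factor is of interest here.

```python
import hashlib
import hmac
import secrets
import struct

# Added example for this thread, not WPLUG or Haiku code. Names below
# (SecondFactor, login) are invented for the demonstration.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


class SecondFactor:
    """Server-side state for one account's second factor."""

    def __init__(self, secret: bytes, step: int = 30, backup_count: int = 5):
        self.secret = secret
        self.step = step
        self.last_step = -1  # highest time step already accepted (replay guard)
        # Backup codes: 40 random bits each, shown to the user exactly once.
        # Only SHA-256 hashes are stored. A fast hash is acceptable here
        # because the codes are random, unlike user-chosen passwords.
        self.backup_codes = [secrets.token_hex(5) for _ in range(backup_count)]
        self._backup_hashes = {self._hash(c) for c in self.backup_codes}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step or +/- `window` steps of clock drift, but
        never a step at or below one already used: a captured code is
        worthless once the legitimate login has consumed it."""
        current = int(now) // self.step
        for drift in range(-window, window + 1):
            candidate = current + drift
            if candidate <= self.last_step:
                continue
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = candidate
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once; its hash is dropped on use."""
        h = self._hash(code)
        if h in self._backup_hashes:
            self._backup_hashes.remove(h)
            return True
        return False

    def backup_codes_left(self) -> int:
        return len(self._backup_hashes)


def login(factor: SecondFactor, password_ok: bool, second: str, now: int) -> bool:
    """Both factors must pass. The password check is a stand-in boolean;
    the second value may be a TOTP code or an unused backup code."""
    if not password_ok:
        return False
    return factor.verify_totp(second, now) or factor.verify_backup(second)


if __name__ == "__main__":
    # RFC 4226 test secret (ASCII "12345678901234567890"). A real deployment
    # generates a random one with secrets.token_bytes(20).
    secret = b"12345678901234567890"
    f = SecondFactor(secret)
    code = totp(secret, 59)  # "287082", the RFC 6238 SHA-1 vector for t=59
    print("first use:", login(f, True, code, 59))
    print("replayed: ", login(f, True, code, 59))
    print("backup:   ", f.verify_backup(f.backup_codes[0]), f.backup_codes_left())
```

The replay guard is what makes the "keylogger has my password" scenario survivable: the attacker also has the one code they saw typed, and it is already spent. The backup codes address the objection about "always work" codes only partially; they are still a secret, so the example keeps them random, hashed and single-use rather than a fixed string a password thief would find next to the password.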