Rich Freeman on 18 Aug 2012 04:40:45 -0700



Re: [PLUG] Two Factor Authentication


On Tue, Aug 14, 2012 at 2:58 PM, Matt Mossholder <matt@mossholder.com> wrote:
> On Tue, Aug 14, 2012 at 2:49 PM, Art Clemons <artclemons@aol.com> wrote:
>>
>> I noticed the following on howtogeek.  I wonder how reliable Google's
>> setup is for what amounts to a really occasional connection.

I don't see how reliability is going to be a concern here - none of
this relies on Google's infrastructure to actually run.  This is a
time-based authentication code - once you have it set up it just runs
as long as your phone works.

>> Anyone know of
>> a better technique or of possible security holes?  I for example wonder
>> about the rate limiting authentication reliability or the emergency
>> authentication to allow authentication with no cell phone.
>>

I can't see how the rate-limit wouldn't work, but you could easily
test this.  It must store the last connection attempt info locally.
Again, this doesn't use Google infrastructure.

> Of particular note is the part about moving the seed file out of the user's
> directory, and removing the user's access to it.

Unless you're doing the same thing already with the authorized_keys
file I don't see how this is a huge security improvement.  It probably
matters more for shared systems where administrators want to enforce
the use of two-factor, which I would guess is a target audience for
CentOS.

Using this for SSH is reminiscent of s/key, which tries to accomplish
something similar, but it isn't time-based.  I imagine you could find
an s/key client for android/etc and use that in a similar manner.

Rich
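The two points Rich makes above, that the code is computed purely from a shared seed and the clock with no call to Google, and that rate limiting has to rely on state the host keeps locally, can be shown with a short implementation. The following is an added example, not code from the thread, from Google Authenticator or from the howtogeek article: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only, and a small `LocalTotpVerifier` class (a name chosen here) that keeps the last accepted time step and recent failures on the verifying host. The secret is the 20-byte ASCII test-vector key from the RFCs, not a real seed.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared test-vector secret (ASCII "12345678901234567890"),
# used here so the outputs can be checked against the published vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((now - T0) / step). No network involved."""
    return hotp(secret, (unix_time - t0) // step, digits)


class LocalTotpVerifier:
    """Verifier-side state a host must keep itself: the last accepted time step
    (so a code cannot be replayed within the acceptance window) and a list of
    recent failure timestamps used for a simple local rate limit."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_failures: int = 3, lockout: int = 60):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock skew
        self.max_failures = max_failures
        self.lockout = lockout          # seconds a failure counts against the limit
        self.last_accepted_step = -1
        self.failures: list[int] = []

    def verify(self, candidate: str, unix_time: int) -> bool:
        # Local rate limit: too many recent failures -> refuse without checking.
        self.failures = [t for t in self.failures if unix_time - t < self.lockout]
        if len(self.failures) >= self.max_failures:
            return False
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= self.last_accepted_step:
                continue                # already consumed: reject replay of a seen step
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, candidate):   # constant-time compare
                self.last_accepted_step = step
                self.failures.clear()
                return True
        self.failures.append(unix_time)
        return False


if __name__ == "__main__":
    # Published RFC 6238 vector: T=59 with SHA-1 and 8 digits gives 94287082.
    print(totp(SECRET, 59, digits=8))
    v = LocalTotpVerifier(SECRET)
    now = 1_000_000
    code = totp(SECRET, now)
    print(v.verify(code, now), v.verify(code, now))   # True, then False (replay)
```

The verifier accepts a code once per time step and forgets nothing to a remote service; an SSH PAM module doing the same job would simply persist `last_accepted_step` and the failure timestamps in a local file, which is the "last connection attempt info" the post refers to.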
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug