Re: two-factor OTP systems

[Gary Dobbins <dobbins () ND EDU>]

Just yesterday someone showed me a slick new offering in the OTP keyfob space.
yubico.com, it's a relatively new product but seems to be gaining traction, especially in Europe (it is based in 
Sweden).

Looks like a thin tab of plastic, but has USB prongs on one end, a button in the middle, and hangs on a keychain.  When 
inserted in a USB port, the computer sees it as a USB keyboard, and when you press the button it "types" a very long 
text password based on a private key.  The leading characters of the password are fixed, which permits linking it to an 
account (userID).  You operate (or buy time from) a backend authentication server that can tell if the hash just typed 
is valid for that ID.

I can't offer any substantive endorsement, having used it only once, but I would definitely give it a look.  When you 
consider things like how it will withstand a run through someone's washing machine, this looks like a survivor.


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Dalton
> Sent: Thursday, April 02, 2009 3:41 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] two-factor OTP systems
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> Has anyone explored Phone Factor (www.phonefactor.com) for this
> purpose?
>  It has many of these advantages, but I don't know enough about it
> to
> get a good measure of the risks.
>
> - --
> Matthew Dalton
> Director of Information Security
> Office of Information Technology
> Ohio University
> Phone: 740-597-1914
>
> Tyler T. Schoenke wrote:
> > Gary,
> >
> > I agree with you about using cell phones for two-factor
> authentication.
> >   I think that is the most practical solution for most vendors.
> Like
> > you said, high-risk environments will want to continue using
> token
> > devices.
> >
> > I recall hearing about China using cell phone text messages to
> > authenticate credit card transactions.  When someone makes a
> purchase,
> > the vendor swipes the card, and the credit card company texts an
> > authorization code to that person's phone.  They tell the code to
> the
> > vendor, who keys it back in to complete the transaction.  So if
> someone
> > steals your credit card info, they can't use it without also
> stealing
> > your cell phone.
> >
> > I think the big advantage with text messages is that you can have
> thirty
> > higher-risk accounts all sending texts to your cell phone.  That
> is much
> > nicer than carrying around thirty tokens.
> >
> > Tyler
> >
> > --
> > Tyler Schoenke
> > IT Security Office
> > University of Colorado - Boulder
> >
> >
> > Gary Flynn wrote:
> > > jeff murphy wrote:
> > > > I'm looking for experiences/recommendations on two-factor OTP
> systems
> > > > suitable for plugging into RADIUS and/or Active Directory.
> > > >
> > > > I'd be particularly interested in systems that can use
> smartphones as
> > > > the token generator. Google lead me to:
> > > >
> > > > http://www.deepnetsecurity.com/products2/MobileID.asp
> > > >
> > > > but I haven't found much else on that front.
> > >
> > > Did you get any other responses? I'm interested in using
> > > phones too. I ran across the following a while back but
> > > I'm getting ready to start looking again...
> > >
> > > http://www.phonefactor.com/
> > > http://motp.sourceforge.net/
> > >
> > > There is a lot of stuff on the net now
> http://www.google.com/search?q=cell+phone+authentication&hl=en&star
> t=30&sa=N
> > > It seems to me using cellphones that most people carry
> > > these days as a second factor would do a lot to get
> > > rid of reusable passwords at a reasonable cost with
> > > a lot less impact than singe use token devices. This would
> > > be particularly useful for populations and applications
> > > where mandating a more traditional two factor system
> > > where justification was marginal.
> > >
> > > I know the cell phone based schemes aren't as strong as
> > > traditional 2-factor but if they're more likely to be
> > > implemented and stop 98% of the problems with reusable
> > > passwords, what's not to like? Stronger methods can be
> > > reserved for those applications where that 2% poses a
> > > high risk.
> > >
> > > Heck, even I finally broke down and got a cell phone
> > > a couple years ago when I said I never would. Now
> > > I'm looking for a smart phone (actually a mobile
> > > computer with voice capabilities). :)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAknVFMkACgkQVKUofGqW+tyVTACg3DRMkUg2euMwwCwADgLEAdfF
> ySkAoLm/JCurQV5K+/DocIXTVpNp0dWF
> =lSq3
> -----END PGP SIGNATURE-----