Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: "Tyler T. Schoenke" <Tyler.Schoenke () COLORADO EDU>
Date: Thu, 2 Apr 2009 12:49:53 -0600
WARNING: The following message makes use of the word "PASSWORD" and may be an attempt to obtain your password. Texas Tech University employees or students should never request password information from you for any reason. In accordance with TTU IT Security Policies (http://www.depts.ttu.edu/infotech/security), you must not reveal your password information to anyone. If you believe that the message below is an attempt to steal your password, forward this message to security () ttu edu and do not respond to this message.

Gary,

I agree with you about using cell phones for two-factor authentication. I think that is the most practical solution for most vendors. Like you said, high-risk environments will want to continue using token devices.

I recall hearing about China using cell phone text messages to authenticate credit card transactions. When someone makes a purchase, the vendor swipes the card, and the credit card company texts an authorization code to that person's phone. They tell the code to the vendor, who keys it back in to complete the transaction. So if someone steals your credit card info, they can't use it without also stealing your cell phone.

I think the big advantage with text messages is that you can have thirty higher-risk accounts all sending texts to your cell phone. That is much nicer than carrying around thirty tokens.

Tyler

--
Tyler Schoenke
IT Security Office
University of Colorado - Boulder

Gary Flynn wrote:
> jeff murphy wrote:
>> I'm looking for experiences/recommendations on two-factor OTP systems suitable for plugging into RADIUS and/or Active Directory. I'd be particularly interested in systems that can use smartphones as the token generator. Google led me to:
>>
>> http://www.deepnetsecurity.com/products2/MobileID.asp
>>
>> but I haven't found much else on that front.
>
> Did you get any other responses? I'm interested in using phones too. I ran across the following a while back but I'm getting ready to start looking again...
>
> http://www.phonefactor.com/
> http://motp.sourceforge.net/
>
> There is a lot of stuff on the net now
>
> http://www.google.com/search?q=cell+phone+authentication&hl=en&start=30&sa=N
>
> It seems to me using cellphones that most people carry these days as a second factor would do a lot to get rid of reusable passwords at a reasonable cost with a lot less impact than single use token devices. This would be particularly useful for populations and applications where mandating a more traditional two factor system where justification was marginal.
>
> I know the cell phone based schemes aren't as strong as traditional 2-factor but if they're more likely to be implemented and stop 98% of the problems with reusable passwords, what's not to like? Stronger methods can be reserved for those applications where that 2% poses a high risk.
>
> Heck, even I finally broke down and got a cell phone a couple years ago when I said I never would. Now I'm looking for a smart phone (actually a mobile computer with voice capabilities). :)
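The text-message authorization flow described in the message above, sketched from the issuer's side as an added example that is not part of the original thread. It goes beyond the described flow by adding expiry, an attempt cap and binding of the code to the card and amount; the class name, the `send_sms` callable and the limits are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is voided (assumed value)


class SmsAuthorizer:
    """Issuer side: one pending code per transaction, kept only as a keyed hash."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text); stand-in for an SMS gateway
        self._clock = clock
        self._key = secrets.token_bytes(32)
        self._pending = {}          # txn_id -> [digest, expires_at, attempts_left]

    def _digest(self, txn_id, card, amount_cents, code):
        # Bind the code to this card and amount so it cannot approve another charge.
        msg = f"{txn_id}|{card}|{amount_cents}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, card, amount_cents, phone):
        """Vendor swiped the card: text a fresh six-digit code to the cardholder."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = [self._digest(txn_id, card, amount_cents, code),
                                 self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Code {code} authorizes {amount_cents / 100:.2f} "
                              f"on card ending {card[-4:]}")
        return txn_id

    def confirm(self, txn_id, card, amount_cents, code):
        """Vendor keyed the code back in: approve at most once, and only in time."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[txn_id]
            return False
        if hmac.compare_digest(digest, self._digest(txn_id, card, amount_cents, code)):
            del self._pending[txn_id]   # single use: a replayed code finds nothing
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[txn_id]   # too many wrong guesses: void the code
        return False
```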