Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Thu, 23 Apr 2009 07:12:26 -0500
jeff murphy wrote:

> On Apr 22, 2009, at 3:54 PM, Russell Fulton wrote:
>
> > That's not to say that there are some applications where this model may work well -- password resets for instance?
>
> This article gives me pause about password resets via SMS.
>
> http://computerworld.co.nz/news.nsf/netw/E307500B690918D2CC25759F006D7622?
>
> I'd like to ask what model people use for deploying 2F OTP systems:
>
> 1) associate the OTP mechanism to an account, after which that account must use the FOB to gain access to any/all services.
>
> 2) associate the OTP mechanism to a service, meaning that any account needing to access the service must use OTPs but can use a traditional password for other services.
>
> We're debating which model is best for the end user. The first model means the end user doesn't have to remember when to use the FOB, but could make using services that frequently (re-)login (such as IMAP) tedious to use (we're speculating). The second model requires that the user remember (or be given a hint) that they need to use the FOB for some services and not others.
From my years (and years!) of experience as postmaster here, IMAP clients behave differently with respect to logins.

Most clients, including Thunderbird, login to the IMAP server only during the initial connection. As long as activity is seen, e.g., automated "check for new messages", from the client before the IMAP server's idle timeout value expires, the session remains "logged in".

Outlook (used to call it Lookout here) is different and behaves more like a POP client in that it logs in each time the "check for new messages" timer trips.

Depending upon your IMAP client distribution, this particular example may be a non-issue.

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
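The following is an added worked example, not part of any message in this thread. It models the point Ken makes above: under the per-account model (model 1 in Jeff's question) every IMAP LOGIN costs the user an OTP, so the number of prompts per day depends on whether the client keeps one session alive (Thunderbird-style) or re-authenticates on every "check for new messages" timer trip (Outlook-style), and on how the poll interval compares with the server's idle timeout. The client profiles, the 24-hour window, and the set of OTP-protected services used for model 2 are constructed assumptions for illustration, not measured behaviour of any product.

```python
"""Estimate how many IMAP logins, and therefore OTP prompts, a mail client
generates per day under the two deployment models discussed in the thread.

Added illustration; the profiles and numbers below are constructed, not
measurements of real clients or servers.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ClientProfile:
    name: str
    check_interval_min: int   # how often "check for new messages" fires
    reuses_session: bool      # True: stays logged in while the session lives


# Constructed profiles reflecting the two behaviours described in the thread.
THUNDERBIRD_LIKE = ClientProfile("Thunderbird-like", check_interval_min=10, reuses_session=True)
OUTLOOK_LIKE = ClientProfile("Outlook-like", check_interval_min=10, reuses_session=False)

# Model 2 (per-service OTP): an assumed, constructed set of services that
# require the FOB; everything else accepts a traditional password.
OTP_SERVICES_MODEL2 = frozenset({"vpn", "admin-console"})


def count_logins(client: ClientProfile, server_idle_timeout_min: int, hours: int = 24) -> int:
    """Return the number of IMAP LOGINs the client performs in `hours`.

    The initial connection counts as the first poll. A session-reusing
    client then stays logged in as long as each poll arrives before the
    server's idle timeout expires; if the poll interval is at least the
    timeout, the server drops the session and every poll logs in again.
    A non-reusing client logs in on every poll regardless.
    """
    polls = (hours * 60) // client.check_interval_min
    if not client.reuses_session:
        return polls                      # one LOGIN per timer trip
    if client.check_interval_min < server_idle_timeout_min:
        return 1                          # initial login only; polls keep the session alive
    return polls                          # session times out between polls; re-login each time


def otp_prompts(model: int, service: str, logins: int) -> int:
    """OTP prompts implied by `logins` under model 1 (per-account) or
    model 2 (per-service, using the constructed OTP_SERVICES_MODEL2 set)."""
    if model == 1:
        return logins
    if model == 2:
        return logins if service in OTP_SERVICES_MODEL2 else 0
    raise ValueError(f"unknown model {model!r}")


def daily_otp_summary(server_idle_timeout_min: int) -> dict:
    """Prompts per day for IMAP, for each constructed client, under both models."""
    summary = {}
    for client in (THUNDERBIRD_LIKE, OUTLOOK_LIKE):
        logins = count_logins(client, server_idle_timeout_min)
        summary[client.name] = {
            "logins": logins,
            "model1_prompts": otp_prompts(1, "imap", logins),
            "model2_prompts": otp_prompts(2, "imap", logins),
        }
    return summary


if __name__ == "__main__":
    for name, row in daily_otp_summary(server_idle_timeout_min=30).items():
        print(f"{name}: {row}")
```

Changing the server's idle timeout or the client's poll interval in `daily_otp_summary` shows the edge case Ken alludes to: a session-reusing client whose poll interval is longer than the server timeout behaves, for OTP purposes, exactly like the per-poll client.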
Current thread:
- Re: two-factor OTP systems, (continued)
- Re: two-factor OTP systems Tyler T. Schoenke (Apr 02)
- Re: two-factor OTP systems Tyler T. Schoenke (Apr 02)
- Re: two-factor OTP systems Matthew Dalton (Apr 02)
- Re: two-factor OTP systems Gary Dobbins (Apr 02)
- Re: two-factor OTP systems Kevin Schmidt (Apr 03)
- Re: two-factor OTP systems Nick Lewis (Apr 11)
- Re: two-factor OTP systems Russell Fulton (Apr 22)
- Re: two-factor OTP systems Dexter Caldwell (Apr 22)
- Re: two-factor OTP systems jeff murphy (Apr 22)
- Re: two-factor OTP systems Greg Vickers (Apr 22)
- Re: two-factor OTP systems Ken Connelly (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Chris Gauthier (Jun 13)