Educause Security Discussion mailing list archives

Re: two-factor OTP systems


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Thu, 23 Apr 2009 07:12:26 -0500

jeff murphy wrote:

On Apr 22, 2009, at 3:54 PM, Russell Fulton wrote:

That's not to say that there are some applications where this model
may work well -- password resets for instance?

This article gives me pause about password resets via SMS.

http://computerworld.co.nz/news.nsf/netw/E307500B690918D2CC25759F006D7622?

I'd like to ask what model people use for deploying 2F OTP systems:

1) associate the OTP mechanism to an account, after which that account
must use the FOB to gain access to any/all services.

2) associate the OTP mechanism to a service, meaning that any account
needing to access the service must use OTPs but can use traditional
password for other services.


We're debating which model is best for the end user. The first model
means the end user doesn't have to remember when to use the FOB, but
could make using services that frequently (re-)login (such as IMAP)
tedious to use (we're speculating). The second model requires that the
user remember (or be given a hint) that they need to use the FOB for
some services and not others.

From my years (and years!) of experience as postmaster here, IMAP
clients behave differently with respect to logins.  Most clients,
including Thunderbird, login to the IMAP server only during the initial
connection.  As long as activity is seen, e.g., automated "check for new
messages", from the client before the IMAP server's idle timeout value
expires, the session remains "logged in".  Outlook (used to call it
Lookout here) is different and behaves more like a POP client in that it
logs in each time the "check for new messages" timer trips.  Depending
upon your IMAP client distribution, this particular example may be a
non-issue.

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373