Re: two-factor OTP systems

[Gary Flynn <flynngn () JMU EDU>]

jeff murphy wrote:
> I'm looking for experiences/recommendations on two-factor OTP systems
> suitable for plugging into RADIUS and/or Active Directory.
>
> I'd be particularly interested in systems that can use smartphones as
> the token generator. Google lead me to:
>
> http://www.deepnetsecurity.com/products2/MobileID.asp
>
> but I haven't found much else on that front.


Did you get any other responses? I'm interested in using
phones too. I ran across the following a while back but
I'm getting ready to start looking again...

http://www.phonefactor.com/
http://motp.sourceforge.net/

There is a lot of stuff on the net now
http://www.google.com/search?q=cell+phone+authentication&hl=en&start=30&sa=N

It seems to me using cellphones that most people carry
these days as a second factor would do a lot to get
rid of reusable passwords at a reasonable cost with
a lot less impact than singe use token devices. This would
be particularly useful for populations and applications
where mandating a more traditional two factor system
where justification was marginal.

I know the cell phone based schemes aren't as strong as
traditional 2-factor but if they're more likely to be
implemented and stop 98% of the problems with reusable
passwords, what's not to like? Stronger methods can be
reserved for those applications where that 2% poses a
high risk.

Heck, even I finally broke down and got a cell phone
a couple years ago when I said I never would. Now
I'm looking for a smart phone (actually a mobile
computer with voice capabilities). :)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature