Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: Kevin Schmidt <kps () UCSB EDU>
Date: Fri, 3 Apr 2009 13:36:39 -0700
I've been looking into OTP, and while I'm not even close to deployment, there are a couple of things I found interesting.

One is the OATH (OpenAuthentication) <http://www.openauthentication.org/> standardization effort. OATH's HOTP (RFC4226) algorithm is implemented by multiple hardware/software vendors, such as the MobileID product. A rudimentary J2ME client (e.g. for BlackBerry) is available from DS3 at <http://dsssasia.com/cms/index.php?option=com_content&task=view&id=71>. Hardware tokens are available from various companies, including e.g. Authenex; the A-3600 <http://www.authenex.com/authenex-products/akey-token-3600.html> seems decent. Using OATH HOTP provides some flexibility to mix-and-match tokens, or switch vendors as needed. Unfortunately, most hardware token vendors do not make it easy to order a few tokens for R&D/evaluation purposes.

The Yubico <http://www.yubico.com> tokens don't have a battery to worry about, so as long as you have an available USB port and the host operating system isn't confused by another HID keyboard this is a convenient device. Simply touch the token for a couple of seconds and the OTP is entered, very simple and no problems with transcription errors. Yubico deserves credit for making lots of software (source) available for all aspects of these tokens, including the software to program tokens with new shared secrets. Tokens may be ordered through their web store in any quantity, and list pricing is cheaper than other hardware tokens -- no battery or LCD must help pricing.

Depending on your RADIUS server, requiring a PIN in addition to the OTP can add a layer of security. We're using Radiator <http://www.open.com.au/radiator/index.html> as a RADIUS server, and it has built-in support for Vasco; HOTP can be invoked via PAM and the Tri-ID OTP server. FreeRADIUS has HOTP support as provided by Tri-ID, which was a vendor of tokens and may be out of business.
I'm looking for a more supportable HOTP back-end for Radiator, though the fact that Radiator comes as perl source should allow us to develop our own if needed.

Kevin

On Tuesday 31 March 2009, jeff murphy wrote:

I'm looking for experiences/recommendations on two-factor OTP systems suitable for plugging into RADIUS and/or Active Directory. I'd be particularly interested in systems that can use smartphones as the token generator. Google led me to: http://www.deepnetsecurity.com/products2/MobileID.asp but I haven't found much else on that front.

jeff
--
Kevin Schmidt
Office of Information Technology
University of California, Santa Barbara
North Hall 2124
Santa Barbara, CA 93106-3201
805-893-7779
805-893-5051 FAX
kps () ucsb edu
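The OATH HOTP (RFC 4226) algorithm Kevin mentions, together with the server-side counter handling and the PIN-plus-OTP scheme he describes for a RADIUS back-end, as an added illustration that is not code from this thread, from Radiator, or from any vendor named above. It assumes the PIN is sent as a prefix of the OTP in one password field and uses the RFC 4226 reference secret and test vectors; the look-ahead window size is an arbitrary choice.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Per-token server state: shared secret, PIN and last accepted counter.

    A look-ahead window tolerates codes the user generated but never
    submitted (e.g. the token button pressed by accident), while any
    counter at or below the last accepted one is treated as a replay.
    Window size 10 is an assumption, not a value from the thread."""

    def __init__(self, secret: bytes, pin: str, window: int = 10):
        self.secret = secret
        self.pin = pin
        self.window = window
        self.counter = -1  # nothing accepted yet; first valid counter is 0

    def verify(self, submitted: str) -> bool:
        """Check a 'PIN + OTP' password string; advance the counter on success."""
        pin_part, otp = submitted[: len(self.pin)], submitted[len(self.pin):]
        if not hmac.compare_digest(pin_part, self.pin):
            return False
        # Only counters strictly after the last accepted one are candidates,
        # so a previously used code can never be accepted again.
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c
                return True
        return False
```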