Educause Security Discussion mailing list archives

Re: two-factor OTP systems


From: Kevin Schmidt <kps () UCSB EDU>
Date: Fri, 3 Apr 2009 13:36:39 -0700

I've been looking into OTP, and while I'm not even close to deployment,
there are a couple of things I found interesting.  One is the OATH
(OpenAuthentication) <http://www.openauthentication.org/>
standardization effort.  OATH's HOTP (RFC4226) algorithm is implemented
by multiple hardware/software vendors, such as the MobileID product.  A
rudimentary J2ME client (e.g. for BlackBerry) is available from DS3 at
<http://dsssasia.com/cms/index.php?option=com_content&task=view&id=71>.
Hardware tokens are available from various companies, including e.g.
Authenex; the A-3600
<http://www.authenex.com/authenex-products/akey-token-3600.html> seems
decent.  Using OATH HOTP provides some flexibility to mix-and-match
tokens, or switch vendors as needed.  Unfortunately, most hardware
token vendors do not make it easy to order a few tokens for
R&D/evaluation purposes.

The Yubico <http://www.yubico.com> tokens don't have a battery to worry
about, so as long as you have an available USB port and the host
operating system isn't confused by another HID keyboard this is a
convenient device.  Simply touch the token for a couple of seconds and
the OTP is entered, very simple and no problems with transcription
errors.  Yubico deserves credit for making lots of software (source)
available for all aspects of these tokens, including the software to
program tokens with new shared secrets.  Tokens may be ordered through
their web store in any quantity, and list pricing is cheaper than other
hardware tokens -- no battery or LCD must help pricing.

Depending on your RADIUS server, requiring a PIN in addition to the OTP
can add a layer of security.  We're using Radiator
<http://www.open.com.au/radiator/index.html> as a RADIUS server, and it
has built-in support for Vasco; HOTP can be invoked via PAM and the
Tri-ID OTP server.  FreeRADIUS has HOTP support as provided by Tri-ID,
which was a vendor of tokens and may be out of business.  I'm looking
for a more supportable HOTP back-end for Radiator, though the fact that
Radiator comes as perl source should allow us to develop our own if
needed.

Kevin

On Tuesday 31 March 2009, jeff murphy wrote:
I'm looking for experiences/recommendations on two-factor OTP systems
suitable for plugging into RADIUS and/or Active Directory.

I'd be particularly interested in systems that can use smartphones as
the token generator. Google led me to:

http://www.deepnetsecurity.com/products2/MobileID.asp

but I haven't found much else on that front.

jeff



--
Kevin Schmidt
Office of Information Technology
University of California, Santa Barbara
North Hall 2124
Santa Barbara, CA 93106-3201
805-893-7779
805-893-5051 FAX
kps () ucsb edu
