Educause Security Discussion mailing list archives

Re: two-factor OTP systems


From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Wed, 22 Apr 2009 17:57:17 -0400


On Apr 22, 2009, at 3:54 PM, Russell Fulton wrote:

  That's not to say that there are some applications where this model
  may work well -- password resets for instance?



This article gives me pause about password resets via SMS.

http://computerworld.co.nz/news.nsf/netw/E307500B690918D2CC25759F006D7622?



I'd like to ask what model people use for deploying 2F OTP systems:

1) associate the OTP mechanism to an account, after which that account
must use the FOB to gain access to any/all services.

2) associate the OTP mechanism to a service, meaning that any account
needing to access the service must use OTPs but can use traditional
password for other services.


We're debating which model is best for the end user. The first model
means the end user doesn't have to remember when to use the FOB, but
could make using services that frequently (re-)login (such as IMAP)
tedious to use (we're speculating). The second model requires that the
user remember (or be given a hint) that they need to use the FOB for
some services and not others.

We don't have actual experience in using OTPs, so we're basically
speculating about what the pitfalls of deploying it might be. Feedback
from people who've been through this is very welcome!


jeff
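As an added illustration (not code from this thread or from any campus system), the two models above expressed as an authorization policy, with a per-client grace window so a client that re-logins constantly, such as IMAP, is not prompted for a fresh OTP on every connection. The service names, the 600-second window and the `otp_ok` flag standing in for a real OTP check are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example. Model 1 binds the OTP to the account; model 2
# binds it to the service. Values below are assumptions, not real policy.
GRACE_SECONDS = 600                    # assumed re-login grace window (IMAP concern)
OTP_SERVICES = {"vpn", "hr-portal"}    # assumed model-2 services that demand OTP


@dataclass(frozen=True)
class Account:
    name: str
    otp_enrolled: bool                 # model 1: this account has a FOB


def otp_required(account: Account, service: str, model: int) -> bool:
    """Decide whether this login needs an OTP under the chosen model."""
    if model == 1:
        return account.otp_enrolled    # every service, once the account is enrolled
    if model == 2:
        return service in OTP_SERVICES # only the services marked as OTP-only
    raise ValueError("model must be 1 or 2")


class Authenticator:
    def __init__(self, model: int):
        self.model = model
        self._recent = {}              # (account, client_id) -> time of last good OTP

    def login(self, account, service, client_id, now, password_ok, otp_ok=None):
        """Return 'allow', 'deny' or 'need-otp'. otp_ok stands in for a real
        OTP verification; None means the client has not supplied one yet."""
        if not password_ok:
            return "deny"
        if not otp_required(account, service, self.model):
            return "allow"
        key = (account.name, client_id)
        last = self._recent.get(key)
        if last is not None and now - last < GRACE_SECONDS:
            return "allow"             # recent OTP from this client: no new prompt
        if otp_ok is None:
            return "need-otp"          # tell the client to supply a FOB code
        if not otp_ok:
            self._recent.pop(key, None)  # failed OTP also ends any grace
            return "deny"
        self._recent[key] = now        # grace is per client, so it does not
        return "allow"                 # extend to other devices of the same user
```

The grace window trades a short period of password-only re-logins from one client for usability; keep it short and keyed per client, and log the decision so the trade-off is visible.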



