Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Wed, 22 Apr 2009 17:57:17 -0400
On Apr 22, 2009, at 3:54 PM, Russell Fulton wrote:
That not to say that there are some applications where this model may work well -- password resets for instance?
This article gives me pause about password resets via SMS. http://computerworld.co.nz/news.nsf/netw/E307500B690918D2CC25759F006D7622? I'd like to ask what model people use for deploying 2F OTP systems: 1) associate the OTP mechanism to an account, after which that account must use the FOB to gain access to any/all services. 2) associate the OTP mechanism to a service, meaning that any account needing to access the service must use OTPs but can use traditional password for other services. We're debating which model is best for the end user. The first model means the end user doesn't have to remember when to use the FOB, but could making using services that frequently (re-)login (such as IMAP) tedious to use (we're speculating). The second model requires that the user remember (or be given a hint) that they need to use the FOB for some services and not others. We don't have actual experience in using OTPs, so we're basically speculating about what the pitfalls of deploying it might be. Feedback from people who've been through this is very welcome! jeff
Attachment:
smime.p7s
Description:
Current thread:
- Re: two-factor OTP systems, (continued)
- Re: two-factor OTP systems jeff murphy (Apr 02)
- Re: two-factor OTP systems jeff murphy (Apr 02)
- Re: two-factor OTP systems Tyler T. Schoenke (Apr 02)
- Re: two-factor OTP systems Tyler T. Schoenke (Apr 02)
- Re: two-factor OTP systems Matthew Dalton (Apr 02)
- Re: two-factor OTP systems Gary Dobbins (Apr 02)
- Re: two-factor OTP systems Kevin Schmidt (Apr 03)
- Re: two-factor OTP systems Nick Lewis (Apr 11)
- Re: two-factor OTP systems Russell Fulton (Apr 22)
- Re: two-factor OTP systems Dexter Caldwell (Apr 22)
- Re: two-factor OTP systems jeff murphy (Apr 22)
- Re: two-factor OTP systems Greg Vickers (Apr 22)
- Re: two-factor OTP systems Ken Connelly (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Chris Gauthier (Jun 13)