Educause Security Discussion mailing list archives

Re: two-factor OTP systems


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 23 Apr 2009 10:53:01 +1000

Hi all,

jeff murphy wrote:

> <snip>
>
> I'd like to ask what model people use for deploying 2F OTP systems:
>
> 1) associate the OTP mechanism to an account, after which that account
> must use the FOB to gain access to any/all services.
>
> 2) associate the OTP mechanism to a service, meaning that any account
> needing to access the service must use OTPs but can use traditional
> password for other services.

We are about to do a trial of an OTP product, and due to RADIUS
configuration problems, will be using the OTP code on the VPN access
point, then getting users to use their normal username/password
credentials to access resources behind the VPN.  (Not ideal, but for <10
people for the duration of the pilot.)

During the pilot period, we anticipate resolving the RADIUS problem, so
that access to the VPN will be username, then OTP code and password all
in the password field (since the OTP is always six digits long).  This
is the two-factors-to-gain-access method that we aimed for at the start
of this pilot.

We're debating which model is best for the end user. The first model
means the end user doesn't have to remember when to use the FOB, but
could make using services that frequently (re-)login (such as IMAP)
tedious to use (we're speculating). The second model requires that the
user remember (or be given a hint) that they need to use the FOB for
some services and not others.

We are only going to deploy two factor to the 'crown jewels', assets or
resources which should have an extra factor to protect them, making them
harder to attack.  We do not anticipate deploying 2FA to any service
that is accessed by general staff.  So user education about when to use
the 2FA access method should be manageable.

We don't have actual experience in using OTPs, so we're basically
speculating about what the pitfalls of deploying it might be. Feedback
from people who've been through this is very welcome!

I would also like to hear any feedback :)

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
