Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 23 Apr 2009 10:53:01 +1000
Hi all,

jeff murphy wrote:
<snip>
> I'd like to ask what model people use for deploying 2F OTP systems:
> 1) associate the OTP mechanism to an account, after which that account must use the FOB to gain access to any/all services.
> 2) associate the OTP mechanism to a service, meaning that any account needing to access the service must use OTPs but can use traditional password for other services.
We are about to do a trial of an OTP product, and due to RADIUS configuration problems, will be using the OTP code on the VPN access point, then getting users to use their normal username/password credentials to access resources behind the VPN. (Not ideal, but for <10 people for the duration of the pilot.) During the pilot period, we anticipate resolving the RADIUS problem, so that access to the VPN will be username, then OTP code and password all in the password field (since the OTP is always six digits long). This is the two-factors-to-gain-access method that we aimed for at the start of this pilot.
We're debating which model is best for the end user. The first model means the end user doesn't have to remember when to use the FOB, but could make services that frequently (re-)login (such as IMAP) tedious to use (we're speculating). The second model requires that the user remember (or be given a hint) that they need to use the FOB for some services and not others.
We are only going to deploy two factor to the 'crown jewels', assets or resources which should have an extra factor to protect them, making them harder to attack. We do not anticipate deploying 2FA to any service that is accessed by general staff. So user education about when to use the 2FA access method should be manageable.
We don't have actual experience in using OTPs, so we're basically speculating about what the pitfalls of deploying it might be. Feedback from people who've been through this is very welcome!
I would also like to hear any feedback :)

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
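The "OTP code and password all in the password field" arrangement Greg describes works because the OTP has a fixed length: the server strips the last six digits off the submitted password field, checks the remaining static password, then checks the OTP. The following is an added example of that server-side split, written for this archive page and not code from the post or from any RADIUS or OTP product. The OTP is computed per RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30-second step); the user record, salt, password and the 30-second step are constructed values for the example, and the `last_counter` replay guard is this example's own addition.

```python
"""Added example (not from the post): split a RADIUS password field that carries
'static password' + 'six-digit OTP', then verify both factors."""
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6   # the post says the OTP is always six digits long
TOTP_STEP = 30   # assumed time step (RFC 6238 default); hypothetical for this example


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(now: int, step: int = TOTP_STEP) -> int:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return now // step


def split_password_field(field: str, digits: int = OTP_DIGITS):
    """'hunter2123456' -> ('hunter2', '123456'); None if there is no 6-digit suffix
    or nothing would be left for the static password."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (hypothetical values, not taken from the post).
USERS = {
    "greg": {
        "salt": b"example-salt",
        "pw_hash": hash_password("hunter2", b"example-salt"),
        "otp_secret": b"12345678901234567890",  # RFC 6238 SHA-1 test-vector seed
        "last_counter": -1,                      # highest counter already accepted
    }
}


def verify(username: str, field: str, now: int, window: int = 1) -> bool:
    """Check 'password' + 'OTP' submitted as one field against the user record."""
    user = USERS.get(username)
    parts = split_password_field(field)
    if user is None or parts is None:
        return False
    password, otp = parts
    # First factor: constant-time compare of the password hash.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    # Second factor: accept the current step or +/- window steps for clock drift,
    # but never a counter at or below the last accepted one, so a captured
    # password+OTP string cannot be replayed inside the same time step.
    base = totp_counter(now)
    for counter in range(base - window, base + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["otp_secret"], counter), otp):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    t = int(time.time())
    code = hotp(USERS["greg"]["otp_secret"], totp_counter(t))
    print(verify("greg", "hunter2" + code, t))  # True
    print(verify("greg", "hunter2" + code, t))  # False: same OTP replayed
```

The replay guard is worth noting against the IMAP concern in the post: a client that re-authenticates every few seconds with the same cached password+OTP string will be refused until the next 30-second step, so per-service OTP (the second model) or a session-based mechanism behind the VPN is what makes frequently re-logging-in services workable.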