Educause Security Discussion mailing list archives
Re: two-factor OTP systems
From: Chris Gauthier <cgauthie () PCC EDU>
Date: Sat, 13 Jun 2009 22:15:32 -0700
Gary,

Steve Gibson (of grc.com) does a very in-depth review of the Yubikey and how he found it at the 2008 RSA Conference. He talked about it in Show 143. He has continual updates on it over time.

http://www.grc.com/securitynow.htm -or- http://twit.tv/sn143

It is a fabulous little key that can work for both OTP and static passwords. The OTP password is 64 characters and generated using a 256-bit AES encryption algorithm. As explained to me, each character of the OTP generated falls in the character set of /[0-9a-zA-Z]/; there is something about only 4 bits of each character being used. It was a while ago that I looked up that explanation, so I'm very rusty on it.

It's big enough of an item now that Google is using it for authentication to Google Apps. TrueCrypt is also using it. In fact, Yubico made a small modification to their firmware to better accommodate Yubikeys.

There are several payware utilities out there for integrating Yubikey OTPs into AD. I have not looked at them. The keys themselves are cheap though. I bought 2 at $25/ea to try out. Apparently, they do have volume discounts.

I have not yet put it into production, mostly because I have not found the right application in my environment. I think they would be good for VPNs, though.

Sorry this is so late of a response. I have not kept up on the list as much as I like.

Chris Gauthier
Network Administrator
MaPS Credit Union
Salem, OR 97309

#### Disclaimer ####
I do NOT work for Portland Community College anymore. Opinions expressed are mine alone and I am not a vendor trying to sell or advertise any products on any mailing lists. I appreciate the tolerance of the Educause community to my infrequent postings with the occasional question or experience to share. I learn a lot from this group and will not abuse that privilege.
####

Gary Dobbins wrote:
Just yesterday someone showed me a slick new offering in the OTP keyfob space. yubico.com, it's a relatively new product but seems to be gaining traction, especially in Europe (it is based in Sweden).

Looks like a thin tab of plastic, but has USB prongs on one end, a button in the middle, and hangs on a keychain. When inserted in a USB port, the computer sees it as a USB keyboard, and when you press the button it "types" a very long text password based on a private key. The leading characters of the password are fixed, which permits linking it to an account (userID). You operate (or buy time from) a backend authentication server that can tell if the hash just typed is valid for that ID.

I can't offer any substantive endorsement, having used it only once, but I would definitely give it a look. When you consider things like how it will withstand a run through someone's washing machine, this looks like a survivor.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Dalton
Sent: Thursday, April 02, 2009 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] two-factor OTP systems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Has anyone explored Phone Factor (www.phonefactor.com) for this purpose? It has many of these advantages, but I don't know enough about it to get a good measure of the risks.

- --
Matthew Dalton
Director of Information Security
Office of Information Technology
Ohio University
Phone: 740-597-1914

Tyler T. Schoenke wrote:

Gary,

I agree with you about using cell phones for two-factor authentication. I think that is the most practical solution for most vendors. Like you said, high-risk environments will want to continue using token devices.

I recall hearing about China using cell phone text messages to authenticate credit card transactions. When someone makes a purchase, the vendor swipes the card, and the credit card company texts an authorization code to that person's phone. They tell the code to the vendor, who keys it back in to complete the transaction. So if someone steals your credit card info, they can't use it without also stealing your cell phone.

I think the big advantage with text messages is that you can have thirty higher-risk accounts all sending texts to your cell phone. That is much nicer than carrying around thirty tokens.

Tyler
--
Tyler Schoenke
IT Security Office
University of Colorado - Boulder

Gary Flynn wrote:

jeff murphy wrote:

I'm looking for experiences/recommendations on two-factor OTP systems suitable for plugging into RADIUS and/or Active Directory. I'd be particularly interested in systems that can use smartphones as the token generator. Google led me to: http://www.deepnetsecurity.com/products2/MobileID.asp but I haven't found much else on that front.

Did you get any other responses? I'm interested in using phones too. I ran across the following a while back but I'm getting ready to start looking again...

http://www.phonefactor.com/
http://motp.sourceforge.net/

There is a lot of stuff on the net now
http://www.google.com/search?q=cell+phone+authentication&hl=en&start=30&sa=N

It seems to me using cellphones that most people carry these days as a second factor would do a lot to get rid of reusable passwords at a reasonable cost with a lot less impact than single use token devices. This would be particularly useful for populations and applications where mandating a more traditional two factor system where justification was marginal. I know the cell phone based schemes aren't as strong as traditional 2-factor but if they're more likely to be implemented and stop 98% of the problems with reusable passwords, what's not to like? Stronger methods can be reserved for those applications where that 2% poses a high risk.

Heck, even I finally broke down and got a cell phone a couple years ago when I said I never would. Now I'm looking for a smart phone (actually a mobile computer with voice capabilities). :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknVFMkACgkQVKUofGqW+tyVTACg3DRMkUg2euMwwCwADgLEAdfF
ySkAoLm/JCurQV5K+/DocIXTVpNp0dWF
=lSq3
-----END PGP SIGNATURE-----
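The scheme Gary and Chris describe above (a fixed public prefix that links the typed string to an account, followed by a secret-derived dynamic part that a backend server checks, with the server tracking a counter so that a captured OTP cannot be replayed) can be modelled compactly. The following is an added example, not code from the list, from Yubico or from any product named in the thread: the real YubiKey OTP carries an AES-encrypted counter block in Yubico's "modhex" encoding, whereas this model uses RFC 4226 HOTP for the dynamic part so that it runs with the Python standard library alone. The prefix length, digit count, look-ahead window, account names and secrets are all constructed values chosen for illustration.

```python
"""Model of a prefix-linked, counter-based OTP validation server.

Constructed example (not Yubico's code): the first PREFIX_LEN characters of
what the key "types" are a fixed public identifier used to look up the
account; the rest is an HOTP value over the token's press counter. The
server only accepts counters strictly greater than the last one it has
seen for that account, which is what defeats replay of a sniffed OTP.
"""
import hashlib
import hmac
import struct

PREFIX_LEN = 12   # length of the fixed public identifier (assumption)
DIGITS = 8        # length of the dynamic part (assumption)
LOOKAHEAD = 10    # presses the server tolerates from a token used offline (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Client side: what the key emits each time its button is pressed."""

    def __init__(self, public_id: str, secret: bytes):
        if len(public_id) != PREFIX_LEN:
            raise ValueError("public id must be %d characters" % PREFIX_LEN)
        self.public_id = public_id
        self.secret = secret
        self.counter = 0          # advances on every press, never repeats

    def press(self) -> str:
        self.counter += 1
        return self.public_id + hotp(self.secret, self.counter)


class OTPServer:
    """Backend side: maps public ids to secrets and last-accepted counters."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, public_id: str, user: str, secret: bytes) -> None:
        self.accounts[public_id] = {"user": user, "secret": secret, "last": 0}

    def verify(self, otp: str):
        """Return (accepted, reason, user). Reasons are constructed labels."""
        if len(otp) != PREFIX_LEN + DIGITS:
            return False, "bad-length", None
        public_id, code = otp[:PREFIX_LEN], otp[PREFIX_LEN:]
        if not (code.isascii() and code.isdigit()):
            return False, "bad-format", None
        acct = self.accounts.get(public_id)
        if acct is None:
            return False, "unknown-id", None
        # Only counters after the last accepted one are candidates, so a
        # previously accepted OTP (or any older one) can never validate again.
        for c in range(acct["last"] + 1, acct["last"] + 1 + LOOKAHEAD):
            if hmac.compare_digest(hotp(acct["secret"], c), code):
                acct["last"] = c      # resynchronise to the token's counter
                return True, "ok", acct["user"]
        return False, "invalid-or-replayed", acct["user"]


if __name__ == "__main__":
    srv = OTPServer()
    key = b"constructed-secret-0001"           # constructed demo secret
    tok = Token("ccccccbhjkln", key)           # constructed public id
    srv.enroll("ccccccbhjkln", "alice", key)
    first = tok.press()
    print(srv.verify(first))                   # accepted
    print(srv.verify(first))                   # same OTP again: rejected
```

The two properties a defender cares about are visible in `verify`: the account is selected by the fixed prefix before any secret is touched, and the counter window starts one past the last accepted value, so an OTP captured by a keylogger or a shoulder-surfer is worthless once the legitimate one has been used. The `hmac.compare_digest` call keeps the comparison constant-time; the look-ahead window is a trade-off between tolerating offline presses and how much work an attacker's guess costs the server.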
Current thread:
- Re: two-factor OTP systems, (continued)
- Re: two-factor OTP systems Gary Dobbins (Apr 02)
- Re: two-factor OTP systems Kevin Schmidt (Apr 03)
- Re: two-factor OTP systems Nick Lewis (Apr 11)
- Re: two-factor OTP systems Russell Fulton (Apr 22)
- Re: two-factor OTP systems Dexter Caldwell (Apr 22)
- Re: two-factor OTP systems jeff murphy (Apr 22)
- Re: two-factor OTP systems Greg Vickers (Apr 22)
- Re: two-factor OTP systems Ken Connelly (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Dexter Caldwell (Apr 23)
- Re: two-factor OTP systems Chris Gauthier (Jun 13)