Re: two-factor OTP systems

[Chris Gauthier <cgauthie () PCC EDU>]

Gary,

Steve Gibson (of grc.com) does a very in-depth review of the Yubikey and
how he found it at the 2008 RSA Conference.  He talked about it in Show
143.  He has continual updates on it over time.

http://www.grc.com/securitynow.htm -or- http://twit.tv/sn143

It is a fabulous little key that can work for both OTP and static
passwords.  The OTP password is 64 characters and generated using a
256-bit AES encryption algorithm.  As explained to me, each character of
the OTP generated falls in the character set of /[0-9a-zA-Z]/, there is
something about only 4 bits of each character being used.  It was a
while ago that I looked up that explanation, so I'm very rusty on it.

It's big enough of an item now that Google is using it for
authentication to Google Apps.  TrueCrypt is also using it.  In fact,
Yubico made a small modification to their firmware to better accommodate
Yubikeys.  There are several payware utilities out there for integrating
Yubikey OTP's into AD.  I have not looked at them.  The keys themselves
are cheap though.  I bought 2 at $25/ea to try out.  Apparently, they do
have volume discounts.  I have not yet put it into production, mostly
because I have not found the right application in my environment.  I
think they would be good for VPNs, though.

Sorry this is so late of a response.  I have not kept up on the list as
much as I like.

Chris Gauthier
Network Administrator
MaPS Credit Union
Salem, OR 97309

#### Disclaimer ####
I do NOT work for Portland Community College anymore.  Opinions
expressed are mine alone and I am not a vendor trying to sell or
advertise any products on any mailing lists.  I appreciate the tolerance
of the Educause community to my infrequent postings with the occasional
question or experience to share.  I learn a lot from this group and will
not abuse that privilege.
####


Gary Dobbins wrote:
> Just yesterday someone showed me a slick new offering in the OTP keyfob space.
> yubico.com, it's a relatively new product but seems to be gaining traction, especially in Europe (it is based in 
> Sweden).
>
> Looks like a thin tab of plastic, but has USB prongs on one end, a button in the middle, and hangs on a keychain.  When inserted 
> in a USB port, the computer sees it as a USB keyboard, and when you press the button it "types" a very long text 
> password based on a private key.  The leading characters of the password are fixed, which permits linking it to an account 
> (userID).  You operate (or buy time from) a backend authentication server that can tell if the hash just typed is valid for that 
> ID.
>
> I can't offer any substantive endorsement, having used it only once, but I would definitely give it a look.  When you 
> consider things like how it will withstand a run through someone's washing machine, this looks like a survivor.
>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Dalton
> > Sent: Thursday, April 02, 2009 3:41 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] two-factor OTP systems
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > All,
> >
> > Has anyone explored Phone Factor (www.phonefactor.com) for this
> > purpose?
> >  It has many of these advantages, but I don't know enough about it
> > to
> > get a good measure of the risks.
> >
> > - --
> > Matthew Dalton
> > Director of Information Security
> > Office of Information Technology
> > Ohio University
> > Phone: 740-597-1914
> >
> > Tyler T. Schoenke wrote:
> >
> > > Gary,
> > >
> > > I agree with you about using cell phones for two-factor
> > authentication.
> >
> > >   I think that is the most practical solution for most vendors.
> > Like
> >
> > > you said, high-risk environments will want to continue using
> > token
> >
> > > devices.
> > >
> > > I recall hearing about China using cell phone text messages to
> > > authenticate credit card transactions.  When someone makes a
> > purchase,
> >
> > > the vendor swipes the card, and the credit card company texts an
> > > authorization code to that person's phone.  They tell the code to
> > the
> >
> > > vendor, who keys it back in to complete the transaction.  So if
> > someone
> >
> > > steals your credit card info, they can't use it without also
> > stealing
> >
> > > your cell phone.
> > >
> > > I think the big advantage with text messages is that you can have
> > thirty
> >
> > > higher-risk accounts all sending texts to your cell phone.  That
> > is much
> >
> > > nicer than carrying around thirty tokens.
> > >
> > > Tyler
> > >
> > > --
> > > Tyler Schoenke
> > > IT Security Office
> > > University of Colorado - Boulder
> > >
> > >
> > > Gary Flynn wrote:
> > >
> > > > jeff murphy wrote:
> > > >
> > > > > I'm looking for experiences/recommendations on two-factor OTP
> > systems
> >
> > > > > suitable for plugging into RADIUS and/or Active Directory.
> > > > >
> > > > > I'd be particularly interested in systems that can use
> > smartphones as
> >
> > > > > the token generator. Google lead me to:
> > > > >
> > > > > http://www.deepnetsecurity.com/products2/MobileID.asp
> > > > >
> > > > > but I haven't found much else on that front.
> > > > Did you get any other responses? I'm interested in using
> > > > phones too. I ran across the following a while back but
> > > > I'm getting ready to start looking again...
> > > >
> > > > http://www.phonefactor.com/
> > > > http://motp.sourceforge.net/
> > > >
> > > > There is a lot of stuff on the net now
> > http://www.google.com/search?q=cell+phone+authentication&hl=en&star
> > t=30&sa=N
> >
> > > > It seems to me using cellphones that most people carry
> > > > these days as a second factor would do a lot to get
> > > > rid of reusable passwords at a reasonable cost with
> > > > a lot less impact than singe use token devices. This would
> > > > be particularly useful for populations and applications
> > > > where mandating a more traditional two factor system
> > > > where justification was marginal.
> > > >
> > > > I know the cell phone based schemes aren't as strong as
> > > > traditional 2-factor but if they're more likely to be
> > > > implemented and stop 98% of the problems with reusable
> > > > passwords, what's not to like? Stronger methods can be
> > > > reserved for those applications where that 2% poses a
> > > > high risk.
> > > >
> > > > Heck, even I finally broke down and got a cell phone
> > > > a couple years ago when I said I never would. Now
> > > > I'm looking for a smart phone (actually a mobile
> > > > computer with voice capabilities). :)
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.9 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iEYEARECAAYFAknVFMkACgkQVKUofGqW+tyVTACg3DRMkUg2euMwwCwADgLEAdfF
> > ySkAoLm/JCurQV5K+/DocIXTVpNp0dWF
> > =lSq3
> > -----END PGP SIGNATURE-----