Educause Security Discussion mailing list archives

Re: password vs pass-phrase


From: "Flynn, Gerald" <flynngn () JMU EDU>
Date: Fri, 19 Mar 2010 13:25:21 -0400

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Friday, March 19, 2010 10:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Friday, March 19, 2010 12:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase

On 19/03/2010, at 1:51 PM, Eric Case wrote:

Why not some of the smart phone stuff like the VeriSign's VIP for Mobile
<http://www.verisign.com/authentication/two-factor-authentication/vip-access-for-mobile>?
No reader to buy, no card to purchase.

Based on SMS?

No.  It's an app that runs on the phone.  Basically the app turns your
phone into a key fob.




There are open source options too:

http://motp.sourceforge.net/



And open source server side stuff:

http://code.google.com/p/mod-authn-otp/
http://code.google.com/p/mod-authn-otp/wiki/Tokens
  (includes list of OATH hardware and software tokens that will 
   work with it without proprietary vendor server software)
  I wonder how hard it would be to make the user file an indirect
  pointer to an LDAP lookup



And integration points http://motp.sourceforge.net/#6 including:

  Radius (VPN OTP auth anyone?)
  Mobile-OTP PAM 
  OpenID http://www.clavid.com/index.php?option=com_content&task=view&id=124&Itemid=157&lang=en



Which brings up interesting integration possibilities:

OpenID for Apache http://www.packetizer.com/security/openid/
OpenID for .NET  http://www.dotnetopenauth.net/
Certification of Identity Providers http://openidentityexchange.org/certification-process
Shibboleth OpenID Identity Provider https://spaces.internet2.edu/display/SHIB2/IdP+OpenID



It just keeps getting better and better :)
