The WiKID Blog

The WiKID Blog, musings on two-factor authentication, information security and some other stuff.

5 issues enterprises should consider before using Google Authenticator for SSH

Posted by: admin 5 years, 7 months ago

There's been a plethora of blog posts on how to add Google Authenticator to SSH on Linux.  Two-factor authentication for SSH is a great, great idea. no doubt about it.  We've done SSH tutorials at least since 2007, some earlier.   If you are adding two-factor authentication to your home server or single server, then Authenticator is a fine choice.  However, if you are a business or an organization with more than one server, you should consider these 5 issues before proceeding:

Are we royally screwing up two-factor authentication

Posted by: admin 5 years, 7 months ago

One of our stated goals has always been to help get rid of passwords (alright,  reduce their prevalence).  They aren't secure enough and are a big pain for the end user.  Attempts to make them stronger, such as 60 day expirations and complexity requirements, make them much much worse.  

I have watched as a number of attacks have shown the weaknesses and hacks have exposed personal data and yet there was no movement for change until Mat Honan's attack.  Then all of the sudden, OMG, we all need two-factor auth and shame on those services that do not provide it.  Web services started adding two-factor authentication and there's even a web site listing which services do and shaming those that don't offer two-factor. There's a full-on rush to two-factor all the things. 

So what's my problem?  We are *adding* two-factor authentication.  We aren't getting rid of passwords at all.  Users now typically login with their usernames and password and are then prompted to authorize the access (as with Twitter, though I haven't been prompted for that in a long while) or to enter an OTP (as with Amazon's EC2).

Even most corporate sysadmins struggle with this concept. Most assume that you need to perform authorization against AD or LDAP using both the username and static password and that the OTP should be an additional process.  This is not case since Windows Server 2008 and IAS for Windows and never for RADIUS/LDAP.  IAS (now NPS) will do the authorization in AD based on the username alone.  If authorization passes, then the username and OTP are proxied to the authentication server as per the RADIUS standard.  Yet many admins still want both an AD password and OTP. If the OTP encompasses both factors then asking for the AD password is just more of the same factor, more risk that the password will be compromised and more hassle for your users.

In addition to being weak, passwords are huge pain in the ass.  We should be taking advantage of this opportunity to vastly improve authentication and we are not.

Getting the most out of your two-factor authentication

Posted by: admin 5 years, 8 months ago

New Amazon AMI for the Open-source Community Edition

Posted by: admin 5 years, 8 months ago

Thanks to the good people at packer.io,  we are creating a whole new set of virtual appliances for the WiKID Two-factor Authentication server.

New WiKID Chrome app software token released

Posted by: admin 5 years, 8 months ago

WiKID continues to advance two-factor authentication by creating the first software tokens for new platforms (fat lot of good the Mobitex Blackberry token did us).

• Page 17 of 134
• ←
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• →