Viewing posts tagged Two Factor Authentication
X2Go on CentOS
Posted by: admin 10 years, 6 months ago
I recently did a tutorial on how to add two-factor authentication to X2Go via pam-radius on Ubuntu. I've been playing with X2Go since then on CentOS. I've released the packer.io scripts that I used to create my X2Go virtual boxes on GitHub. In addition, since Packer can output AMIs, we've released a public AMI of the output. It is ami-c854d7a0 (based on a RightScale image).
Update Bash if you are running OpenVPN
Posted by: admin 10 years, 7 months ago
You can see the details about the attack. All of the OpenVPN tutorials we have done use "auth-user-pass-verify" on the server, which makes the client prompt for a username and password and hands them to a verification script on the server. The exploit can be delivered as part of the username, and that script runs before the user has been authenticated.
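As an added example (not part of the original post), here are the two checks that follow from the paragraph above: whether the local bash still imports function definitions from environment variables the way the attack needs, and whether an OpenVPN server config passes the client-supplied username and password to its verify script through environment variables (the "via-env" method) rather than through a temporary file ("via-file"). It assumes `bash`, `awk` and `mktemp` are on the path; the server.conf it writes and the /etc/openvpn/radius-auth.sh path are constructed for the example. Updating bash remains the fix; the config audit only tells you which servers were exposed.

```shell
#!/bin/sh
# Added example, not from the original post. The sample config and the
# /etc/openvpn/radius-auth.sh path are constructed for this example.

# (1) Classic probe. A fixed bash only imports the function body from the
# environment; an unfixed bash also executes the trailing command while it
# imports the environment. Returns 0 (true) when bash executed it,
# 1 otherwise (including when bash is not installed).
bash_is_vulnerable() {
    probe=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null || true)
    case "$probe" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# (2) Report how a server config ($1) passes credentials to its verify script.
# "via-env" exports the unverified username and password as environment
# variables of the script, which is the path the attack uses; "via-file"
# writes them to a temporary file instead. Prints "via-env", "via-file",
# "missing" (directive present without a method) or "none".
verify_method() {
    awk '
        $1 == "auth-user-pass-verify" { found = 1; method = ($3 == "") ? "missing" : $3 }
        END { print (found ? method : "none") }
    ' "$1"
}

# Writes a constructed server.conf using the requested method ($1) to a
# temporary file and prints its path.
sample_config() {
    f=$(mktemp)
    cat >"$f" <<EOF
port 1194
proto udp
dev tun
# script-security 2 is what allows OpenVPN to run an external verify script
script-security 2
auth-user-pass-verify /etc/openvpn/radius-auth.sh $1
EOF
    echo "$f"
}

if bash_is_vulnerable; then
    echo "bash on this host is vulnerable: update it before anything else"
else
    echo "bash on this host did not execute the probe"
fi
cfg=$(sample_config via-env)
echo "sample config passes credentials $(verify_method "$cfg")"
rm -f "$cfg"
```

Run `verify_method /etc/openvpn/server.conf` against your real config; any server that reports "via-env" was reachable by an unauthenticated client while its bash was unpatched.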
More on the security concerns for SSH and Key Management
Posted by: admin 10 years, 9 months ago
We've blogged previously about the potential compliance issues around SSH keys and about the risks of poor SSH key management. A recent Forrester survey (PDF warning!) revealed:
Are we royally screwing up two-factor authentication
Posted by: admin 10 years, 9 months ago
One of our stated goals has always been to help get rid of passwords (alright, reduce their prevalence). They aren't secure enough and are a big pain for the end user. Attempts to make them stronger, such as 60-day expirations and complexity requirements, make them much, much worse. I have watched a number of attacks show their weaknesses and breaches expose personal data, yet there was no movement for change until Mat Honan's attack. Then, all of a sudden, OMG, we all need two-factor auth and shame on those services that do not provide it. Web services started adding two-factor authentication, and there is even a web site listing which services offer two-factor and shaming those that don't. There's a full-on rush to two-factor all the things.
So what's my problem? We are *adding* two-factor authentication. We aren't getting rid of passwords at all. Users now typically log in with their username and password and are then prompted to authorize the access (as with Twitter, though I haven't been prompted for that in a long while) or to enter an OTP (as with Amazon's EC2).
Even most corporate sysadmins struggle with this concept. Most assume that they need to perform authorization against AD or LDAP using both the username and the static password, and that the OTP should be an additional process. This has not been the case since Windows Server 2008 and IAS for Windows, and it has never been the case for RADIUS/LDAP. IAS (now NPS) will do the authorization in AD based on the username alone. If authorization passes, the username and OTP are proxied to the authentication server as per the RADIUS standard. Yet many admins still want both an AD password and an OTP. If the OTP already encompasses both factors, then asking for the AD password as well is just more of the same factor: more risk that the password will be compromised and more hassle for your users.
In addition to being weak, passwords are a huge pain in the ass. We should be taking advantage of this opportunity to vastly improve authentication, and we are not.
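The proxied request described above, as an added example that is not code from the original post or from WiKID: the RADIUS Access-Request a proxy such as NPS forwards to the OTP server carries only User-Name and the OTP, hidden in User-Password per RFC 2865 section 5.2, so no AD password needs to travel at all. The example also adds and checks the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret), which a practitioner should require on every Access-Request; without it the request is forgeable in transit. It assumes PAP (User-Password), since CHAP and EAP encode the credential differently; the shared secret, NAS-Identifier, username and OTP are constructed values.

```python
"""Added example (not code from the original post or from WiKID): build the
RADIUS Access-Request a proxy forwards to the OTP server, then check it the
way the OTP server would. User-Password hiding follows RFC 2865 5.2 (PAP);
Message-Authenticator follows RFC 2869 5.14. All values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16, then XOR each chunk with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator.
    This is obfuscation keyed by the shared secret, not real encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (receiver side); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(username: bytes, otp: bytes, secret: bytes, nas_id: bytes,
                         identifier: int = 0, authenticator: bytes = None) -> bytes:
    """Proxy side. Only User-Name and the OTP (in User-Password) travel; the OTP
    already carries both factors. Message-Authenticator is HMAC-MD5 over the
    whole packet, keyed with the shared secret, computed with its value zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(otp, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    length = 20 + len(attrs) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),
                   hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value}; rejects inconsistent lengths instead of over-reading."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    if pos != length:
        raise ValueError("truncated attribute")
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed in place. A missing
    attribute counts as failure: without it the request is forgeable."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False


def otp_server_receive(packet: bytes, secret: bytes):
    """OTP server side: check integrity first, then recover (user, otp).
    Returns None for a packet that fails the Message-Authenticator check."""
    if not verify_message_authenticator(packet, secret):
        return None
    attrs = parse_attributes(packet)
    return attrs[ATTR_USER_NAME], reveal_password(attrs[ATTR_USER_PASSWORD], secret, packet[4:20])


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed
    request = build_access_request(b"alice", b"48213976", SECRET, b"nps-proxy-01", identifier=7)
    print(otp_server_receive(request, SECRET))  # (b'alice', b'48213976')
```

Note that the only thing protecting the OTP on the wire is the shared secret and an unpredictable Request Authenticator, and the only thing protecting the request from modification is the Message-Authenticator; configure both ends to require it.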
Our big list of two-factor authentication tutorials
Posted by: admin 11 years, 1 month ago
There's a great new site promoting the use of two-factor authentication by various web services: http://twofactorauth.org/.