Presentation is loading. Please wait.

Presentation is loading. Please wait.

Two-factor authentication

Published byBrett Hubbard Modified over 6 years ago

Similar presentations

Presentation on theme: "Two-factor authentication"— Presentation transcript:

1 Two-factor authentication
Ian Durkacz Development Meeting, 20th August 2014

2 Project #279 ‘Examine the options for two-factor authentication’
general statement of overall aspiration InitialCallForRequirements an attempt to unpick the above

3 General requirements Anything we provide has to be: Simple to use
Optional: whether or not users want to be involved is up to them Client platform independent (Question: in view of recent discussions here, are we including mobile phones, tablets etc. in the list of clients we undertake to support?)

4 One specific idea: Yubikey
Hardware OTP generator Presents as a USB keyboard – so works on anything which has a USB port Easy for people to use; cheap – US$20 each Several possible modes of operation: Default: embeds an ever-increasing integer into an encrypted packet. Both Yubikey and the remote authentication server know the symmetric encryption key OATH-HOTP also supported More info:

5 Yubikey and ssh (1/2) Using Yubikey in default mode, this is working (cue demo …) Could be deployed on staff.ssh etc. Simple to use Optional per user (via pam_succeed_if) Client platform independent agnostic (but: does require USB)

6 Yubikey and ssh (2/2) ‘... could be deployed on staff.ssh etc ...’
In practice, in default mode need to: Integrate (Yubikey serial number, uuid) pairs in LDAP Describe Yubikey users as a (net)group Have procedures to maintain the above Have procedures to allocate the actual Yubikeys [Important] Set up an Inf authentication server Further wrangle with Yubico s/w builds to support the above

7 That’s all great, but: Assumption is that user’s password has been compromised, so: If Yubikey/ssh is to be useful, then we need all external access to be similarly restricted: Cosign (definitely feasible; required effort not clear) OpenVPN (don’t know about this) Git? Subversion? CVS? Anything/everything else we might ever use. I might need some help here ...

8 My questions Does Yubikey/ssh as presented here solve (any of) our actual requirements? Do we want to proceed with this? It will require further investment in time – probably not just by me. Should we be looking for a solution which also covers things like mobile phones? Configuring support for Yubikeys in OATH-HOTP mode (rather than default mode) might get us that – but needs work and testing.

Download ppt "Two-factor authentication"

Similar presentations

McAfee One Time Password

McAfee One Time Password
The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.
Mobility Extension Gain competitive edge for yourself and comfort for your customers.

Mobility Extension Gain competitive edge for yourself and comfort for your customers.
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.

Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
6000 Series Recorders. The Best Paperless Graphic Recorder in the World.

6000 Series Recorders. The Best Paperless Graphic Recorder in the World.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.
User Adoption Issues Server Admin Fundamentals Solutions to User Adoption Issues.

User Adoption Issues Server Admin Fundamentals Solutions to User Adoption Issues.
Apache Triplesec: Strong (2-factor)

Apache Triplesec: Strong (2-factor)
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
VPN: An Easy Software / Appliance Solution for Remote Access Robert Gulick, EdD DBA/Technology Trainer Parma City School District

VPN: An Easy Software / Appliance Solution for Remote Access Robert Gulick, EdD DBA/Technology Trainer Parma City School District
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.

OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.

0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.
Feasibility Study.

Feasibility Study.
Chapter 9 How Do Users Share Computer Files?. What is a File Server A (central) computer which stores files which can be accessed by network users.

Chapter 9 How Do Users Share Computer Files?. What is a File Server A (central) computer which stores files which can be accessed by network users.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
User Access to Router Securing Access.

User Access to Router Securing Access.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)

All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
Case Study.  Client needed to build data collection agents for various mobile platform  This needs to be integrated with the existing J2ee server 

Case Study.  Client needed to build data collection agents for various mobile platform  This needs to be integrated with the existing J2ee server 
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.

Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
SharePoint in the Education Space Presented by: Daniel Petersen Director of Business Solutions Applied Tech.

SharePoint in the Education Space Presented by: Daniel Petersen Director of Business Solutions Applied Tech.

Similar presentations

Ads by Google