You didn't specify for what you'd use the two-factor authentication. Generally, any two-factor solution is only as strong as its seed (serial) protection. If someone compromises the seed database your two-factor is worthless. Arguably worse, since you may *think* you're secure when you aren't.
RSA SecurID has already been hacked once and all their token seeds stolen ( http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise ). Symantec also has to have your seed. Both are susceptible to a future breach compromising YOUR security. If you don't think this is likely, consider that multiple "secure" root CAs have been compromised. A huge database of token seeds is a VERY high-profile target. And it's happened once already!

Symantec's VIP solution (and RSA soft tokens) require you to initialize the token somehow. That is another attack vector. For example, I email the token seed to a user. They fail to purge it from their email. An attacker later compromises their email. Now the attacker can create (multiple) duplicate tokens.

Even if you get the seed into a smartphone token application securely, smartphones are incapable of protecting installed token seeds. There are exploits that allow extracting a seed from flash with physical access.

An attacker seeing the token code onscreen is low risk because there is a very small time window to exploit it. However, anything on-screen is suspect with products like VideoGhost out there ( http://acehackware.com/products/videoghost ). In a targeted attack (where you have wifi) you can even combine it with an Eye-Fi card for auto-upload of the captured images. Malware often does the same thing.

Grim picture, isn't it? Of course you have to trust someone with your seed if you want to authenticate with two-factor on the Internet. Then hope for the best.

Internally, though, there are alternatives. The best solution I've seen is to use a YubiKey ( http://www.yubico.com/products/yubikey-hardware/yubikey/ ). Set up a private server with no external access. Then re-initialize (with a private OTP) and assign your YubiKeys to users. Unfortunately you'll have to integrate your own PAM module for *NIX authentication. This puts the security of your two-factor authentication squarely in your own hands, for better or worse.
-Adrian

On Jan 11, 2013, at 8:41 AM, Bryan Ramirez <[email protected]> wrote:

> At work we're having a discussion about 2-factor authentication. We're comparing the traditional RSA token with Symantec's VIP Access solution.
>
> The upside with the RSA token seems to be that it has a token that is completely separate from your environment that displays the one-time portion of your password. However, it requires that you manage the logistics of dealing with and tracking the physical tokens.
>
> The Symantec VIP solution allows you to download a client for your phone, Mac, or PC that displays the one-time portion of your password.
>
> My hesitation with the Symantec solution is that it's most convenient to download the client onto the computer you'll be using to access your environment. How much of a risk is this? Is this really two-factor authentication at this point, realistically speaking... or is the risk of someone screengrabbing your password too far out there?
>
> -Bryan
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
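Added example, not part of Adrian's or Bryan's messages: a minimal RFC 4226/6238 HOTP/TOTP implementation that makes the "seed is everything" point concrete. The one-time code is a pure function of (seed, time), so the issuing vendor, the user's token and anyone who copied the enrolment seed out of a mailbox all compute identical codes, and the server cannot tell a cloned token from the real one. The seed below is the published 20-byte ASCII test secret from the RFCs (a constructed value, not anyone's real token); the function names are mine.

```python
"""Added example: TOTP as a deterministic function of (seed, time).

Shows why a leaked seed database silently defeats the second factor: a
second device initialised from a copy of the same seed produces codes the
server accepts, indistinguishable from the legitimate token's codes.
"""
import hashlib
import hmac
import struct
import time

# Constructed seed: the 20-byte ASCII test secret from RFC 4226 / RFC 6238.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift.
    Uses a constant-time comparison so the check itself leaks nothing."""
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


def clone_passes_verification(seed: bytes, unix_time: int) -> bool:
    """Model the seed-leak scenario from the thread: a token initialised from
    a *copy* of the seed (e.g. an enrolment e-mail that was never purged)
    generates a code the server accepts. Nothing beyond the seed is needed."""
    cloned_seed = bytes(seed)  # the copy; deliberately identical to the original
    return verify_totp(seed, totp(cloned_seed, unix_time), unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("legitimate token code:", totp(DEMO_SEED, now))
    print("code from cloned seed: ", totp(bytes(DEMO_SEED), now))
    print("server accepts clone:  ", clone_passes_verification(DEMO_SEED, now))
```

The defensive takeaway matches Adrian's: rotating codes every 30 seconds limits what a screen-grabbed code is worth, but does nothing about a copied seed, so seed custody (who holds it, how it is enrolled, where it is stored) is the control that matters.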
