I agree with Tom (because not doing so is hazardous to one's career), but something I've been meaning to play around with is hooking https://code.google.com/p/google-authenticator/ into ssh.
It's not "enterprisey," but it does serve to make this sort of thing accessible to anyone who wants to take the time to set it up. Unfortunately, I don't have a use case for it yet…

Regards,
Corey Quinn

On Jan 11, 2013, at 11:02 AM, Tom Limoncelli <[email protected]> wrote:

> I haven't used those two specific products but I'm in favor of
> whatever system requires people to NOT carry yet another device. That
> is, the VIP solution with the phone app.
>
> Security and convenience are often at odds with each other. We,
> sysadmins, often want the absolutely most cryptographically secure
> thing in the land (closed device). However the phone app may be
> slightly less secure (do you really trust a phone not to be hacked?)
> but the fact that people always have it with them more than exceeds
> the loss of security. There is a big difference between 97% secure
> with a device that people like and 99% secure with a device people
> hate, forget to bring to work, lose, etc. That extra 1% is not worth
> it.* If you are currently at security level "suck" and you have to
> choose between "awesome + users like it" and "awesomer + users hate
> it", either one puts you in a better position than you were before.
>
> Tom
>
> * For most enterprises. Obviously YMMV.
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
