On 2013 Jan 11, at 15:13 , Corey Quinn wrote:

> Right.
>
> The problem with that is that as the admin, you can't enforce that users set
> a passphrase, or remove it later in time from the private key. The idea with
> two factor is that they definitely have the device / application you sent
> home with them, without being able to disable it for convenience.
>
> You can also add the passphrase to your ssh keyring so you don't have to type
> it each time, which is neither here nor there. :-)
You can also write your SecurID PIN on your keyfob, or put it on a sticky note on the back of the credit-card-style token. That's how I used to see the tokens literally handed out. There is no security so foolproof as to avoid the problem between keyboard and chair.

A SecurID token is nothing but a fancy way of validating a seed. That seed is rehashed each minute and the user has to type in the hash (if you'll let me abuse the mathematics behind the PRNG), but it is no longer a secret how the seed translates into the displayed number. The whole "something you have that cannot be copied" is a myth today. The real goal of multi-factor authentication is to limit the damage of a compromise.

The more I work in security, the more I am discouraged by the options in authentication. We are facing increasingly sophisticated attacks, even if done by script kiddies, and a repeat of the SecurID attack seems likely in the future, along with techniques to bypass the longer PIN.

At this point, I feel that getting user cooperation is our best bet for security. If the users want to cooperate, if we make it not a burden for them, they'll follow good practices much more readily, and even help us with efforts to validate that they are complying. If we make it a nuisance, like SecurID does with the one-time use (for users who need to log in to 20+ systems at once to repair a major app outage), they will bypass things just to get their job done.

Sorry for the rant.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
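The message above describes a hardware token as "a fancy way of validating a seed": a per-minute code derived from a secret that, once copied, lets anyone reproduce the display. The following is an added example, not code from the thread or from RSA. It uses the RFC 6238 TOTP construction (HMAC-SHA1 over a time-step counter, truncated to digits) as a stand-in for the SecurID algorithm, which is a different, vendor-specific design; the 60-second step, the six-digit width, the PIN handling and the seed value are all constructed assumptions for illustration. It shows the server-side check with a drift window and the consequence the post draws: a stolen seed plus a PIN yields an accepted login, and a longer PIN only slows the attacker who lacks the seed.

```python
"""Added example: a TOTP-style token and verifier, standing in for SecurID.

Not the SecurID algorithm (assumption for illustration). Demonstrates that
the code shown on a token is a pure function of (seed, time), so whoever
holds the seed file holds the "something you have" factor.
"""
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 4226/6238 test-vector secret, ASCII
# "12345678901234567890"); a real seed would be provisioned per token.
SAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 60  # the post describes a code that changes once a minute (assumption)


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code displayed during the time step that contains `unix_time`.

    HMAC-SHA1 over the big-endian 64-bit step counter, dynamically truncated
    (RFC 4226 section 5.3) and reduced to `digits` decimal digits.
    """
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(seed: bytes, candidate: str, unix_time: int, pin: str, expected_pin: str,
           window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: correct PIN plus a code from the current step or
    its `window` neighbours (tolerates clock drift between token and server).

    Constant-time comparisons avoid leaking how many PIN or code characters
    matched. Note what the PIN does not do: once the seed is known, the
    attacker computes the code half exactly as the token does.
    """
    if not hmac.compare_digest(pin.encode(), expected_pin.encode()):
        return False
    for delta in range(-window, window + 1):
        expected = totp_code(seed, unix_time + delta * step, step)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return True
    return False


if __name__ == "__main__":
    now = 1_357_938_780  # constructed timestamp near the thread's date (2013-01-11)
    shown = totp_code(SAMPLE_SEED, now)          # what the legitimate token displays
    stolen = totp_code(SAMPLE_SEED, now)         # what a seed-file thief computes: identical
    print("token displays:                     ", shown)
    print("attacker with stolen seed computes: ", stolen)
    print("accepted with stolen seed + PIN:    ", verify(SAMPLE_SEED, stolen, now, "1234", "1234"))
    print("rejected with stolen seed, bad PIN: ", verify(SAMPLE_SEED, stolen, now, "0000", "1234"))
```

With `step=30` and eight digits the function reproduces the RFC 6238 SHA-1 test vectors (for example time 59 gives 94287082), which is a convenient way to check a reimplementation before trusting it in a verifier.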
