If you have a passphrase on your private key (as one should), would that
not be considered something you know as well?
On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning <lann...@lanning.cc> wrote:
> I have only implemented RSA, but I will be doing a bit of research on this
> topic shortly.
> For my current job we'll be needing MFA for a secure environment, in the
> next couple of months. They won't be able to afford RSA.
> But I do need to note that PKI key+Duo is not MFA. (Something you have +
> Something you have)
> MFA is Multi Factor Authentication and is defined as: (pick 2+ separate
> 1) Something you know (password/PIN not written down)
> 2) Something you have (device that can not be copied, RSA fob, PKI
> hardware token/smart card...)
> 3) Something you are (biometrics)
> RSA is fob + PIN.
> My current plan is a PKI hardware token that requires a PIN/passcode to
> unlock the token to use the private key contained within. The key pair is
> generated on the token and the private key cannot be copied off the token.
> Ssh and openvpn clients support PKCS#11 for PKI hardware.
> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>> I'm an end-user of Duo at the day job and relatively happy with it. Was
>> not involved in the setup, though. OTOH I remember someone in #lopsa saying
>> they had problems with them and had been unhappy. Can't remember who or why
>> offhand, hopefully they'll chime in on this thread.
>> I will note that the most common problem with Duo that I've personally
>> seen is when folks have it configured to give them a phone call instead of
>> running the app and getting a push notification. In our setup, to access
>> the windows jumpbox we start an RDP session, and after normal user auth, it
>> then triggers a Duo challenge. But the phone call setting seems to get
>> delayed enough that the RDP session fails with a network policy error.
>> People adjusting their user config with push notifications works better. I
>> have not looked into seeing if you can just blanket disable that option,
>> but it seems a bit odd that they offer that as a service when it doesn't
>> work; then again, we may have a more aggressive timeout policy on the Duo
>> portion than is recommended. Again, wasn't involved in the setup as it
>> predated me, so I'm not sure.
>> I know it also works with Linux boxes and that's on my list to check out,
>> just haven't gotten to it yet. We'd likely only enable it on nodes with
>> public IPs that have SSH listening/allowed, so it has been low on my
>> priority list.
>> Duo is also apparently free depending on how many users/devices you have,
>> whereas last time I heard about the RSA setup, it was very expensive. I'm
>> planning on adding Duo support to my personal AWS Linux nodes for SSH (so
>> key+MFA auth, no passwords allowed).
>> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com> wrote:
>>> Hi all, hope this email finds everyone well. We're looking into setting
>>> up two-factor authentication at my company for a 2017 project and I'm
>>> in the "Let's get the lay of the land" phase. Right now it seems like Duo
>>> is making big headway in this market, but I've heard good things about RSA
>>> as well. I'd love to get some first-hand feedback from people who have used
>>> these types of 2FA solutions who aren't sales people :)
>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>>> implemented - at face value I'm very interested in Duo so if anyone has
>>> experience with Duo and setting it up (preferably alongside Palo Alto's and
>>> GlobalProtect) that'd be fantastic.
>>> Thanks in advance!
>>> Kyle Stewart
>>> Discuss mailing list
>>> This list provided by the League of Professional System Administrators
> Mr. Flibble
> King of the Potato People
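Morgan's plan above (SSH with a key plus Duo, no passwords allowed) comes down to a handful of sshd_config directives. The following is an added example, not code from anyone in the thread: a small POSIX shell audit that reads an sshd_config and reports whether it enforces public key authentication together with a PAM-driven second factor (the keyboard-interactive path a PAM module such as Duo's pam_duo uses) while disabling password logins. The directive names are OpenSSH's own; the two sample configurations are constructed here for illustration, and the check only reads the global section, so any Match blocks still need a manual review.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "public key + second factor, no passwords".
# Directive names are OpenSSH's; the sample configs below are constructed.

# Print the effective value of an sshd_config keyword. sshd uses the first
# occurrence and matches keywords case-insensitively; this helper stops at the
# first Match block, so conditional overrides are not evaluated.
sshd_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == key { print $2; exit } # first occurrence wins
    ' "$1"
}

# Return 0 when every alternative in AuthenticationMethods requires publickey
# AND keyboard-interactive, PAM is enabled, and password logins are off.
check_key_plus_mfa() {
    cfg="$1"
    methods=$(sshd_value "$cfg" AuthenticationMethods | tr 'A-Z' 'a-z')
    passwd=$(sshd_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    usepam=$(sshd_value "$cfg" UsePAM | tr 'A-Z' 'a-z')
    chal=$(sshd_value "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication | tr 'A-Z' 'a-z')

    ok=0
    # AuthenticationMethods: space-separated alternatives, each a comma-separated
    # chain. Unset means sshd's default (any single enabled method suffices).
    [ -n "$methods" ] || ok=1
    for alt in $methods; do
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) ok=1 ;;
        esac
    done
    [ "${passwd:-yes}" = "no" ] || ok=1   # sshd default is yes
    [ "${usepam:-no}" = "yes" ] || ok=1   # PAM must be on for a PAM second factor
    # keyboard-interactive needs challenge/response left enabled (either spelling)
    [ "$chal" != "no" ] && [ "$kbd" != "no" ] || ok=1
    return $ok
}

# Constructed sample: key + PAM second factor enforced, passwords disabled.
sample_hardened() {
    cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
}

# Constructed sample: a stock-looking config where passwords still work alone.
sample_weak() {
    cat <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
EOF
}

# Stand-alone demo: write both samples to temp files and audit them.
demo() {
    for name in hardened weak; do
        f=$(mktemp)
        "sample_$name" > "$f"
        if check_key_plus_mfa "$f"; then
            echo "$name: key + second factor enforced, passwords off"
        else
            echo "$name: NOT enforced (password-only login still possible)"
        fi
        rm -f "$f"
    done
}
demo
```

Run it against a real file with `check_key_plus_mfa /etc/ssh/sshd_config && echo ok`; a non-zero exit means at least one of the four conditions is not met in the global section.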