I've been a happy Duo user personally (Google, GitHub) for a while. The push/phone integration is nice.
We're moving to Okta for identity federation + SSO and we're going to integrate it with Duo. Kinda over RSA. Our (few) test users liked the Duo push and one-button response compared to the RSA enter digits thing. On Fri, Dec 2, 2016 at 4:55 AM, Robert Hajime Lanning <lann...@lanning.cc> wrote: > Attack vectors... > > The difference is "can the private key (something you have) be copied?" > > PKI hardware token: No. > File on notebook: Yes. > > A PKI key on its own as a file on a harddrive is equal to a really complex > password. So complex that you can't remember it so it is written down. > > So, you encrypt the private encryption key with a passphrase. You have now > put a password on your password. > > If the key can be copied, then it does not subscribe to something you have > being unique. A passphrase can be copied, so it is also not unique. The > combination of the two are not unique. > > Malware can attack a file on notebook and steal keystrokes for a > passphrase. > > For PKI hardware, data is sent to the token itself where the token (using > it's own processor) encrypts/signs the data with the private key. The > private key cannot be copied/read off the token. The private key can only > be generated/used/erased via API calls to the hardware. > > PKI USB tokens are basically smart card readers with a smart card > permanently attached. > > On 12/01/16 11:07, Morgan Blackthorne wrote: > >> I guess I'm not seeing much of a distinction between someone knowing >> your password and someone knowing the passphrase on your key. If you >> have a passphrase set, having a copy of the key does you no good without >> the passphrase. But there's a pretty equivalent concern about someone >> having both pieces of that equation vs. a normal password. Now something >> like an OTP setup is a different story. >> >> I agree with the enforcement perspective on keys; I wish SSH had a way >> to flag whether or not a passphrase was enabled for a key and then >> control restrictions on the server side as to what accounts are >> whitelisted for automation vs. normal users where a passphrase is >> enforced. But at the end of the day I'm unconvinced that a key is any >> less secure than a password, as long as you have a passphrase configured. >> >> On Thu, Dec 1, 2016 at 10:54 AM, Robert Hajime Lanning >> <lann...@lanning.cc <mailto:lann...@lanning.cc>> wrote: >> >> Requiring a passphrase on your private key is not enforceable. >> >> And the key can be duplicated. So if someone has a copy of your key >> and gets/guesses your passphrase, you won't know they have access. >> >> Having the private key generated on a PKI hardware token that >> *enforces* a PIN/passphrase to access, covers those bases. >> >> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net >> <mailto:mor...@windsofstorm.net>> wrote: >> >> If you have a passphrase on your private key (as one should), >> would that not be considered something you know as well? >> >> On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning >> <lann...@lanning.cc <mailto:lann...@lanning.cc>> wrote: >> >> I have only implemented RSA, but I will be doing a bit of >> research on this topic shortly. >> >> For my current job we'll be needing MFA for a secure >> environment, in the next couple of months. They won't be >> able to afford RSA. >> >> But I do need to note that PKI key+Duo is not MFA. >> (Something you have + Something you have) >> >> MFA is Multi Factor Authentication and is defined as: (pick >> 2+ separate items) >> >> 1) Something you know (password/PIN not written down) >> 2) Something you have (device that can not be copied, RSA >> fob, PKI hardware token/smart card...) >> 3) Something you are (biometrics) >> >> RSA is fob + PIN. >> >> My current plan is a PKI hardware token that requires a >> PIN/passcode to unlock the token to use the private key >> contained within. The key pair is generated on the token and >> the private key cannot be copied off the token. >> >> Ssh and openvpn clients support PKCS#11 for PKI hardware. >> >> >> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net >> <mailto:mor...@windsofstorm.net>> wrote: >> >> I'm an end-user of Duo at the day job and relatively >> happy with it. Was not involved in the setup, though. >> OTOH I remember someone in #lopsa saying they had >> problems with them and had been unhappy. Can't remember >> who or why offhand, hopefully they'll chime in on this >> thread. >> >> I will note that the most common problem with Duo that >> I've personally seen is when folks have it configured to >> give them a phone call instead of running the app and >> getting a push notification. In our setup, to access the >> windows jumpbox we start an RDP session, and after >> normal user auth, it then triggers a Duo challenge. But >> the phone call setting seems to get delayed enough that >> the RDP session fails with a network policy error. >> People adjusting their user config with push >> notifications works better. I have not looked into >> seeing if you can just ! blanket disable that o! ption, >> but it seems a bit odd that they offer that as a service >> when it doesn't work; then again, we may have a more >> aggressive timeout policy on the Duo portion than is >> recommended. Again, wasn't involved in the setup as it >> predated me, so I'm not sure. >> >> I know it also works with Linux boxes and that's on my >> list to check out, just haven't gotten to it yet. We'd >> likely only enable it on nodes with public IPs that have >> SSH listening/allowed, so it has been low on my priority >> list. >> >> Duo is also apparently free depending on how many >> users/devices you have, whereas last time I heard about >> the RSA setup, it was very expensive. I'm planning on >> adding Duo support to my personal AWS Linux nodes for >> SSH (so key+MFA auth, no passwords allowed). >> >> On W! ed, Nov 30, 2016 at 10:31 AM, Kyle Stewart >> <_kylestew...@outlook.com >> <mailto:_kylestew...@outlook.com>> wrote: >> >> Hi all, hope this email finds everyone well. We're >> looking into setting up two-factor authentication at >> my company for a 2017 project and I'm in the "Let's >> get the lay of the land" phase. Right now it seems >> like Duo is making big headway in this market, but >> I've heard good things about RSA as well. I'd love >> to get some first-hand feedback from people who have >> used these types of 2FA solutions who aren't sales >> people :) >> >> >> Overall I get what 2FA/MFA does, but I'm blurry on >> how it gets implemented - at face value I'm very >> interested in Duo so if anyone has experience with >> Duo and setting it up (preferably alongside Palo >> Alto's and GlobalProtect) that'd be fantastic. >> >> >> Thanks in advance! >> > > > -- > Mr. Flibble > King of the Potato People > http://www.linkedin.com/in/RobertLanning > _______________________________________________ > Discuss mailing list > Discuss@lists.lopsa.org > https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss > This list provided by the League of Professional System Administrators > http://lopsa.org/ >
_______________________________________________ Discuss mailing list Discuss@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
