Russ Allbery <[email protected]> writes:

> Robbie Harwood <[email protected]> writes:
>
>> Also! 2FA will mitigate this concern somewhat as well. krb5 is
>> prepared to hand off to a RADIUS responder for OTP (freeIPA uses
>> this, which I know you're not interested in but is meaningful as a
>> PoC); you can then use something like freeOTP or a physical 2fa token
>> for acquiring additional credentials.
>
> I wonder how hard it would be to add WebAuthn as a preauth mechanism
> for Kerberos as part of a FAST chain. HOTP/TOTP don't have the
> greatest security properties, even though most Kerberos use cases are
> inherently less vulnerable to phishing than the typical web
> authentication use.
Probably not too bad, but there are some tricky points around RPs and the like. There's work underway (blocked on me actually) to add U2F/FIDO2 as a 2FA mech under SPAKE, though ideally we'd have the SPAKE draft closer to release before unloading that on the world.

Thanks,
--Robbie
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
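The thread contrasts OTP (HOTP/TOTP handed off over RADIUS) with a WebAuthn/FIDO2 preauth mechanism on the point of phishing resistance. The block below is an added example, not code from the thread, from krb5 or from FreeIPA: it implements RFC 4226 HOTP and RFC 6238 TOTP as a verifier would check them, and beside them a deliberately simplified WebAuthn-style assertion check that shows which bindings (RP ID hash, server challenge, signature counter) the OTP verifier has no way to enforce. The RP IDs, the credential key and the challenge are constructed values, and an HMAC stands in for the authenticator's asymmetric signature; the real CTAP/WebAuthn encodings are not reproduced.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Typical OTP verifier: accept the code for the current step or its neighbours.
    Nothing here ties the code to where the user typed it; the same six digits
    validate no matter which front end forwarded them to the verifier."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + delta * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_assertion(cred_key: bytes, rp_id: str, challenge: bytes, counter: int) -> dict:
    """Authenticator side (simplified). rp_id is what the browser passed in after
    checking it against the page origin; the signature covers the RP ID hash,
    the signature counter and the hash of the client data (type, challenge, origin)."""
    auth_data = rp_id_hash(rp_id) + struct.pack(">I", counter)
    client_data = b"webauthn.get|" + challenge.hex().encode() + b"|https://" + rp_id.encode()
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, "sha256").digest()  # HMAC stands in for an ECDSA signature
    return {"auth_data": auth_data, "client_data": client_data, "sig": sig}


def verify_assertion(cred_key: bytes, rp_id: str, challenge: bytes, last_counter: int, assertion: dict) -> bool:
    """Relying-party side: each check is a binding the TOTP verifier above cannot express."""
    auth_data, client_data = assertion["auth_data"], assertion["client_data"]
    if auth_data[:32] != rp_id_hash(rp_id):  # produced for a different RP ID (e.g. a lookalike host)
        return False
    if struct.unpack(">I", auth_data[32:36])[0] <= last_counter:  # replayed, or cloned authenticator
        return False
    fields = client_data.split(b"|")
    if len(fields) != 3 or fields[0] != b"webauthn.get":
        return False
    if not hmac.compare_digest(fields[1], challenge.hex().encode()):  # must answer this RP's challenge
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, "sha256").digest(), assertion["sig"])


def demo() -> dict:
    """Run both mechanisms on constructed inputs and report what each verifier accepts."""
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    cred_key = b"constructed-credential-key-not-a-real-one"  # constructed
    challenge = bytes(range(32))  # constructed; a real RP draws this from a CSPRNG per ceremony
    good = make_assertion(cred_key, "login.example.test", challenge, counter=1)
    wrong_rp = make_assertion(cred_key, "login.examp1e.test", challenge, counter=2)
    return {
        "rfc6238_vector": totp(secret, 59, digits=8),
        "totp_accepted": verify_totp(secret, totp(secret, 59), 59),
        "assertion_ok": verify_assertion(cred_key, "login.example.test", challenge, 0, good),
        "assertion_wrong_rp": verify_assertion(cred_key, "login.example.test", challenge, 0, wrong_rp),
        "assertion_replayed": verify_assertion(cred_key, "login.example.test", challenge, 1, good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The TOTP check passes on the RFC 6238 vector and would pass identically for a code relayed through any intermediary, because the verifier only sees the digits. The assertion check fails when the RP ID the browser supplied differs from the one the relying party expects, when the challenge is not the one this RP issued, or when the signature counter does not advance; those are the properties the thread is pointing at when it calls OTP the weaker of the two for phishing resistance.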
