On May 31, 2012, at 10:46 PM, Tim Eggleston wrote:

> Hi Simon,
>
>> Having the same secret in several devices is usually not a good idea --
>> instead, how about a scheme to have multiple lines in users.oath for the
>> same user but with different OATH secrets? Then each OTP could be
>> tested against all lines for a user, to find which device is relevant,
>> and then that line could be updated.
>
> Perfect! This is exactly what I was hoping for. As well as enabling
> flexibility in cases such as mine (where I use a couple of Yubikeys
> day-to-day), it would also allow us to be a bit stronger with our pam config:
> we could configure a backup token which was stored somewhere safe & secure,
> and then we could require the OTP to authenticate instead of making it
> "sufficient", knowing that even if we lost our primary token we could always
> fall back to the backup.
>
This is something I too would find very useful. Simon, have you had time to decide if it's something you plan to do?

/ Fredrik
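As an added illustration of the scheme quoted above (several users.oath lines per user, each OTP tried against every line for that user, and only the matching line updated), here is a small Python sketch. It is not code from this thread or from oath-toolkit/pam_oath; it assumes HOTP only (RFC 4226, six digits), a users.oath-style file with the columns type, user, PIN, hex secret and counter, a look-ahead window of 10, and a constructed sample file whose first "simon" secret is the RFC 4226 test key and whose other secrets are made up here.

```python
"""Multiple OATH secrets per user: test the OTP against every line for the
user, then advance the counter of the line that matched.

Added illustration; not oath-toolkit/pam_oath code.  Assumptions: HOTP only
(RFC 4226, 6 digits), a users.oath-style whitespace-separated file with the
columns type, user, pin, hex secret, counter, and a look-ahead window of 10.
"""
import hashlib
import hmac
import struct

# Constructed sample file.  The first "simon" secret is the RFC 4226 test
# key "12345678901234567890" in hex; the other two secrets are made up.
USERS_OATH = """\
# type  user   pin  secret                                    counter
HOTP    simon  -    3132333435363738393031323334353637383930  0
HOTP    simon  -    00112233445566778899aabbccddeeff00112233  0
HOTP    tim    -    deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  7
"""

WINDOW = 10  # how far past the stored counter we search (resync window)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def parse_users_oath(text: str) -> list:
    """Parse users.oath-style lines into dicts, one per line, so a user with
    several tokens simply gets several entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != "HOTP":
            raise ValueError(f"unsupported or malformed line: {raw!r}")
        entries.append({
            "type": fields[0],
            "user": fields[1],
            "pin": fields[2],
            "secret": bytes.fromhex(fields[3]),
            "counter": int(fields[4]) if len(fields) > 4 else 0,
        })
    return entries


def verify_any_token(entries: list, user: str, otp: str, window: int = WINDOW):
    """Test `otp` against every line belonging to `user`.

    Returns the index of the matching line and moves that line's counter past
    the matched value (so the same OTP cannot be replayed), or None."""
    for idx, entry in enumerate(entries):
        if entry["user"] != user:
            continue
        for counter in range(entry["counter"], entry["counter"] + window):
            if hmac.compare_digest(hotp(entry["secret"], counter), otp):
                entry["counter"] = counter + 1
                return idx
    return None


def render_users_oath(entries: list) -> str:
    """Write the entries back in the same column order with updated counters."""
    return "".join(
        f"{e['type']}\t{e['user']}\t{e['pin']}\t{e['secret'].hex()}\t{e['counter']}\n"
        for e in entries
    )


if __name__ == "__main__":
    table = parse_users_oath(USERS_OATH)
    print("first token :", verify_any_token(table, "simon", hotp(table[0]["secret"], 0)))
    print("second token:", verify_any_token(table, "simon", hotp(table[1]["secret"], 0)))
    print("replay      :", verify_any_token(table, "simon", hotp(table[0]["secret"], 0)))
    print(render_users_oath(table))
```

Only the line that matched has its counter advanced, so the other token's state is untouched and a captured OTP cannot be replayed against the line it came from. The real pam_oath also writes the last OTP and a timestamp back to the file, which this sketch leaves out.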
