two factor authentication

Alon Bar-Lev alon.barlev at gmail.com
Sun Jul 23 15:03:13 EST 2006


Jefferson Ogata wrote:
> Calling public-key "2-factor" is just spin.

That's not true!
Calling a password "security" is the same.

> 1. You can't force people to put a passphrase on their private key.

You cannot force users not to use scripts with a hard-coded
password.

> 2. You can't keep people from storing the key in ssh-agent.

You cannot keep users from storing passwords in ssh-agent (yes,
ssh-agent will also be patched to allow that, if your solution
is implemented).

> 3. If the private key--the actual factor--is compromised, it doesn't
> matter if someone originally had a passphrase on it.

If someone bothers to get the private key AND it is password protected,
he will also bother to get the user's password as well.

> The point of multiple factors is to have a backup in case one of the
> factors is compromised.

No, it isn't. This is your interpretation.
Two factors, when combined, give you access to resources.

If you want to have real security, use smartcards.
If you don't use smartcards, then you don't have real security.

Best Regards,
Alon Bar-Lev.



More information about the openssh-unix-dev mailing list