two factor authentication

Jefferson Ogata Jefferson.Ogata at noaa.gov
Sun Jul 23 16:50:35 EST 2006


On 2006-07-23 05:03, Alon Bar-Lev wrote:
> Jefferson Ogata wrote:
>> Calling public-key "2-factor" is just spin.
> 
> That's not true!
> Calling a password "security" is the same.

When did I call a password "security"? It's a factor. But the passwords
I talked about in the part of my email that you elided are one-time
passwords, not fixed reusable passwords. This provides a different kind
of factor because it is not something the user knows; the user has to
refer to a password list or token to find out what the password is.

>> 1. You can't force people to put a passphrase on their private key.
> 
> You cannot force users not to use scripts with hard-coded
> passwords.

The motivations are opposite. Lazy users will generate private keys with
no passphrase. Lazy users will not figure out how to write a script to
pass the passphrase to ssh, and really, why would they, when they have
ssh-agent available?

>> 2. You can't keep people from storing the key in ssh-agent.
> 
> You cannot force users not to store passwords in ssh-agent (Yes,
> ssh-agent will also be patched to allow that, if your solution
> is implemented).

Again with the passwords. ssh-agent has no capability for storing
s/key-style one-time passwords, which are the only passwords I said
anything about. And speaking more generally, ssh-agent cannot be patched
to handle arbitrary one-time password schemes.

And again, even with fixed passwords, your typical lazy user is not
going to figure out how to patch ssh-agent, which--remember--is running
on /his/ system, not yours.

>> 3. If the private key--the actual factor--is compromised, it doesn't
>> matter if someone originally had a passphrase on it.
> 
> If someone bothers to get the private key AND password protects it,
> he will also bother to get the user password as well.

Not if it's a one-time password that the user doesn't even know until he
reads it from a piece of paper in his wallet. Did you even read the
email that you responded to?

>> The point of multiple factors is to have a backup in case one of the
>> factors is compromised.
> 
> No, it doesn't. This is your interpretation.
> Two factors, when combined, give you access to resources.

Yes, and the point of that is to have a backup in case one of the
factors is compromised. Or did you just think two factors is more fun
for everyone?

> If you want to have real security, use smartcards.
> If you don't use smartcards, then you don't have real security.

Actually, if you use smartcards, you have an unknown level of security,
since you're at the mercy of the smartcard vendor. I have nothing
against smartcards, but they're not free, and they don't necessarily
provide the security they claim to. For all I know, any given smartcard
has an RFID backdoor.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
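An added illustration of the s/key-style one-time password factor discussed above (example code, not from the OpenSSH project or either poster): a Lamport hash chain where the server keeps only the last accepted value, so a captured or reused entry from the printed list is worthless and there is nothing for an agent to cache. It assumes SHA-256 truncated to 64 bits in place of S/Key's original hash, and a constructed seed.

```python
import hashlib
import hmac

# One step of the chain: SHA-256 truncated to 8 bytes (assumption; real
# S/Key used MD4/MD5 folded to 64 bits). h is one-way, which is the point.
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:8]

def chain(seed: bytes, n: int) -> bytes:
    """Return h^n(seed): the seed hashed n times."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x

def otp_list(seed: bytes, n: int) -> list:
    """The printed list in the user's wallet: h^(n-1)(seed) ... h^0(seed),
    used top to bottom. The user does not 'know' these; he reads them off."""
    return [chain(seed, i) for i in range(n - 1, -1, -1)]

class SkeyServer:
    """Server side: stores only h^n(seed), never the seed or the list."""
    def __init__(self, initial: bytes, n: int):
        self.last = initial  # h^n(seed) at enrolment
        self.n = n           # sequence number of the stored value

    def verify(self, otp: bytes) -> bool:
        # Accept iff h(otp) equals the stored value, then advance by storing
        # otp itself. A replayed entry (or one further down the list) fails
        # because hashing it no longer reproduces the stored value, and the
        # stored value cannot be inverted to recover the next entry.
        if hmac.compare_digest(h(otp), self.last):
            self.last = otp
            self.n -= 1
            return True
        return False

def demo() -> list:
    """Constructed seed: first entry accepted, replay rejected, next accepted."""
    seed = b"constructed-seed-not-a-real-secret"
    n = 5
    server = SkeyServer(chain(seed, n), n)
    otps = otp_list(seed, n)
    return [server.verify(otps[0]), server.verify(otps[0]), server.verify(otps[1])]
```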