two factor authentication

Alon Bar-Lev alon.barlev at gmail.com
Tue Jul 25 15:17:06 EST 2006


Jefferson Ogata wrote:
> Well, I was actually provisionally agreeing with you that with a
> smartcard from which the key is not directly accessible, yes you may
> arguably have two factors. But I don't think the White House will
> consider it so.

Why do you guess? Ask them!

Smartcard *IS* two factor, this is why they exist. There is no
better security solution than smartcards.

You can, however, wish your users to enter the password for the
smartcard and then enter the password for the server. But I really
pity your users.

If you don't trust your users you can provide them with a smartcard
with a pre-defined complex-enough password they cannot change.
The result is the smartcard being locked if someone tries to guess that
password.

You can also consider biometric-enabled smartcards, and have 3 factors.
But biometric is the worst from the user's perspective.

Best Regards,
Alon Bar-Lev.



More information about the openssh-unix-dev mailing list