Two factor authentication, how hard can it be?
Two-factor authentication has two components: something you know and something you have. Something you know is usually a username and password, and that gives you the first factor. Something you have is the second factor, and it usually isn't implemented.
One can argue that public/private key cryptography is strong, but it's not two-factor authentication into computer systems. An SSH key or SSL certificate can be password protected, but it's usually still just a file on the computer. And you don't want someone to compromise a user's laptop, take as long as they need to crack the key's password offline, and use that to get access to your intranet.
The criteria are:
- two-factor authentication
- open standard
- vendor independent
- free software stack available
- secure
- user friendly
- low-cost
So let's start running down the systems available today for two-factor authentication:
- Smartcards / Tokens using PKCS #11 API & PKCS #15 standard
- Hardware / Software Tokens using OATH HOTP or TOTP standard
- Yubikey Token with Yubikey Validation standards
OATH is the Open Authentication initiative behind one-time password (OTP) authentication in event-based and time-based forms. It's a simple, nice algorithm, which you can read about here. It generates a 6-8 digit one-time password from a seed (the initial secret) and a moving factor: in the event-based form (HOTP) the moving factor is a sequential counter, in the time-based form (TOTP) it is the current time. There are many hardware and software tokens available on the market, so it's one contender I'm looking into.
YubiKey is a battery-less USB token with a touch-sensitive button. It simulates a USB keyboard and "types" passwords. It can be configured to produce a 32-character YubiKey OTP, a 6-8 digit OATH HOTP, or a long static password. Later YubiKeys added challenge-response functionality as well. The cool thing is that the hardware design and the YubiKey OTP documentation are published, and all the software around it is open source. There isn't another hardware vendor though.
Now implementation details. For my use case I need: a central validation server, a PAM authentication module, authentication over the network, and authentication plugins for specific applications (e.g. OpenERP, Drupal, etc.).
For YubiKey: there are multiple open source validation servers, multiple PAM modules (including ones that work against a validation server over the network), and plugins for many applications out there. There is an investment cost for the YubiKeys ($25 each, cheaper when buying in bulk, plus VAT and shipping) and you are locked to a single vendor for the keys.
For OATH: I found only one validation server, which is a dead work of a dead original... There is oath-toolkit with a PAM module, but it means storing the secret seeds on each machine where you want to authenticate, because it doesn't talk securely to a validation server over the network.
The underdog is yubikey-yubiserve, an OATH HOTP/YubiKey validation server that uses the YubiKey validation protocol (a REST API over SSL with client API signatures). But there aren't HOTP PAM modules that know how to talk the YubiKey validation protocol.
I'm thinking of modifying the c-yubico-pam module to accept OATH HOTP and use yubikey-yubiserve. Then I get an open source stack, vendor independence, an awesome user experience with YubiKey OTP, a worse user experience with OATH HOTP, but at least I will be able to mix and match ;-)
PS: The Fedora project and CERN are using YubiKeys, so maybe it's not that bad. Any takers for software YubiKey generators for JavaME / Android / iPhone / MeeGo / Desktop?