Two factor authentication, how hard can it be?
Two-factor authentication has two components: something you know and something you have. Something you know is usually a username and password, and gives you the first factor. Something you have is the second factor, and it is usually not implemented at all.
One can argue that public-key cryptography is strong, but on its own it is not two-factor authentication into computer systems. An SSH key or SSL certificate can be password protected, but it is still just a file on the computer. You don't want someone to compromise a user's laptop, take as long as they need to brute-force the passphrase offline, and then use that key to get into your intranet.
The criteria are:
- two-factor authentication
- open standard
- vendor independent
- free software stack available
- secure
- user friendly
- low-cost
So let's start running down the systems available today for the two factor authentication:
- Smartcards / Tokens using PKCS #11 API & PKCS #15 standard
- Hardware / Software Tokens using OATH HOTP or TOTP standard
- Yubikey Token with Yubikey Validation standards
OATH is the Open Authentication initiative behind event-based (HOTP) and time-based (TOTP) one-time password authentication. It's a simple, nice algorithm, which you can read about here. It generates a 6-8 digit one-time password from a seed (the initial shared secret) and a moving factor: in the event-based form the moving factor is a sequential counter, in the time-based form it is the current time step. There are many hardware and software tokens available on the market, so it's one contender I'm looking into.
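To make the HOTP/TOTP description concrete, here is an added example (my own code, not from the post or from oath-toolkit) that implements RFC 4226 HOTP and RFC 6238 TOTP on top of Python's standard library, plus the server-side piece the post cares about: a validator that keeps the per-token counter, tolerates a look-ahead window when the user pressed the token a few times without logging in, and never accepts a counter value twice. The secret and time values are the published RFC test vectors; the window size and the `HotpValidator` class are my own choices.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of time steps since t0."""
    return hotp(secret, (for_time - t0) // step, digits, algo)


class HotpValidator:
    """Server-side state for one event-based token.

    The validation server, not the client machine, holds the seed and the last
    accepted counter; a code is accepted only if it matches one of the next
    `window` counter values, after which the counter jumps past it so the same
    code (or any earlier one) can never be replayed.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = counter        # next counter value we expect
        self.window = window          # look-ahead for tokens pressed without a login
        self.digits = digits

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.counter = candidate + 1          # resynchronise and burn the code
                return True
        return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(RFC_SECRET, c))      # 755224, 287082, 359152
    print("TOTP at T=59 (8 digits) ->", totp(RFC_SECRET, 59, digits=8))   # 94287082
    v = HotpValidator(RFC_SECRET)
    print(v.verify("755224"), v.verify("755224"))               # True False (replay)
```

The `HotpValidator` is exactly the state a central server has to persist per user; if the seed and counter instead live in a file on every machine running the PAM module, as with a stand-alone oath-toolkit setup, each host becomes a place from which all tokens can be cloned.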
YubiKey is a battery-less USB token with a touch-sensitive button. It enumerates as a USB keyboard and "types" passwords. It can be configured to produce a 44-character YubiKey OTP, a 6-8 digit OATH HOTP code, or a long static password. Later YubiKeys added challenge-response functionality as well. The cool thing is that the hardware design and the YubiKey OTP documentation are published, and all the software around it is open source. There isn't another hardware vendor, though.
Now implementation details. For my use case I need: a central validation server, a PAM authentication module, authentication over the network, and authentication plugins for specific applications (e.g. OpenERP, Drupal, etc.).
For YubiKey: there are multiple open-source validation servers, multiple PAM modules (including ones that work against a validation server over the network), and plugins for many applications. There is an investment cost for the YubiKeys ($25 each, cheaper when buying in bulk, plus VAT and shipping) and you are locked to a single vendor for the keys.
For OATH: I found only one validation server, and it is a dead work of a dead original... There is oath-toolkit with a PAM module, but it means storing the secret seeds on each machine where you want to authenticate, because it doesn't talk securely to a validation server over the network.
The underdog is yubikey-yubiserve, an OATH HOTP / YubiKey validation server that speaks the YubiKey validation protocol (a REST API over SSL with client API signatures). But there are no HOTP PAM modules that know how to talk the YubiKey validation protocol.
I'm thinking of modifying the c-yubico-pam module to accept OATH HOTP and use yubikey-yubiserve. Then I get an open-source stack, vendor independence, an awesome user experience with YubiKey OTP, a worse user experience with OATH HOTP, but at least I will be able to mix and match ;-)
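The "client API signatures" of the validation protocol mentioned above are what let a PAM module on one host trust a validation server on another without the seeds ever leaving the server. As an added example (my own code, modelled on the published Yubico Validation Protocol v2.0 as I understand it, not code from yubikey-yubiserve or c-yubico-pam), the following shows both sides of one exchange: the client signs its query with a shared API key, the server verifies the signature in constant time, rejects replayed nonces and replayed OTPs, and signs its reply so the client can tell a genuine answer from a tampered one. The client id, API key and OTP string are constructed for the demo; the actual OTP check is injected as a callable, since what is being demonstrated is the transport layer, not OTP decoding.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo credentials (not real keys or OTPs).
CLIENT_ID = "1234"
API_KEY = hashlib.sha1(b"constructed demo api key").digest()       # 20 bytes, as a shared HMAC key
VALID_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"        # 44-char modhex-looking sample


def signature(api_key: bytes, params: dict) -> str:
    """Sort parameters by key (excluding h), join as k=v with '&',
    HMAC-SHA1 under the shared key, base64-encode the digest."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    digest = hmac.new(api_key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(client_id: str, api_key: bytes, otp: str) -> dict:
    """Client side: fresh nonce per request, then sign everything."""
    params = {"id": client_id, "otp": otp, "nonce": secrets.token_hex(16), "timestamp": "1"}
    params["h"] = signature(api_key, params)
    return params


def verify_response(api_key: bytes, sent: dict, resp: dict) -> bool:
    """Client side: reply must be signed with our key and echo our otp and nonce,
    otherwise a man-in-the-middle could answer OK to any request."""
    if "h" not in resp or not hmac.compare_digest(signature(api_key, resp), resp["h"]):
        return False
    return resp.get("otp") == sent["otp"] and resp.get("nonce") == sent["nonce"]


class ValidationServer:
    """Server side: per-client API keys, nonce and OTP replay sets, signed replies."""

    def __init__(self, clients: dict, otp_is_valid):
        self.clients = clients            # client id -> API key
        self.otp_is_valid = otp_is_valid  # injected OTP check (HOTP/YubiKey decode lives here)
        self.seen_nonces = set()
        self.seen_otps = set()

    def handle(self, params: dict) -> dict:
        key = self.clients.get(params.get("id"))

        def reply(status: str) -> dict:
            resp = {"otp": params.get("otp", ""), "nonce": params.get("nonce", ""),
                    "t": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "status": status}
            if key is not None:
                resp["h"] = signature(key, resp)
            return resp

        if key is None:
            return reply("NO_SUCH_CLIENT")
        if not hmac.compare_digest(signature(key, params), params.get("h", "")):
            return reply("BAD_SIGNATURE")          # checked before anything is trusted
        nonce, otp = params.get("nonce", ""), params.get("otp", "")
        if len(nonce) < 16 or nonce in self.seen_nonces:
            return reply("REPLAYED_REQUEST")
        self.seen_nonces.add(nonce)
        if otp in self.seen_otps:
            return reply("REPLAYED_OTP")
        if not self.otp_is_valid(otp):
            return reply("BAD_OTP")
        self.seen_otps.add(otp)
        return reply("OK")


def run_demo() -> list:
    """Walk through accept, two kinds of replay, a tampered signature and an unknown client."""
    server = ValidationServer({CLIENT_ID: API_KEY}, lambda otp: otp == VALID_OTP)
    first = build_request(CLIENT_ID, API_KEY, VALID_OTP)
    ok = server.handle(first)
    replayed_request = server.handle(first)                       # same nonce again
    replayed_otp = server.handle(build_request(CLIENT_ID, API_KEY, VALID_OTP))
    tampered = dict(build_request(CLIENT_ID, API_KEY, VALID_OTP), otp="c" * 44)
    bad_sig = server.handle(tampered)                             # otp changed after signing
    unknown = server.handle(build_request("9999", API_KEY, VALID_OTP))
    return [verify_response(API_KEY, first, ok), ok["status"], replayed_request["status"],
            replayed_otp["status"], bad_sig["status"], unknown["status"]]


if __name__ == "__main__":
    print(run_demo())   # [True, 'OK', 'REPLAYED_REQUEST', 'REPLAYED_OTP', 'BAD_SIGNATURE', 'NO_SUCH_CLIENT']
```

Two design points carry over to any PAM module written against such a server: verify the reply signature and the echoed nonce before granting access, and keep the signature check ahead of every other check so an unauthenticated request cannot consume nonces or OTPs on behalf of a real client.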
ps. The Fedora project and CERN are using YubiKeys, so maybe it's not that bad. Any takers for software YubiKey generators for JavaME / Android / iPhone / MeeGo / Desktop?
This is really great work you're doing, and I applaud it.
I'm ignorant about most of the security issues, but would it be possible to use an XMPP server with OTR to send the OTP? That seems it would mean the widest uptake by devices (so that you didn't need to write apps for each device you wanted to support). Then you could count on Android, Blackberry, or iOS to supply the OTP to the user. Google's SMS method seems to work well enough, but SMS charges could be avoided by the use of XMPP.
Just a thought. I'm sort of against a solution which requires specific hardware (Yubikey) to participate.
We invite you to check out our (free) offering at Duo Security: http://www.duosecurity.com
Drop-in open-source integrations for Unix, web, etc. and support for HOTP OTPs, phone callback, SMS OTPs, and smartphone push. :-)
I have recently tried a paper-based OTP solution, specifically http://www.cl.cam.ac.uk/~mgk25/otpw.html. It is simple and works like a charm with PAM. At first, paper seems a little low-tech, but it IS cheap.
This is on one server, so I do not know about the central auth server part.
Hi Dmitrijs,
Have you made any advances on this?
Have you tried Google Authenticator ? It has a PAM module... http://code.google.com/p/google-authenticator/
Any tests with OpenERP ?
Regards,
-Mario
I want to run my own server. Google Authenticator is simply a client to generate OTP codes locally. The pam module doesn't provide a server that you can authenticate against remotely.
OpenERP supports multiple authentication methods, but it's not an OTP server. E.g. your plugin is one of the auth_* modules and OpenERP will listen to what that says.