[TriLUG] Two factor

Aaron Joyner via TriLUG trilug at trilug.org
Thu Feb 23 17:49:12 EST 2017 

U2F is (IMHO) the gold standard.  Conveniently, there are rather cheap $18
devices
<https://www.amazon.com/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8>
available from Yubico.  There are various discounts available, the best one
I have seen was briefly $5 for a Yubikey U2F when Github launched U2F
support.  There are often 20% discounts, and you may be able to find one
for $9
<http://www.androidcentral.com/google-apps-work-customers-can-snag-yubico-security-key-9>.
If you really buy into the value of U2F, I highly recommend picking up a Yubico
Nano's <https://www.yubico.com/products/yubikey-hardware/> for each of your
primary devices (desktop, laptop, anything with a USB A port).  There are
also even-less-expensive devices available from HyperFido
<https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC>, but
I don't have any personal experience with them.

TOPT* is better than no 2nd factor.  It protects your username and password
from brute force attacks, and in the event they're stolen from a database
on the internets, but does not protect you from phishing attacks.  If an
attacker can trick you into thinking you're typing into the correct login
page, but you're really typing into a fake login page, they can capture
your username, password, and TOPT, then replay those to the server,
typically receiving a much-longer-lived credential.  U2F is strictly
better, because you can't make that mistake.

Using SMS for 2nd factor is... strange, but popular.  It leans hard on the
fact that people don't typically lose access to their phone numbers and SMS
is well understood.  It doesn't protect you against nation-state attackers
(I assume Verizon & AT&T are still feeding all SMS data to the NSA), and it
doesn't protect you against phishing (see above).  It also has
complications if you travel to places with internet access but without cell
coverage from your typical carrier (eg. international travel).

Aaron S. Joyner

* - Time-based One Time Password, as implemented by RSA key fobs, Google
Authenticator, and others.  It's typically a 6 digit number which changes
every 60 seconds or so.  It requires relatively close time synchronization
(within a few minutes) between your device and the server you're talking to
(trivial these days).


On Thu, Feb 23, 2017 at 11:20 PM, Mauricio Tavares via TriLUG <
trilug at trilug.org> wrote:

> What I saw is the onyen and then either text sent to you phone or a phone
> app or a USB something. The yubiko works with that
>
> On Feb 23, 2017 5:14 PM, "Matt Flyer via TriLUG" <trilug at trilug.org>
> wrote:
>
> I noticed that UNC CH has been pushing what they call two factor, but I've
> never really gotten how it works in practice. To me, two factor means you
> HAVE something like a USB key in addition to KNOW something like your Onyen
> and Password. I've never liked how Ruth just a UID and password you can
> sign on to just about any hosts as long as your authenticated in that
> domain / ou.
>
> Sent from my iPad
>
>
>
> Sent from my iPad
> > On Feb 23, 2017, at 5:00 PM, Mauricio Tavares via TriLUG <
> trilug at trilug.org> wrote:
> >
> >     So it seems UNC CH chose duo for their two factor
> > authentication, to the point they are pushing people to think the term
> > for 2 factor auth == duo. I did notice that is does like Chrome a lot,
> > ignoring the u2f extensions available for Firefox.
> >
> > What about you? What is your favourite/chosen multi auth means?
> > --
> > This message was sent to: Matt Flyer <matt at noway2.thruhere.net>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that
> address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web    :
> http://www.trilug.org/mailman/
> options/trilug/matt%40noway2.thruhere.net
> > Welcome to TriLUG: http://trilug.org/welcome
>
> --
> This message was sent to: raubvogel at gmail.com <raubvogel at gmail.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/
> options/trilug/raubvogel%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome
> --
> This message was sent to: Aaron S. Joyner <aaron at joyner.ws>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/
> options/trilug/aaron%40joyner.ws
> Welcome to TriLUG: http://trilug.org/welcome
>

More information about the TriLUG mailing list