[Noisebridge-discuss] Two factor auth, not SecureID

[seph]

Matt Peterson <matt at peterson.org> writes:

> I've been asked to setup a two-factor authorization system (not for  
> the space ;), traditionally most folks go with RSA SecureID.

What kind of use case are you looking at? 

Can you meet it with ssl certs on user machines? (counts as a second
factor in my corner of the regulatory universe)

Do you want some usb key style device, or some hardware fob that
displays a password?

I've been idly watching for inexpensive hardware tokens with reasonable
open source support. I think we're finally starting to see them. It
sounds like there's a chunk of OATH that supports such, and you can now
buy tokens and compile a suitable server. I'm not sure if there's any
good software, but I expect it'll show up eventually

Amazon just started supporting tokens for AWS, see
http://aws.amazon.com/mfa/ which links to an inexpensive device vendor,
and the ietf draft spec.

seph