[Noisebridge-discuss] Two factor auth, not SecureID

Jacob Appelbaum jacob at appelbaum.net
Thu Oct 15 22:43:50 UTC 2009


Matt Peterson wrote:
> (Since we have an abundant number of sysadmin/neteng/security folks
> here, I thought I'd post my question here - apologies if this is off
> topic)

I've worked with a lot of different token solutions. They all have their
drawbacks, some of them more serious than others. Most of them are not
fitting for me or people that I work with. I think a pure software
solution that has a Free Software implementation is a good alternative
to proprietary, expensive, key escrowed, brittle software and crappy
hardware. I also think that an open standard is a really important
aspect of any new authentication system.

Moxie recently wrote a cool piece of software called Barada that nicely
fits the bill:

	http://sourceforge.net/projects/barada/
	http://barada.sourceforge.net/

"Barada (Barada Aint Respecting Any Deceptive Adversaries) is a PAM
module designed to provide two-factor authentication support. There is
companion software which runs on Android devices, essentially turning
your phone into a SecureID token."

Barada is awesome because it's an implementation of "HOTP: An HMAC-Based
One-Time Password Algorithm" as found in RFC4226:

	http://www.ietf.org/rfc/rfc4226.txt

The abstract for RFC 4226 says:

   This document describes an algorithm to generate one-time password
   values, based on Hashed Message Authentication Code (HMAC).  A
   security analysis of the algorithm is presented, and important
   parameters related to the secure deployment of the algorithm are
   discussed.  The proposed algorithm can be used across a wide range of
   network applications ranging from remote Virtual Private Network
   (VPN) access, Wi-Fi network logon to transaction-oriented Web
   applications.

   This work is a joint effort by the OATH (Open AuTHentication)
   membership to specify an algorithm that can be freely distributed to
   the technical community.  The authors believe that a common and
   shared algorithm will facilitate adoption of two-factor
   authentication on the Internet by enabling interoperability across
   commercial and open-source implementations.

If you have an Android phone, you can just install the app from the
Market and you're ready to go (as far as clients go).

You just need to install the PAM module in your normal PAM stack and you
can _also_ auth with it. Nothing crazy, no java on your servers, no
expensive single purpose or flaky hardware, etc.

Best,
Jake
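Added illustration of the RFC 4226 algorithm discussed above; this is not Barada's code nor anything from the thread. It implements HOTP generation with the RFC's dynamic truncation, and the server-side verification with a look-ahead window that the RFC describes in section 7.4, checked against the RFC's own Appendix D test vectors (the ASCII secret "12345678901234567890").

```python
import hashlib
import hmac
import struct
from typing import Optional

# Test secret from RFC 4226 Appendix D: the ASCII string "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 s.5)."""
    # The moving factor C is an 8-byte big-endian counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (s.5.3): low 4 bits of the last byte pick a 4-byte window.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, candidate: str,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side check with a look-ahead window (RFC 4226 s.7.4).

    Returns the new counter the server must store (one past the matching
    value), or None if nothing in [server_counter, server_counter+look_ahead]
    matches. Counters at or below the stored one are never tried, so an OTP
    that has already been used (or one captured earlier) cannot be replayed.
    The RFC also requires throttling failed attempts; that is left to the
    caller here.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        # Constant-time comparison so the check leaks nothing about which
        # digits matched.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))  # 755224, 287082, 359152
```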
