[Noisebridge-discuss] Two factor auth, not SecureID

Seth David Schoen schoen at loyalty.org
Thu Oct 15 23:05:30 UTC 2009


Jacob Appelbaum writes:

> Moxie recently wrote a cool piece of software called Barada that nicely
> fits the bill:
> 
> 	http://sourceforge.net/projects/barada/
> 	http://barada.sourceforge.net/
> 
> "Barada (Barada Aint Respecting Any Deceptive Adversaries) is a PAM
> module designed to provide two-factor authentication support. There is
> companion software which runs on Android devices, essentially turning
> your phone into a SecureID token."
> 
> Barada is awesome because it's an implementation of "HOTP: An HMAC-Based
> One-Time Password Algorithm" as found in RFC4226:

Presumably some people liked things like SecurID specifically because
they didn't trust users or users' phones -- so they wanted a two-factor
system where the authentication credential couldn't readily be copied
or exported from the device.

However, Barada looks great to me and it should challenge people
implementing two-factor authentication to think about whether they
are willing to trust users and phones.  (Android's interapplication
isolation should make it more trustworthy for this purpose than some
other phone operating systems, but maybe there is still concern that
a rogue Android app that has root on the phone could grab the PIN
when the user enters it and then SMS the PIN to an attacker.)

I only see the source code for the PAM side here.  Is the source code
for the Android client also published?

-- 
Seth David Schoen <schoen at loyalty.org> | What an easy task not to think of
     http://www.loyalty.org/~schoen/   | a tiger, I reflected.
     http://vitanuova.loyalty.org/     |            -- Borges, El Zahir
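An added worked example, not Barada's own code and not part of the original thread: the RFC 4226 HOTP computation the message refers to, checked against the test vectors published in that RFC, plus a minimal server-side verifier showing why the counter only moves forward (a replayed or stale code is rejected). The look-ahead window of 5 is an assumed policy value, not something the RFC or Barada mandates.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian
    counter, dynamic truncation, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low 4 bits of last byte
    code = ((mac[offset] & 0x7F) << 24          # mask sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the PAM module's role.
    The counter is a monotonic high-water mark, so a code that was
    already accepted (or one older than the current counter) never
    validates again; look_ahead tolerates codes the user generated
    but never submitted (assumed window size)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for i in range(self.look_ahead + 1):
            expected = hotp(self.secret, self.counter + i)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.counter += i + 1                 # resync past the hit
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    v = HotpVerifier(RFC4226_SECRET)
    print("first use:", v.verify("755224"), "replay:", v.verify("755224"))
```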