[Noisebridge-discuss] Two factor auth, not SecureID

Jacob Appelbaum jacob at appelbaum.net
Fri Oct 16 00:52:28 UTC 2009


Seth David Schoen wrote:
> Jacob Appelbaum writes:
> 
>> Moxie recently wrote a cool piece of software called Barada that nicely
>> fits the bill:
>>
>> 	http://sourceforge.net/projects/barada/
>> 	http://barada.sourceforge.net/
>>
>> "Barada (Barada Aint Respecting Any Deceptive Adversaries) is a PAM
>> module designed to provide two-factor authentication support. There is
>> companion software which runs on Android devices, essentially turning
>> your phone into a SecureID token."
>>
>> Barada is awesome because it's an implementation of "HOTP: An HMAC-Based
>> One-Time Password Algorithm" as found in RFC4226:
> 
> Presumably some people liked things like SecurID specifically because
> they didn't trust users or users' phones -- so they wanted a two-factor
> system where the authentication credential couldn't readily be copied
> or exported from the device.
> 

Possibly so. You'd still need to know the PIN (depending on implementation).

> However, Barada looks great to me and it should challenge people
> implementing two-factor authentication to think about whether they
> are willing to trust users and phones.  (Android's interapplication
> isolation should make it more trustworthy for this purpose than some
> other phone operating systems, but maybe there is still concern that
> a rogue Android app that has root on the phone could grab the PIN
> when the user enters it and then SMS the PIN to an attacker.)
> 

I think the coolest thing is that it's not tied to a phone per se. It's
Android and so it's not just for phones.

> I only see the source code for the PAM side here.  Is the source code
> for the Android client also published?
> 

The apk is available from the Market but you can also build it yourself:

	svn co https://barada.svn.sourceforge.net/svnroot/barada barada

There's currently no GNU/Linux userland app and Moxie said he'd take one
if someone wants to write it. I'm looking into it at the moment; it
seems like it would be a pretty quick app to hack up...

Best,
Jake
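
The thread above rests on RFC 4226 HOTP, both for the token side (the
GNU/Linux userland client Jake mentions, which would print the next code)
and for the PAM side (which must check the code and move the counter
forward). The following is an added example written for this page; it is
not Barada's code or anything from Moxie's repository. The hotp() function
is a straight reading of RFC 4226 section 5.3 and is checked against the
reference vectors in the RFC's Appendix D. The HotpVerifier class is a
hypothetical server-side check: the look-ahead window of 20 is an assumed
value, not anything Barada's PAM module does, and the point it shows is the
counter handling, namely that an accepted code moves the stored counter
past the matched value so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D reference secret and the first ten expected codes.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) as in RFC 4226 section 5.3.

    HMAC-SHA-1 over the 8-byte big-endian counter, then the RFC's
    "dynamic truncation": the low nibble of the last HMAC byte selects a
    4-byte window, whose top bit is masked off before reduction mod 10^digits.
    """
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side check in the style of a PAM module (hypothetical, not Barada's code).

    The stored counter only ever moves forward. A submitted code is accepted if
    it matches one of the next `window` counter values (the resynchronisation
    of RFC 4226 section 7.4), after which the counter jumps past the matched
    value: a code that was already used, or one behind the counter, is dead.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 20, digits: int = 6):
        self.secret = secret
        self.counter = counter      # next counter value expected from the token
        self.window = window        # look-ahead parameter s; 20 is an assumed value
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare so the check does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Token side: what a userland client would print for counters 0..9.
    for c in range(10):
        print(c, hotp(RFC4226_SECRET, c))
    # Verifier side: first use succeeds, replay of the same code fails.
    v = HotpVerifier(RFC4226_SECRET)
    print(v.verify(hotp(RFC4226_SECRET, 0)), v.verify(hotp(RFC4226_SECRET, 0)))  # True False
```

The window bounds how far the token's counter may drift ahead of the
server's (a user pressing the button without logging in) before the
two have to be resynchronised by hand; a larger window makes guessing
easier in proportion, so it is a deployment parameter, not a constant.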
