[talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))

N.J. Thomas njt at ayvali.org
Tue Apr 21 02:38:52 EDT 2015


* Isaac (.ike) Levy <ike at blackskyresearch.net> [2015-04-20 23:50:04-0400]:
> Just started playing with a Yubikey.  Didn't really understand the
> thing at first.
> 
> And then it hit me: this is the cheap, easily introspectable, hardware
> auth token I've been dying for for like a decade...

On a slightly tangential note, I started playing with Google
Authenticator recently:

    https://github.com/google/google-authenticator/

It's worked very well so far:

    - there are iPhone/Android apps for it

    - there is a port on FreeBSD to build a PAM module out of the box
      (security/pam_google_authenticator)

    - it only took me a few minutes to get my FreeBSD servers running it
      (basically building the port and adding a single line to
      /etc/pam.d/sshd)

    - in addition to TOTP (time based one time passwords) it also
      gives you some single use OTPs (is that redundant?) that you print
      and put in your wallet or wherever to use if your phone is not
      available

    - it works with LastPass as well

The nice thing about Google Authenticator is that apart from the
smartphone app, there is no physical token to carry around. Whether or
not that makes it less secure, I'm not entirely sure. The TOTP Wikipedia
page mentions that printed codes and email resets (which LastPass
allows) is a weakness which allows for additional exploitable vectors,
so be aware of that if you are using it.

Thomas


More information about the talk mailing list