Heh. The "enterprise" solution for this is something like DIGIPASS-ES [1], which is probably TOTP but just broken enough that you have to use their pretty terrible app instead of your existing apps.
I don't agree with the original poster, but to at least supplement: using something like U2F (using pam_u2f) might be more secure, since no secret is transmitted in plaintext, and the secret is usually stored on an untamperable hardware token. Of course, most applications do not require such protection.
That only works for local authentication. Which is fine, the article is about login and sudo.
But there's a problem. If I had partial access and the first factor (password) I'd race the real admin's "sudo" for the U2F touch. Poll list of processes in a loop. If "sudo" was just started, ask for U2F before sudo has a chance. (e.g. by having a pre-started sudo paused in GDB).
U2F has its problems for non-web auth. Just look at how awkward the SSH patches are. (also not secure and/or anonymous (I forget), by the way. See mailing list threads)
In my limited experience "enterprise" 2FA seems limited to RSA tokens. I'm not sure if I'm 10 years out of date particularly since they were hacked a while back.
Wouldn't a more elegant solution be to add Kerberos authentication combined with 2FA? You can then pay the price for access up front but someone phishing your password gets nothing since presumably they cannot answer the second factor challenge.
Yeah, I mean if the goal is the "enterprise" solution, which is usually the solution where the setup, as well as the risk and damages of a break-in, can be shouldered to another company, then yeah RSA is usually the answer. I was primarily referring to the cryptographic security. Yes, RSA does avoid the transfer of plaintext secrets over the network, but instead you are placing your trust in RSA as a company to not have stored the secrets elsewhere (which, in most cases, is probably just fine).
The advantage of U2F is that it uses an asymmetric scheme where a keypair is generated for each authentication endpoint, so the secrets never leave the hardware token in the first place. Compared to RSA SecurID, you would need to have a really severe threat scenario such that you can't even trust RSA with your keys. Of course, U2F is also a much more complicated protocol than say TOTP, and has not existed long enough to stand the cryptographic test of time.
To answer your second question, I'm not sure I understand what you mean. TOTP (Google Authenticator), RSA SecurID, and U2F are all different types of 2FA. They could all be combined with Kerberos if that is what you want.
Out of curiosity when you say "app" are you talking about the pam module or the phone app? I would agree 2FA shouldn't replace a password but I don't see why it would be an issue as an addition to it.
I made the same comment and I got downvoted as well. I don't think vacri is saying it is bad to get the app from the Google App store. What is not enterprise ready is the Google Authenticator app itself. I use Google Authenticator for every consumer application which supports it, but it would be a mistake for an organization to use it to protect employee access to networks.
TOTP is a standard protocol. There are multiple F/OSS apps that do it and are installable from F-Droid or buildable and deployable as an APK. The method of getting the app isn't important.
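The TOTP referred to in the thread (RFC 6238, built on the RFC 4226 HOTP construction) is small enough to show end to end, which also makes the U2F comparison above concrete: both the authenticator app and the verifier must hold the same secret, so whatever stores the server-side copy is what an attacker who reads that store obtains, whereas a U2F token's private key never leaves the hardware. The following is an added example, not code from the thread or from Google Authenticator or any other app. It assumes the RFC 4226 test seed as the provisioned shared secret, HMAC-SHA1 with 30-second steps (the defaults most apps use), and a hypothetical server-side `verify_totp` helper with a one-step clock-skew window and a replay check; the checks in `main` use the published RFC test vectors.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) worked example.

Added example, not code from the thread or from any authenticator app.
Assumptions: a shared secret already provisioned to both sides (here the
RFC 4226 test seed), HMAC-SHA1, a 30-second time step, and a hypothetical
verifier that tolerates +/-1 step of clock skew and refuses replays.
"""
import hashlib
import hmac
import struct
import time

# Reference seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret, candidate, now, window=1, step=30, digits=6,
                used_counters=None):
    """Hypothetical server-side check (not from any library).

    Accepts the code for the current step or any step within +/-window,
    compares in constant time, and records the matched counter so the same
    code cannot be accepted twice. Returns True on a fresh match."""
    counter = now // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if used_counters is not None and c in used_counters:
            continue                               # replay of an accepted code
        expected = hotp(secret, c, digits)
        if hmac.compare_digest(expected, candidate):
            if used_counters is not None:
                used_counters.add(c)
            return True
    return False


def main():
    # RFC 4226 Appendix D HOTP vectors (6 digits) and RFC 6238 Appendix B
    # TOTP vectors (SHA1, 8 digits) as a self-check of the implementation.
    assert [hotp(RFC_SEED, c) for c in range(3)] == ["755224", "287082", "359152"]
    assert totp(RFC_SEED, 59, digits=8) == "94287082"
    assert totp(RFC_SEED, 1111111109, digits=8) == "07081804"
    assert totp(RFC_SEED, 20000000000, digits=8) == "65353130"

    # Skew window and replay protection in action.
    used = set()
    code = totp(RFC_SEED, 59, digits=8)             # generated in step 1
    assert verify_totp(RFC_SEED, code, 89, digits=8, used_counters=used)   # step 2, window covers 1
    assert not verify_totp(RFC_SEED, code, 89, digits=8, used_counters=used)  # replay refused
    assert not verify_totp(RFC_SEED, code, 125, digits=8)                   # step 4, out of window

    print("current code for the RFC seed:", totp(RFC_SEED, int(time.time())))


if __name__ == "__main__":
    main()
```

Two design points worth noting for anyone deploying this rather than an app: the comparison uses `hmac.compare_digest` so a verifier does not leak how many digits matched, and the `used_counters` set is what stops a captured code from being replayed inside the skew window; in a real service that set (or the last accepted counter) has to live alongside the secret, which is exactly the shared server-side state the U2F comment above is contrasting against.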