[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OTP or 2FA for Manager Account?

To: Howard Chu <hyc@symas.com>, openldap-technical@openldap.org
Subject: Re: OTP or 2FA for Manager Account?
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 18 May 2018 09:52:56 +0200
In-reply-to: <9f8e0a77-675b-a38b-35d6-c6b633a71d80@symas.com>
References: <CAAKHBKkiN932dxnZUtNxhaSUmD4eHHHxdDxxdbsRCA1U=HPS9w@mail.gmail.com> <96c7a190-22f8-b10b-777f-318df7a46218@stroeder.com> <9d3c4856-6672-76c8-c6b7-dc4eee478d77@daasi.de> <9f8e0a77-675b-a38b-35d6-c6b633a71d80@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3

Howard Chu wrote:

Am 15.05.2018 um 19:06 schrieb Michael Ströder:
Douglas Duckworth wrote:
Does OpenLDAP support use of one time passwords or 2FA for the Manager
account?
There are several solutions:

1. contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normalpassword by checking a generated TOTP value. So not really 2FA.
But certainly OTP, which is part of the original question. UnfortunatelyGoogle Authenticator only uses 6 digits. With a longer input, OTP issufficiently strong for most authentication purposes all by itself, noneed for a 2nd factor. (See S/Key, OPIE)

I strongly disagree: If the shared secret (or token) gets lost / stolenthere's no more authentication. I'd never use OTP alone.


Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- OTP or 2FA for Manager Account?
  - From: Douglas Duckworth <dod2014@med.cornell.edu>
- Re: OTP or 2FA for Manager Account?
  - From: Michael Ströder <michael@stroeder.com>
- Re: OTP or 2FA for Manager Account?
  - From: Peter <peter.gietz@daasi.de>
- Re: OTP or 2FA for Manager Account?
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: OTP or 2FA for Manager Account?
Next by Date: Re: pwdRESET not working
Index(es):
- Chronological
- Thread