
Multi-factor authentication

Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.

Background: Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requester is presenting false evidence of its identity. Two-factor authentication is often confused with other forms of authentication.

Hard, Soft, or Smart? Evaluating the Two-Factor Authentication Options - Infosecurity Magazine

First, let's cover the basics. Two-factor authentication (2FA) is where a user's credentials are made up of two independent factors, such as:

- Something you know (PIN, simple password, alpha-numeric password, alpha-numeric password with special characters, secret questions, passphrase);
- Something you have (keyfob token, key, debit card, smartcard, mobile phone); or
- Something you are (biometric data, such as fingerprint, retina, iris, face, veins, DNA, voiceprint, hand, typical usage patterns).

Admittedly, this is elementary information that many of you reading this already know. Nevertheless, defining the concept from the outset serves to reinforce your previous education.

Hardware Tokens: The tried and tested combination used by countless organizations is the hardware keyfob token (something you have) and a secret PIN (something you know). One type is the one-time password (OTP) keyfob, which is typically carried on your key ring and displays a pseudo-random number that changes periodically.

Collective Software | AuthLite: Affordable Two-factor Authentication for Windows Active Directory

RFC 2289 - A One-Time Password System
Network Working Group, Standards Track (Internet Standard). N. Haller (Bellcore), C. Metz (Kaman Sciences Corporation), P. Nesser (Nesser & Nesser Consulting), M. Straw (Bellcore). February 1998. Obsoletes RFC 1938.

Status of this Memo: This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements.

This document describes a one-time password authentication system (OTP). One form of attack on networked computing systems is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of legitimate users. [...] or during pass-phrase changes. There are two entities in the operation of the OTP one-time password system. In this document, the words that are used to define the significance of each particular requirement are usually capitalized.

RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm
Network Working Group, Informational (errata exist). D. M'Raihi (VeriSign) et al. December 2005.

The document introduces first the context around an algorithm that generates one-time password values based on HMAC [BCK1] and, thus, is named the HMAC-Based One-Time Password (HOTP) algorithm. Today, deployment of two-factor authentication remains extremely limited in scope and scale. [...] forms of authentication such as Public-Key Infrastructure (PKI) or biometrics, because an air-gap device does not require the installation of any client desktop software on the user machine, therefore allowing users to roam across multiple machines including home computers, kiosks, and personal digital assistants.

Misc/OPIEandSKey - IetfngPub

Introduction: Often, you will want to log in to a computer you control from a less-than-fully-trusted device (i.e. one that may be keylogging). If you don't have a Factotum in your pocket, or the ability to do RSA in your head, this can pose a challenge. One answer, developed by Bell Labs, is S/KEY, a one-time password protocol. (Please note: this page is not intended to be comprehensive; you will have to RTFM if you want more than to copy my setup.)

How does S/Key work? Wikipedia can answer this better than I can, but here's a summary. To make this go, first, you have an S/Key calculator program which takes four things:

- A seed (something like En3829; by default it's the first two letters of the host name and a pseudorandom number)
- The index of the top of the chain
- A secret passphrase
- A count of the number of passwords to generate

You then tell the server that you wish to set your password, and it, or you, provides:

- A seed
- The index of the top of the chain

Setting it up: install OPIE, then set up OPIE.

Crypt::SKey - Perl S/Key calculator

    # Perl API: compute one password, or a list of $count passwords
    use Crypt::SKey qw(compute);
    $output = compute($sequence_num, $seed, $password);
    @output = compute($sequence_num, $seed, $password, $count);

    # Command-line use: sequence number 500, seed fo099804
    perl -MCrypt::SKey -e key 500 fo099804
    perl -MCrypt::SKey -e key 500 fo099804 100
    perl -MCrypt::SKey=key_md4 -e key_md4 500 fo099804
    alias key 'perl -MCrypt::SKey -e key'
    key 500 fo099804

This module contains a simple S/Key calculator (as described in RFC 1760) implemented in Perl. It exports the function key by default, and may optionally export the function compute. compute_md4, compute_md5, key_md4, and key_md5 are provided as convenience functions for selecting either MD4 or MD5 hashes. Most S/Key systems use MD4 hashing, but a few (notably OPIE) use MD5.

Follow the usual steps for installing any Perl module:

    perl Makefile.PL
    make test
    make install

Functions:

    compute($sequence_num, $seed, $password [, $count])
    compute_md4($sequence_num, $seed, $password [, $count])
    compute_md5($sequence_num, $seed, $password [, $count])
    key()

Introduction to Moonshot - Moonshot - Moonshot Wiki

Moonshot is a single, unifying technology for extending the benefits of federated identity to a broad range of non-web services, including cloud infrastructures, high performance computing & grid infrastructures, and other commonly deployed services including mail, file store, remote access, and instant messaging. It is a secure and flexible means by which people can use the credentials issued to them by their home organisation to authenticate to a wide variety of systems, services, and applications, and all in a manner that gives these users Single Sign On (SSO). Moonshot builds on deployed, proven technology, including:

- Strong authentication as used by eduroam (EAP/RADIUS);
- Strong authorisation as used by many national federations (SAML); and
- Strong service/application integration as used by many major applications (operating system security APIs).

Overview of Moonshot Components - Moonshot - Moonshot Wiki

At the highest level, Moonshot consists of three main components and the interactions between them over specific protocols:

- Client
- Relying Party (RP)
- Identity Provider (IdP)

Client: The Client consists of the parts of the software on the user's device (e.g., laptop) that make up both the start and end point of a Moonshot transaction. A request starts with the Client sending a session request to the Service (Relying Party) and includes an identity selection mechanism that enables the user to choose which identity to use at the Service.

Relying Party (RP): The RP is essentially the Service that the Client attempts to connect to. It consists of:

- The Service itself
- The Relying Party Proxy (RP Proxy)

The Service is the home of the resource that the user is attempting to connect to; most commonly, some server software or a gateway to computing resources (e.g., an OpenSSH or Microsoft Exchange server).

OTPW – a one-time password login package
Markus Kuhn, Computer Laboratory, University of Cambridge. Latest release: Version 1.5, 2014-08-07.

Abstract: The OTPW package consists of the one-time-password generator otpw-gen plus two verification routines, otpw_prepare() and otpw_verify(), that can easily be added to programs such as login or ftpd on POSIX systems. For platforms that support the Pluggable Authentication Method (PAM) interface, a suitable wrapper is included as well.

Introduction: A well-known classic vulnerability of the Internet application protocol suite is the frequent cleartext transfer of passwords in the telnet, rsh, and ftp protocols. However, traveling computer users often want to connect to their home system via untrusted terminals at conference hotels, other universities, and airports, where trusted encryption software is not available. A widely known one-time-password scheme is S/KEY [Hal94, HM96].

How it works: A user who wants to set up the one-time-password capability just executes the otpw-gen program.

Security | New IT Farmer

Apache Hadoop is equipped with a robust and scalable security infrastructure. It is being used at some of the biggest cluster installations in the world, where hundreds of terabytes of sensitive and critical data are processed every day. Owen O'Malley provided a nice overview of Apache Hadoop security in his blog Motivations for Apache Hadoop Security. The intent of this blog is to cover some of the features of the Apache Hadoop security infrastructure that will help cluster administrators fine-tune the security settings of their clusters.

Quality of Protection: The security infrastructure for Hadoop RPC uses the Java SASL APIs. Java SASL provides the following QOP settings: "auth" – the default setting, which stands for authentication only. Hadoop lets cluster administrators control the quality of protection via the configuration parameter "" in core-site.xml.

Making Windows Usable

Some of us can't avoid using Windows, whether for work or for software that won't run elsewhere. But there are things one can do to make using Windows more bearable. I've compiled here the steps I typically take to transform a Windows box into something a little more usable, with things we take for granted on other operating systems: powerful command-line tools, remote access, etc. The most important software to install is cygwin, which provides both a set of UNIX tools and a set of UNIX compatibility libraries. IMO, Windows is completely unusable without cygwin's shells and utilities, in particular bash, perl, ssh, sshd, rsync, grep, and awk.

Installing cygwin: Install cygwin by running setup.exe from [...] If you plan on installing cygwin on multiple machines and do not want every package, you should download the packages you want locally.

Mounts: Cygwin's current mounts can be displayed with the mount command:

    # create the mount point and mount drive C: on it
    mkdir /c; mount c: /c
    # the resulting entry as listed by mount
    c:/ /c ntfs binary,posix=0,user 0 0

Tokyo Cabinet: a modern implementation of DBM
Copyright (C) 2006-2011 FAL Labs. Last Update: Thu, 05 Aug 2010 15:05:11 +0900. BTW, do you know Kyoto Cabinet?

Overview: Tokyo Cabinet is a library of routines for managing a database. Tokyo Cabinet is developed as the successor of GDBM and QDBM for the following purposes:

- improves space efficiency: smaller database file
- improves time efficiency: faster processing speed
- improves parallelism: higher performance in multi-thread environments
- improves usability: simplified API
- improves robustness: the database file is not corrupted even under catastrophic situations
- supports 64-bit architecture: enormous memory space and database files are available

Tokyo Cabinet is written in the C language, and provided as APIs for C, Perl, Ruby, Java, and Lua.

Documents: Fundamental Specifications. Packages: the source packages of Tokyo Cabinet. Related Packages. Information: Tokyo Cabinet was written and is maintained by FAL Labs.