[farmshare-discuss] Two-Factor Coming to Farmshare June 16th!

Zhiming Wang zmwang at stanford.edu
Wed Aug 19 12:01:38 PDT 2015


> On Aug 19, 2015, at 11:04 AM, Alex Chekholko <chekh at stanford.edu> wrote:

> You are correct that Duo is a proprietary application; unfortunately no equally convenient Free Software alternative exists at the moment.
> 
> Unfortunately the Android version of Google Authenticator doesn't seem to be Free Software either.

That's not entirely true though. Google Authenticator mobile apps might be proprietary, but the TOTP algorithm they use is an open standard (defined in RFC 6238). I can easily grab my secret key and write my own TOTP generator — I don't really need the Google Authenticator app (or Authy, or whatever) to authenticate. For beginners, there are readily available Python and Ruby solutions: just Google pyotp and rotp.

Meanwhile, although I know little about Duo Mobile, I'm pretty sure that it either doesn't use TOTP, or it uses it under the hood but we can't possibly extract the secret keys.

I don't want to argue about the security aspect of TOTP vs a proprietary solution, but I do want to be offered a TOTP option, which seems to be the industry standard anyway. Right now I'm using my good old TOTP secret key, but I feel for the new users who are forced to use Duo.

Best,
Zhiming

> On 8/19/15 10:24 AM, taltman wrote:
>> A note about the Duo App:
>> 
>> I have been successfully logging in to Corn using the open-source Google
>> Authenticator app for Android. I have not needed to download the Duo App.
>> 
>> How much do we know about the Duo app? Has it been audited? Does it
>> require excessive permissions/access to run on one's phone? Is it
>> sending personal information back to Duo the company?
>> 
>> I personally would advocate for people to use the Google Authenticator
>> app instead. Requiring all of Stanford FarmShare users to install
>> proprietary third-party software on their cellphones seems like a bad
>> policy.
>> 
>> My $0.02,
>> 
>> ~Tomer
>> 
>> 
>> 
>> On 6/11/15 11:30 AM, Addis O'Connor wrote:
>>> Dear Farmshare Community,
>>> 
>>> You may have noticed a new Message of the Day when logging on to
>>> Farmshare machines in the past month or so. It mentions our plan to
>>> enable Duo two-factor authentication on Farmshare machines on Tuesday,
>>> June 16th, immediately after the commencement freeze.
>>> 
>>> There will most definitely be a slight change in the way you login to
>>> farmshare, and our hope is to make that as smooth and painless as
>>> possible. We have updated our wiki page
>>> https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Main_Page#Duo_Two-Factor
>>> with information regarding how to use ssh shared tunnels and avoid
>>> having to use duo every time a new session is opened.
>>> 
>>> There are already a few machines that are already enforcing two-factor
>>> authentication, and we strongly encourage users to try logging in and
>>> test out the new authentication process. The two test machines are
>>> corn19 and corn37, and they are also set up to allow connections to each
>>> other without duo again after the initial connection.
>>> 
>>> This change has come about to ensure the integrity of Farmshare and keep
>>> our system protected from attackers. We hope this change will be
>>> welcomed and will ultimately provide a more secure system on which to do
>>> research.
>>> 
>>> We are happy to answer any questions you may have, and will be ready to
>>> assist any users with the new process if any issues may arise. Please
>>> send questions, comments, and/or issues to
>>> research-computing-support at stanford.edu.
>>> 
>>> Regards,
>>> --
>>> Addis O'Connor
>>> Stanford University
>>> Research Computing
>>> addiso at stanford.edu
>>> (650)529-5782
>>> 
>>> 
>>> _______________________________________________
>>> farmshare-discuss mailing list
>>> farmshare-discuss at lists.stanford.edu
>>> https://mailman.stanford.edu/mailman/listinfo/farmshare-discuss
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> farmshare-discuss mailing list
>> farmshare-discuss at lists.stanford.edu
>> https://mailman.stanford.edu/mailman/listinfo/farmshare-discuss
