[farmshare-discuss] Two-Factor Coming to Farmshare June 16th!

taltman taltman1 at stanford.edu
Wed Aug 19 12:13:38 PDT 2015


Just to clarify, the app that I am using is indeed open source, as the
app package was downloaded from the FDroid repository (fdroid.org),
which only releases open source apps. It is simply a build of the Google
Authenticator open source code base, and works perfectly fine:

http://tinyurl.com/oo52mnm

My gripe is with the Duo app, not the entire Duo solution for 2FA for
Farmshare. What exactly does the Duo app do that a TOTP client like
Google Authenticator does not? Why does the FarmShare wiki page only
provide instructions for using the Duo app? It seems to imply that the
Duo app is essential, when it appears to be optional.

~Tomer


On 8/19/15 12:01 PM, Zhiming Wang wrote:
>> On Aug 19, 2015, at 11:04 AM, Alex Chekholko <chekh at stanford.edu
>> <mailto:chekh at stanford.edu>> wrote:
> 
>> You are correct that Duo is a proprietary application; unfortunately
>> no equally convenient Free Software alternative exists at the moment.
>>
>> Unfortunately the Android version of Google Authenticator doesn't seem
>> to be Free Software either.
> 
> That's not entirely true though. Google Authenticator mobile apps might
> be proprietary, but the TOTP algorithm they use is an open standard
> (defined in RFC 6238). I can easily grab my secret key and write my own
> TOTP generator — I don't really need the Google Authenticator app (or
> Authy, or whatever) to authenticate. For beginners, there are readily
> available Python and Ruby solutions: just Google pyotp and rotp.
> 
> Meanwhile, although I know little about Duo Mobile, I'm pretty sure that
> it either doesn't use TOTP, or it uses it under the hood but we can't
> possibly extract the secret keys.
> 
> I don't want to argue about the security aspect of TOTP vs a proprietary
> solution, but I do want to be offered a TOTP option, which seems to be
> the industry standard anyway. Right now I'm using my good old TOTP
> secret key, but I feel for the new users who are forced to use Duo.
> 
> Best,
> Zhiming
> 
>> On 8/19/15 10:24 AM, taltman wrote:
>>> A note about the Duo App:
>>>
>>> I have been successfully logging in to Corn using the open-source Google
>>> Authenticator app for Android. I have not needed to download the Duo App.
>>>
>>> How much do we know about the Duo app? Has it been audited? Does it
>>> require excessive permissions/access to run on one's phone? Is it
>>> sending personal information back to Duo the company?
>>>
>>> I personally would advocate for people to use the Google Authenticator
>>> app instead. Requiring all of Stanford FarmShare users to install
>>> proprietary third-party software on their cellphones seems like a bad
>>> policy.
>>>
>>> My $0.02,
>>>
>>> ~Tomer
>>>
>>>
>>>
>>> On 6/11/15 11:30 AM, Addis O'Connor wrote:
>>>> Dear Farmshare Community,
>>>>
>>>> You may have noticed a new Message of the Day when logging on to
>>>> Farmshare machines in the past month or so. It mentions our plan to
>>>> enable Duo two-factor authentication on Farmshare machines on Tuesday,
>>>> June 16th, immediately after the commencement freeze.
>>>>
>>>> There will most definitely be a slight change in the way you log in to
>>>> farmshare, and our hope is to make that as smooth and painless as
>>>> possible. We have updated our wiki page
>>>> https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Main_Page#Duo_Two-Factor
>>>> with information regarding how to use ssh shared tunnels and avoid
>>>> having to use duo every time a new session is opened.
>>>>
>>>> There are already a few machines that are already enforcing two-factor
>>>> authentication, and we strongly encourage users to try logging in and
>>>> test out the new authentication process. The two test machines are
>>>> corn19 and corn37, and they are also set up to allow connections to each
>>>> other without duo again after the initial connection.
>>>>
>>>> This change has come about to ensure the integrity of Farmshare and keep
>>>> our system protected from attackers. We hope this change will be
>>>> welcomed and will ultimately provide a more secure system on which to do
>>>> research.
>>>>
>>>> We are happy to answer any questions you may have, and will be ready to
>>>> assist any users with the new process if any issues may arise. Please
>>>> send questions, comments, and/or issues to
>>>> research-computing-support at stanford.edu.
>>>>
>>>> Regards,
>>>> --
>>>> Addis O'Connor
>>>> Stanford University
>>>> Research Computing
>>>> addiso at stanford.edu
>>>> (650)529-5782
>>>>
>>>>
>>>> _______________________________________________
>>>> farmshare-discuss mailing list
>>>> farmshare-discuss at lists.stanford.edu
>>>> https://mailman.stanford.edu/mailman/listinfo/farmshare-discuss
>>>>
>>>
>>>
>>>
> 
> 
> 
> 

-- 
----

Tomer Altman, PhD
Biomedical Informatics

---

Encrypted email preferred.
http://taltman.sdf.org/public_key.asc
Key fingerprint = DFE8 7D60 D452 9C4F 5D1F  7515 F55F BB30 1719 7991

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.stanford.edu/pipermail/farmshare-discuss/attachments/20150819/7aafdfa9/attachment.asc>