Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[farmshare-discuss] Two-Factor Coming to Farmshare June 16th!

Alex Chekholko chekh at stanford.edu
Wed Aug 19 13:20:28 PDT 2015


Hi all,

I found some good notes about the differences between plain TOTP (e.g. 
Google Authenticator) and Duo Mobile here:

https://spaces.internet2.edu/display/InCFederation/2013/11/09/Mobile+Apps+for+OTP

So Duo has the regular TOTP functionality, just like Google 
Authenticator, just click the key icon in the Duo app and it will show 
you the TOTP code.  And I think you can use the Duo mobile app with any 
other TOTP system, just snap a picture of the QR code just like you 
would with Google Authenticator.

I think we also had some technical trouble integrating the regular 
Google implementation of TOTP with OpenSSH and PAM.

But it is true that the Duo Mobile application code is not Free 
Software.  Though their PAM integration code seems to be GPLv2:
https://github.com/duosecurity/duo_unix

You can file a HelpSU to category "Privacy and Information Security" if 
you would like to talk to someone from ISO.  Or maybe contact Duo and 
ask them to release the source of their mobile app under a Free license.

Regards,
Alex

On 08/19/2015 12:56 PM, Nan McKenna wrote:
> Hello:
>
> If you have concerns, you need to raise them with ISO - the Information Security Office, not with the Accounts Team. They selected the tool; the Accounts Team implemented and supports it.
>
> --Nan
>
> ________________________________________
> From: farmshare-discuss <farmshare-discuss-bounces at lists.stanford.edu> on behalf of Zhiming Wang <zmwang at stanford.edu>
> Sent: Wednesday, August 19, 2015 12:48 PM
> To: Open discussion for users of FarmShare
> Subject: Re: [farmshare-discuss] Two-Factor Coming to Farmshare June 16th!
>
>> On Aug 19, 2015, at 12:11 PM, Alex Chekholko <chekh at stanford.edu> wrote:
>>
>> On 8/19/15 12:01 PM, Zhiming Wang wrote:
>>> I don't want to argue about the security aspect of TOTP vs a proprietary
>>> solution, but I do want to be offered a TOTP option, which seems to be
>>> the industry standard anyway. Right now I'm using my good old TOTP
>>> secret key, but I feel for the new users who are forced to use Duo.
>>
>> Hi Zhiming,
>>
>> Our team (Stanford Research Computing) is a user of the services provided by the Stanford Accounts team, just like all our users.
>
> Yeah, sorry, I wasn't implying that your team is the one to blame. But it is possible to communicate our concerns to the Accounts team?
>
>> I haven't been through the two-step device configuration setup myself in a while; in what sense are users "forced to use Duo"?
>
> Quoting from https://itservices.stanford.edu/service/webauth/twostep:
>
>> Note: If you currently use Google Authenticator for your second factor you can continue to do so. However, you are no longer able to set up Google Authenticator on your smartphone or tablet. The Duo Mobile app is the preferred replacement.
>
> Best,
> Zhiming
>
> _______________________________________________
> farmshare-discuss mailing list
> farmshare-discuss at lists.stanford.edu
> https://mailman.stanford.edu/mailman/listinfo/farmshare-discuss
>

-- 
Alex Chekholko chekh at stanford.edu 347-401-4860



More information about the farmshare-discuss mailing list