Search Mailing List Archives
[farmshare-discuss] Two-Factor Coming to Farmshare June 16th!
chekh at stanford.edu
Wed Aug 19 13:20:28 PDT 2015
I found some good notes about the differences between plain TOTP (e.g.
Google Authenticator) and Duo Mobile here:
So Duo has the regular TOTP functionality, just like Google
Authenticator, just click the key icon in the Duo app and it will show
you the TOTP code. And I think you can use the Duo mobile app with any
other TOTP system, just snap a picture of the QR code just like you
would with Google Authenticator.
I think we also had some technical trouble integrating the regular
Google implementation of TOTP with OpenSSH and PAM.
But it is true that the Duo Mobile application code is not Free
Software. Though their PAM integration code seems to be GPLv2:
You can file a HelpSU to category "Privacy and Information Security" if
you would like to talk to someone from ISO. Or maybe contact Duo and
ask them to release the source of their mobile app under a Free license.
On 08/19/2015 12:56 PM, Nan McKenna wrote:
> If you have concerns, you need to raise them with ISO - the Information Security Office, not with the Accounts Team. They selected the tool; the Accounts Team implemented and supports it.
> From: farmshare-discuss <farmshare-discuss-bounces at lists.stanford.edu> on behalf of Zhiming Wang <zmwang at stanford.edu>
> Sent: Wednesday, August 19, 2015 12:48 PM
> To: Open discussion for users of FarmShare
> Subject: Re: [farmshare-discuss] Two-Factor Coming to Farmshare June 16th!
>> On Aug 19, 2015, at 12:11 PM, Alex Chekholko <chekh at stanford.edu> wrote:
>> On 8/19/15 12:01 PM, Zhiming Wang wrote:
>>> I don't want to argue about the security aspect of TOTP vs a proprietary
>>> solution, but I do want to be offered a TOTP option, which seems to be
>>> the industry standard anyway. Right now I'm using my good old TOTP
>>> secret key, but I feel for the new users who are forced to use Duo.
>> Hi Zhiming,
>> Our team (Stanford Research Computing) is a user of the services provided by the Stanford Accounts team, just like all our users.
> Yeah, sorry, I wasn't implying that your team is the one to blame. But it is possible to communicate our concerns to the Accounts team?
>> I haven't been through the two-step device configuration setup myself in a while; in what sense are users "forced to use Duo"?
> Quoting from https://itservices.stanford.edu/service/webauth/twostep:
>> Note: If you currently use Google Authenticator for your second factor you can continue to do so. However, you are no longer able to set up Google Authenticator on your smartphone or tablet. The Duo Mobile app is the preferred replacement.
> farmshare-discuss mailing list
> farmshare-discuss at lists.stanford.edu
Alex Chekholko chekh at stanford.edu 347-401-4860
More information about the farmshare-discuss