On 17/10/2013 01:21, Walter Dnes wrote:
> On Mon, Oct 14, 2013 at 10:45:10PM +0200, Alan McKinnon wrote
>
>> Access to my backend network is two-factor - ssh keys and decent
>> passwords.
>
> That is *NOT* Two-factor authentication. See
> http://en.wikipedia.org/wiki/Multi-factor_authentication for the
> details. Executive summary... Two-factor authentication requires you to
> present two authentication factors each time. I.e. it's A *AND* B.
> Your setup is A *OR* B. The usual implementations include 2 factors...
> 1) userID+password
> 2) a small credit-card-sized unit that generates random-looking
> multi-digit numbers that change every minute.
>
> In order to log on the user must enter both the userID+password combo
> *AND* the current number on the token card.
>

It's a poor choice of words on my part. We do have that exact two-factor
system to access the network via VPN, but that's just a portal.

Accessing the actual backend network is a two-stage process: ssh key to
the jump host, then password to get onto the actual destination.

So it's "two factor" as a generic English language phrase, not "two
factor" as a technical description of an exact thing. Keep in mind that
English is a highly overloaded language :-)

--
Alan McKinnon
alan.mckinnon@×××××.com
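
An added example, not part of either poster's message: the A *AND* B versus A *OR* B distinction from the quoted text, written as a login check in Python. It assumes the token follows RFC 4226/6238 (HOTP/TOTP) with a 60-second step; the hardware token described in the thread may use a different algorithm, and the account data and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: matches "numbers that change every minute"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_code(secret: bytes, now: float) -> str:
    """Time-based code: the counter is the number of whole steps since epoch."""
    return hotp(secret, int(now) // STEP_SECONDS)


def password_ok(stored: dict, password: str) -> bool:
    """Factor 1 (something you know): salted PBKDF2, constant-time compare."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), stored["salt"], 100_000)
    return hmac.compare_digest(derived, stored["hash"])


def token_ok(secret: bytes, code: str, now: float) -> bool:
    """Factor 2 (something you have): accept the current time step only."""
    return hmac.compare_digest(token_code(secret, now).encode(), code.encode())


def login_two_factor(user: dict, password: str, code: str, now: float) -> bool:
    """A AND B: check both so a failure does not reveal which factor was wrong."""
    a = password_ok(user["pw"], password)
    b = token_ok(user["token_secret"], code, now)
    return a and b


def login_either(user: dict, password: str, code: str, now: float) -> bool:
    """A OR B: still single-factor, since one stolen credential is enough."""
    return password_ok(user["pw"], password) or token_ok(user["token_secret"], code, now)


# Constructed sample account; the token secret is the RFC 4226 test key.
_SALT = b"constructed-salt"
USER = {
    "pw": {"salt": _SALT, "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)},
    "token_secret": b"12345678901234567890",
}
```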