On Mon, 2011-10-17 at 22:50 +0100, Tristan Santore wrote:
> On 17/10/11 22:11, seth vidal wrote:
> > The biggest problems with the yubikeys is:
> > 1. getting them into people's hands
> > 2. getting another one into their hands when they lose or break the
> > last one.
> > 3. the company who makes them being relatively small and afaict the
> > only company who makes them.
> > 4. kinda fiddly.
>
> I find those reasons a bit odd. In response:
>
> 1. Just mail them to people or let them buy one and configure them
> themselves. We send swag to people, so there should be finance for the
> most integral part, to what fedora does, that is build packages and
> build the OS. So, for the sake of postage, which probably just is a
> stamp, as the yubikeys are so light, this should not be a problem.

Again - it is not a problem of shipping them - it is the dead time until
you get your key in the event of loss.

> 2. Same as above, besides the fact, that they are virtually indestructible!

Have you actually used them? They are FAR from indestructible.

> 3. Yes, they are the only company, but they adhere to open standards,
> apart from the Symantec VIP option, but even that Yubikey, can just be
> reprogrammed.

open standards, sure - but you still have to have a single-source of the
actual hw.

> Also see:
> http://yubico.com/oath-yubikey
>
> 4. What is so fiddly about pressing a "button"?

Have you used them? I'd say it is extremely fiddly.

> Further, any security system that is contained within an operating
> system, as with ios, android, etc.. has to be deemed suspicious, a
> device could be hijacked.
> Also, even with the YubiKey, there should still be a password the user
> has/knows. That is the only way to ensure the person is who they claim
> to be, and not just in the possession of a token.

right - that's the 'something you know' in 2 factor auth.

> Another option is OpenPGP cards, but then our users would have to have
> or purchase a card writer/reader, and have it available.

yes - exactly - and it is another level of complexity to explain to users.

> Any system has a USB port + the yubikey fits on a key chain. I
> personally keep a few of them on there, and they haven't even got a
> scratch yet.

1. I call foul on 'any system has a usb port' - some don't and depending
on what/who we're authenticating that could matter.

2. I'm glad you are happy with them. I do not believe that is universally so.

> In terms of OpenPGP cards, that also could still mean that people keep
> their keys flying about on their system, and potentially, if FI sent
> them cards, they could lock themselves out, by using the wrong pin 3
> times, requiring the admin pin to unlock the card again.

which is a strike against those cards, imo.

> Another thing I like about yubikeys is, that you can run your own api
> for the key validator, and the backend storing the keys. Surely, due to
> the nature of what we do, this should not be left to a third party!
> Especially, if they host this themselves and then nobody can get back
> into the systems. I could not from a glance see, how google makes this
> work.

There are no 3rd parties in use for the google-authenticator 2fa pam
module and OTP-app. Go look at how the code works.

-sv

_______________________________________________
infrastructure mailing list
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
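The "no 3rd parties" point above, shown as an added example that is not code from the list or from the google-authenticator project: an RFC 4226/6238 HOTP/TOTP check done entirely on the verifying host with a shared secret, a small clock-skew window, and refusal of already-used steps. The secret is the RFC reference test secret, and the window size and last-used-step bookkeeping are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
# A real deployment stores a per-user random secret on the server instead.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_used_step: int, window: int = 1):
    """Check `code` against the current step +/- `window` steps of skew.
    Steps at or before `last_used_step` are refused, so a code that was
    observed once cannot be presented again (the token proof is single-use).
    Returns the accepted step (persist it as the new last_used_step; note
    step 0 is a valid, falsy value, so callers test `is None`) or None."""
    current = unix_time // TIME_STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        # Constant-time compare so the check does not leak partial matches.
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


if __name__ == "__main__":
    t = 59  # RFC 6238 vector: the 8-digit code at T=59 is 94287082
    print(totp(RFC_TEST_SECRET, t, digits=8))
    accepted = verify_totp(RFC_TEST_SECRET, "287082", t, last_used_step=-1)
    print("accepted step:", accepted)
    print("reuse:", verify_totp(RFC_TEST_SECRET, "287082", t, accepted))
```

Nothing here calls out to a network service; the only state the verifier needs is the user's secret and the last accepted step, which is what lets a PAM module of this kind run on the host itself.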