Two-factor Authentication Options?

Henry B. Hotz hotz at jpl.nasa.gov
Thu Jul 15 14:10:00 EDT 2004


In the long run the Kerberos password is a problem because the human  
brain does not obey Moore's law.  As I see it the solution is to use  
some form of two-factor authentication for the initial ticket exchange.

So what options are there in that space?

AFAIK none --- with the standard open source servers.  There are
patches available for MIT to support CRYPTOcard and SecurID.  There
are patches available for Heimdal to support X509 certificates
(PKINIT).

Anything else out there?

While I'm on the subject, let me throw out an idea:  smart card
authentication that requires an existing tgt to authenticate.  The user
first gets an ordinary tgt for smith@REALM.  Then (s)he uses that tgt
in conjunction with the smart card (IF details unspecified) to
acquire a tgt for either smith/secure@REALM, or smith@SECURE.REALM.
This isn't the forum to discuss a new proposal, but maybe someone knows
of something?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu


