Two-factor Authentication Options?
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Jul 15 14:10:00 EDT 2004
In the long run the Kerberos password is a problem because the human
brain does not obey Moore's law. As I see it the solution is to use
some form of two-factor authentication for the initial ticket exchange.
So what options are there in that space?
AFAIK none --- with the standard open source servers. There are
patches available for MIT to support CRYPTOcard and SecurID. There
are patches available for Heimdal to support X509 certificates
(PKINIT).
Anything else out there?
While I'm on the subject, let me throw out an idea: smart card
authentication that requires an existing tgt to authenticate. The user
first gets an ordinary tgt for smith at REALM. Then (s)he uses that tgt
in conjunction with the smart card (IF details unspecified) to
acquire a tgt for either smith/secure at REALM, or smith at SECURE.REALM.
This isn't the forum to discuss a new proposal, but maybe someone knows
of something?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu