OTP, deployability.

Nico Williams nico at cryptonector.com
Thu Jun 16 16:06:18 EDT 2011


On Thu, Jun 16, 2011 at 12:58 PM, Russ Allbery <rra at stanford.edu> wrote:
> "Roland C. Dowdeswell" <elric at imrryr.org> writes:
>>       6.  web browsers on iPhones, iPads, blackberries, etc. can't
>>           do Kerberos and likely connect to one or more systems that
>>           are likely to have the assumption that user+pass is the
>>           structure of authentication.
>
> Client-side certificates tied to a principal that isn't the user's basic
> principal but instead is a principal scoped to that device that can be
> separately revoked seem to be the way to go here.  The user really wants
> to just authenticate their phone, not themselves using their phone, for
> most things the user does (even if they don't realize that).
>
> That still leaves open the problem that, as you say, applications expect a
> username-password, but I wonder if you couldn't use the certificate on the
> phone and another app to generate the password that the application can
> use and then cut and paste it into the application.

Force the user to use VPN (most smartphones support VPN) if they want
to access internal services.  Use the phone's cert to authenticate the
phone at the edge.  Use password+OTP to authenticate the user,
possibly also at the edge, as well as at sensitive internal services.

Nico
--
