Multiple 2FA on a system?

I currently use Duo for connecting to my systems. Its working great.

Are there any additional systems available which provide 2fa in addition to Duo?

Is it even possible to have additional 2fa available which can be used in conjunction with Duo?

Thanks.

Comments

  • At what point are you accessing this? Via SSH or web page login? etc...

    YubiKey is one option. Also, you can always add more time tokens.
    If you are referring to SSH, then try http://krypt.co + Google Auth PAM module.

  • @plumberg said:
    Is it even possible to have additional 2fa available which can be used in conjunction with Duo?

    It depends on what you are trying to do - are you thinking about adding a third-factor or are you thinking about using Duo in other ways?

    Duo, Google Auth PAM, FreeOTP, Authy, etc., which are used for OS access, use a standard algorithm that uses a shared secret plus the current time to compute an OTP (one-time password). That algorithm is actually a standard, which is why you can use any TOTP-compliant authenticator to get the OTP. Another common standard is HOTP, which uses an HMAC instead. Generally speaking, most people use TOTP because the OTP is time sensitive and expires. I don't know much about how HOTP OTPs are used, but I am guessing that these are used for recovery keys since they are long lived.

    If you decide to use a Yubikey with Duo, you would probably be using U2F which is also a standard.

    Generally speaking, the advantage of using U2F is that it is a bit more secure. U2F uses a challenge-response mechanism, so it's not susceptible to attacks like phishing.

    It really depends on your use case with Duo.

  • MrH Member

    3FA or 4FA

  • willie Member, Moderator

    It's fine to support multiple 2FA systems (TOTP, SMS, U2F, Duo, etc.). Whether particular software actually does it is a separate question.

  • @birchbeer said:

    @plumberg said:
    Is it even possible to have additional 2fa available which can be used in conjunction with Duo?

    It depends on what you are trying to do - are you thinking about adding a third-factor or are you thinking about using Duo in other ways?

    I am trying to add a third factor... thanks

  • @plumberg said:
    I am trying to add a third factor... thanks

    You must have a fascinating threat model to need that.

    How are you connecting to your servers? I'm guessing you are using ssh - if so - you could just require passphrase, publickey, and duo TOTP.

    But most people would just suggest using a passphrase on the ssh private key. That would be a simpler approach.

    I've never particularly found adding extra authentication factors to necessarily increase security. Plus, for it to be a useful third factor, you would need some other mechanism to generate that auth process.

    I generally prefer using other layers instead. For example, you could set up a bastion host which requires VPN access and place your servers behind that perimeter. You could also implement ingress filtering to further limit remote access to only those networks which are trusted.

  • deank Member

    A 3rd factor? Cable unplug should be one.

    LET has IPv6 enabled. This is a clear sign of the end coming near.

  • @birchbeer said:

    @plumberg said:
    I am trying to add a third factor... thanks

    You must have a fascinating threat model to need that.

    How are you connecting to your servers? I'm guessing you are using ssh - if so - you could just require passphrase, publickey, and duo TOTP.

    But most people would just suggest using a passphrase on the ssh private key. That would be a simpler approach.

    I've never particularly found adding extra authentication factors to necessarily increase security. Plus, for it to be a useful third factor, you would need some other mechanism to generate that auth process.

    I generally prefer using other layers instead. For example, you could set up a bastion host which requires VPN access and place your servers behind that perimeter. You could also implement ingress filtering to further limit remote access to only those networks which are trusted.

    I hear you. Just a little paranoid.. I am starting to deploy production level, and it's kind of freaking me out.

    To be honest, I have been using password-based login to SSH. I am switching to key-based. I will check out the passphrase option on the private key along with Duo.

    Thanks again.

  • @deank said:
    A 3rd factor? Cable unplug should be one.

    I tried it once, but the system is of no use... Haha. I understand nothing is more secure. I just need to trust what I have setup. Thanks

  • letrocks Member
    edited August 7

    @plumberg said:
    I hear you. Just a little paranoid.. I am starting to deploy production level, and it's kind of freaking me out.

    To be honest, I have been using password-based login to SSH. I am switching to key-based. I will check out the passphrase option on the private key along with Duo.

    If you are using it for SSH login, then try http://krypt.co/.
    Read more about it on their website. No one has access to the Private key.

    Here is how I use it.
    Have all VPS set up with two public keys under authorized_keys.
    One from the krypt.co app, and the other one (with a very long password) is for backup in case I lose the phone. (You can also set up another device with the krypt.co app if you want.)

    Also, you can set up the Duo or Google Auth PAM module for the SSH server, which means that after SSH key authentication, you also have to provide the token.

    Also, you can set up multiple PAMs in SSH servers, so you can have several layers of authentication.
    Private key, password, + Duo/Google Auth.

    It is also common practice to restrict SSH access to only known IPs.
    Or use a bastion/jump host.
    Also use a non-common SSH port.
    A combination of these two will significantly reduce the attack surface.

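
The two SSH setups recommended in this thread (@birchbeer's "publickey plus Duo TOTP" and @letrocks' "private key, then a PAM token, behind a known-IP restriction") both come down to one `sshd_config` property: there must be no path into the box that needs less than a key and a PAM-backed second factor. Here is an added example, written for this page and not from the thread or from OpenSSH, that parses `sshd_config` text and reports every deviation from that property. The three configs are constructed samples, not from any real host: the first is the password-only state @plumberg describes, the second is the key-then-PAM chain, and the third adds a `Match Address` relaxation for a "trusted" network (203.0.113.0/24, a documentation range) to show why Match blocks have to be audited as the merged settings a matching connection actually receives. The PAM module names in the comments (`pam_duo.so`, `pam_google_authenticator.so`) are the modules the thread refers to; which one the host loads is outside the file this checker reads.

```python
from typing import Dict, Iterator, List, Tuple

Section = Tuple[str, Dict[str, str]]   # (context label, keyword -> first value seen)

# Constructed sample configs, not taken from the thread or from any real host.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
# Every session must complete BOTH methods, in order: the key, then the PAM stack
# (/etc/pam.d/sshd carrying e.g. pam_duo.so or pam_google_authenticator.so).
AuthenticationMethods publickey,keyboard-interactive:pam
"""

# Same file plus a relaxation for a "trusted" network (203.0.113.0/24 is a
# documentation range): connections from there would get in with the key alone.
RELAXED_SSHD_CONFIG = HARDENED_SSHD_CONFIG + """\
Match Address 203.0.113.0/24
    AuthenticationMethods publickey
"""


def parse_sshd_config(text: str) -> List[Section]:
    """Split an sshd_config into the global section plus one section per Match block.
    As in sshd, the first value seen for a keyword inside a section wins."""
    sections: List[Section] = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)    # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            sections.append((f"Match {value}", {}))
            continue
        sections[-1][1].setdefault(keyword, value)
    return sections


def effective_settings(sections: List[Section]) -> Iterator[Section]:
    """Yield the global section, then each Match block layered over the global values,
    which is what a connection matching that block actually gets."""
    global_settings = sections[0][1]
    yield sections[0]
    for label, overrides in sections[1:]:
        yield label, {**global_settings, **overrides}


def audit(config_text: str) -> List[str]:
    """Return one finding per deviation from 'key plus PAM second factor, nothing weaker'."""
    findings: List[str] = []
    for label, s in effective_settings(parse_sshd_config(config_text)):
        def flag(msg: str) -> None:
            findings.append(f"[{label}] {msg}")

        if s.get("passwordauthentication", "yes").lower() != "no":
            flag("PasswordAuthentication is not 'no': password guessing remains possible")
        if s.get("permitrootlogin", "prohibit-password").lower() != "no":
            flag("PermitRootLogin should be 'no'")
        methods = s.get("authenticationmethods", "")
        if not methods:
            flag("AuthenticationMethods unset: any single enabled method logs the user in")
            continue
        needs_kbd = False
        # Space-separated entries are alternatives (OR); commas inside one entry form a chain (AND).
        for alternative in methods.split():
            chain = [m.split(":", 1)[0] for m in alternative.split(",")]
            if "publickey" not in chain or len(set(chain)) < 2:
                flag(f"alternative '{alternative}' does not require a key plus a second factor")
            needs_kbd = needs_kbd or "keyboard-interactive" in chain
        if needs_kbd:
            kbd = s.get("kbdinteractiveauthentication",
                        s.get("challengeresponseauthentication", "yes")).lower()
            if kbd != "yes" or s.get("usepam", "no").lower() != "yes":
                flag("keyboard-interactive is required but KbdInteractiveAuthentication/UsePAM are not both 'yes'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG),
                      ("relaxed", RELAXED_SSHD_CONFIG)):
        result = audit(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for finding in result:
            print("  ", finding)
```

To run it against a live host, feed it the file sshd really loads (`audit(open("/etc/ssh/sshd_config").read())`) or, better, the effective configuration that `sshd -T` prints, since that already has includes and defaults resolved. The checker deliberately cannot see the PAM side: `keyboard-interactive:pam` only means "ask the PAM stack", so `/etc/pam.d/sshd` still has to contain an `auth required` line for the OTP module, and a password-only PAM stack would pass this audit while giving you the password-plus-key setup rather than a real token.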
  • birchbeer Member
    edited August 9

    @letrocks said:
    If you are using it for SSH login, then try http://krypt.co/.
    Read more about it on their website. No one has access to the Private key.

    Interesting product. This isn't something that I would personally use because of how the ssh private key is managed but it's definitely a cool idea. I can see how this concept could be used for other applications that need key management though.
