Comments
At what point are you accessing this? Via SSH or web page login, etc.?
YubiKey is one option. Also, you can always add more time tokens.
If you are referring to SSH then try http://krypt.co + Google Auth PAM module.
It depends on what you are trying to do - are you thinking about adding a third-factor or are you thinking about using Duo in other ways?
Duo, Google Auth PAM, FreeOTP, Authy, etc., which are used for OS access, use a standard algorithm that uses a shared secret plus the current time to compute an OTP (one-time password). That algorithm is actually a standard, which is why you can use any TOTP-compliant authenticator to get the OTP. Another common standard is HOTP, which uses an HMAC instead. Generally speaking, most people use TOTP because the OTP is time sensitive and expires. I don't know much about how HOTP OTPs are used, but I am guessing that these are used for recovery keys since they are long lived.
If you decide to use a Yubikey with Duo, you would probably be using U2F which is also a standard.
Generally speaking, the advantage of using U2F is that it is a bit more secure. U2F uses a challenge-response mechanism, so it's not susceptible to attacks like phishing.
It really depends on your use case with Duo.
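As an added illustration of the OTP algorithms named in the post above (not code from any poster): the RFC 4226 HOTP computation, TOTP as HOTP with a counter derived from the clock, base32 decoding of the shared secret as authenticator apps provision it, and a server-side verifier that accepts a small clock-drift window and refuses to accept a counter it has already consumed. The secret value in the comments is the RFC test vector, not a real key; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(for_time: float, step: int = 30, t0: int = 0) -> int:
    """RFC 6238: the HOTP counter is simply the number of time steps elapsed since t0."""
    return int((for_time - t0) // step)


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter taken from the clock instead of a stored counter."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, totp_counter(for_time, step), digits, digestmod)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps carry the shared secret as base32 (otpauth:// URIs), often unpadded
    and grouped with spaces; normalise it before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accept codes within +/- window steps of the current one, and never
    accept a counter at or below the last one that succeeded, so a captured code that is still
    inside its 30-second step cannot be submitted a second time."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, candidate: str, for_time=None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = totp_counter(for_time, self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                          # already consumed or older: treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key
    rfc_secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_secret, 0))          # 755224 per RFC 4226
    print("TOTP at T=59 (8 digits):", totp(rfc_secret, for_time=59, digits=8))  # 94287082 per RFC 6238
    print("Current TOTP:", totp(rfc_secret))
```

The verifier keeps `last_counter` in memory only; a real PAM module or web login persists it per user (this is what the "disallow reuse" behaviour of the Google Authenticator PAM module does), and the drift window should stay at one step in each direction, since every extra step widens the set of codes an attacker could guess.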
3FA or 4FA
It's fine to support multiple 2FA systems (TOTP, SMS, U2F, Duo, etc.). Whether particular software actually does it is a separate question.
I am trying to add a third factor... thanks
You must have a fascinating threat model to need that.
How are you connecting to your servers? I'm guessing you are using SSH. If so, you could just require passphrase, public key, and Duo TOTP.
But most people would just suggest using a passphrase on the SSH private key. That would be a simpler approach.
I've never particularly found adding extra authentication factors to necessarily increase security. Plus, for it to be a useful third factor, you would need some other mechanism to generate that auth process.
I generally prefer using other layers instead. For example, you could set up a bastion host which requires VPN access and place your servers behind that perimeter. You could also implement ingress filtering to further limit remote access to only trusted networks.
A 3rd factor? Cable unplug should be one.
I hear you. Just a little paranoid.. I am starting to deploy production level, and it's kind of freaking me out.
To be honest, I have been using password-based login to SSH. I am switching to key-based. I will check out the passphrase option on the private key along with Duo.
Thanks again.
I tried it once, but the system is of no use... Haha. I understand nothing is more secure. I just need to trust what I have setup. Thanks
If you are using it for SSH login, then try http://krypt.co/.
Read more about it on their website. No one has access to the Private key.
Here is how I use it.
Have all VPS setup with two public keys under authorized_keys.
One from the krypt.co app and the other one (with a very long password) is for backup in case I lose the phone. (You can also set up another device with the krypt.co app if you want.)
Also, you can set up the Duo or Google Auth PAM module for the SSH server, which means that after SSH key authentication you also have to provide the token.
Also, you can set up multiple PAMs in SSH servers, so you can have several layers of authentication.
Private key, password, + Duo/Google Auth.
It is also common practice to restrict SSH access to only known IPs.
Or use a bastion/jump host.
Also use an uncommon SSH port.
A combination of these will significantly reduce the attack surface.
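The stacked SSH login described in the post above and in the earlier "passphrase, publickey, and duo TOTP" suggestion (key first, then password plus an OTP through PAM, with access limited to known source addresses and a non-default port), written out as an added configuration example; it is not configuration from any poster, and the user name, network, port and Debian-style PAM layout are assumptions:

```conf
# /etc/ssh/sshd_config  (AuthenticationMethods needs OpenSSH 6.2 or later)
PubkeyAuthentication yes
PasswordAuthentication no             # a bare password is never accepted on its own
ChallengeResponseAuthentication yes   # called KbdInteractiveAuthentication on OpenSSH 8.7+
UsePAM yes
# Every listed method must succeed, in this order: the key, then the whole PAM stack
AuthenticationMethods publickey,keyboard-interactive:pam
# Assumed admin account and trusted network; everything else is refused before any auth
AllowUsers admin@203.0.113.0/24
Port 2222

# /etc/pam.d/sshd  (Debian/Ubuntu layout; enable exactly one OTP module)
@include common-auth                          # keeps the account password as the second step
auth required pam_google_authenticator.so     # third step: TOTP from the user's ~/.google_authenticator
# or, with duo_unix installed instead:
# auth required pam_duo.so
```

Before restarting sshd, run `sshd -t` to catch syntax errors, make sure each allowed user has enrolled (for the Google module, run `google-authenticator` as that user; for Duo, the account must exist in the Duo admin panel), and keep an existing session open while you test a new login from a second terminal, because a mistake in this stack locks everyone out, including you.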
Interesting product. This isn't something that I would personally use because of how the ssh private key is managed but it's definitely a cool idea. I can see how this concept could be used for other applications that need key management though.