Comment by bubblethink

7 years ago

Your response is too long, so I'll address only a few points:

>Perhaps if you tried working for a big company or a university and began to understand the scale of the things they deal with in regards to identity and access management

I manage my lab's freeipa setup. It lets you manage TOTP tokens. I think it also allows yubikeys, but I haven't checked. It may not be as full-fledged as other offerings, but you can manage. The university pays several vendors for different sets of services (MS for AD, RedHat for servers, Duo for 2FA etc.) Right now, Duo may be preferred, but there is nothing stopping you from paying RH for a freeipa+totp solution. Vote with your wallet and all that.

>This is not quite true.

It is. The threat model is different. It's about replaying the 2FA token. That's the whole argument against TOTP/HOTP.

> it would be the absence of a working push

The phishing site can generate a working push. It just logs in to the real site at the same time with your first factor, which generates the push.
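The relay described in this comment, as an added in-process simulation (not code from the thread, from FreeIPA or from Duo): a toy "real site" accepts password plus TOTP, or password plus an approved push; the "phishing site" forwards whatever the victim types the moment it arrives, so the TOTP code is still inside its 30 s window and the attacker's own login attempt is what makes the push fire. The user name, password and TOTP seed are constructed for the demo. A third scenario replays the same code two steps later, to show that the attack only works live, not as an offline replay.

```python
"""Real-time phishing relay against TOTP and push 2FA (in-process simulation).

Added example, not from the original thread or any vendor. RealSite,
PhishingSite and Phone are toy stand-ins; credentials and seed are constructed.
"""
import hashlib, hmac, secrets, struct, time


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the scheme FreeIPA tokens use."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Phone:
    """Victim's phone: a TOTP app plus a push client that approves prompts."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.prompts = []

    def code(self, now: int) -> str:
        return totp(self.seed, now)

    def approve_pending(self, site) -> None:
        for cid in self.prompts:          # victim taps "Approve" on each prompt
            site.push_approve(cid)
        self.prompts.clear()


class RealSite:
    """The legitimate service. It cannot tell who typed the credentials."""

    def __init__(self, user: str, password: str, seed: bytes, phone: Phone):
        self.user, self.password, self.seed, self.phone = user, password, seed, phone
        self.pushes = {}                   # challenge id -> approved?

    def _first_factor_ok(self, user: str, password: str) -> bool:
        return user == self.user and hmac.compare_digest(password, self.password)

    def login_totp(self, user: str, password: str, code: str, now: int):
        """Any code valid for the current step is accepted, whatever its origin."""
        if not self._first_factor_ok(user, password):
            return None
        if not hmac.compare_digest(code, totp(self.seed, now)):
            return None
        return "session-" + secrets.token_hex(8)

    def login_push(self, user: str, password: str):
        """First factor only; success sends a push to the enrolled phone."""
        if not self._first_factor_ok(user, password):
            return None
        cid = secrets.token_hex(8)
        self.pushes[cid] = False
        self.phone.prompts.append(cid)
        return cid

    def push_approve(self, cid: str) -> None:
        if cid in self.pushes:
            self.pushes[cid] = True

    def finish_push(self, cid: str):
        return "session-" + secrets.token_hex(8) if self.pushes.get(cid) else None


class PhishingSite:
    """Attacker-in-the-middle: forwards what the victim types, immediately."""

    def __init__(self, real: RealSite):
        self.real, self.cid = real, None

    def victim_typed_totp(self, user, password, code, now):
        return self.real.login_totp(user, password, code, now)  # still in window

    def victim_typed_password(self, user, password) -> bool:
        self.cid = self.real.login_push(user, password)          # this fires the push
        return self.cid is not None

    def harvest_after_approval(self):
        return self.real.finish_push(self.cid)


def run_demo(now=None) -> dict:
    now = int(time.time()) if now is None else now
    seed = b"constructed-demo-seed-not-a-real-token"   # constructed, not a real enrolment
    phone = Phone(seed)
    real = RealSite("alice", "correct horse", seed, phone)

    # 1. TOTP: victim enters password and the code on the phone; relayed live.
    totp_session = PhishingSite(real).victim_typed_totp(
        "alice", "correct horse", phone.code(now), now)

    # 2. Push: the relayed login generates a push; the victim approves it.
    phish = PhishingSite(real)
    phish.victim_typed_password("alice", "correct horse")
    phone.approve_pending(real)
    push_session = phish.harvest_after_approval()

    # 3. The same TOTP code two steps later is an offline replay, and fails.
    late_session = PhishingSite(real).victim_typed_totp(
        "alice", "correct horse", phone.code(now), now + 60)

    return {"totp_relayed": totp_session is not None,
            "push_relayed": push_session is not None,
            "late_replay": late_session is not None}


if __name__ == "__main__":
    print(run_demo())
```

Nothing in either factor binds the code or the approval to the page the victim is looking at, which is why the relay succeeds; a YubiKey used as an origin-bound (U2F/WebAuthn) authenticator would sign the phishing site's origin, and the real site would reject that.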

> Your response is too long

Rude. Go ahead and run your small computer lab and pretend you're dealing with issues on the scale that companies with thousands or tens of thousands of employees do. They're absolutely choosing the cheaper option when going with a managed provider vs. your hacked-together TOTP solution.

  • There is nothing hacked together in this. If you are not aware, freeipa (called idm downstream by RedHat) is a pretty full featured solution which is more or less a replacement for AD if your clients are unix based. And RedHat will absolutely support your scale requirements. It is mostly that AD is a lock-in in itself due to Windows, and Duo will work better with AD, whereas idm/freeipa does not have a standalone 2FA product that would work with AD.

    • > more or less a replacement for AD if your clients are unix based

      Few people are lucky (?) enough to support a purely unix environment. AD is not expensive when it comes to enterprise-scale projects and plenty of things simply require it for proper support, so I've never seen an enterprise that doesn't have it. I have seen enterprises with classic non-AD pre-Windows-2000 LDAP integrated alongside AD, but usually just as a legacy thing that's too hard to remove.

      Considering the amount of resources available to help with AD vs. the amount you'd need to be able to support a 3rd party solution, it should be no surprise MS still has a stranglehold on this. What's more surprising is how badly they've fumbled the use of Azure AD, SSO, ADFS, etc. as real solutions compared to the cloud-first vendors like OneLogin, Duo, Centrify, etc.