|
|
Subscribe / Log in / New account

Google Authenticator for multi-factor authentication

December 7, 2011

This article was contributed by Nathan Willis

The security-conscious will tell you that a multi-factor authentication scheme involves requiring items from two or more of the categories "things you know," "things you have," and "things you are." Passwords and passphrases both fall under the "things you know" umbrella, and while there are commercially viable options for the latter two categories — security dongles and biometric fingerprint scanners, for example — neither have taken off with the general public. Partly that is a cost issue, to be sure, but the complexity of public-key infrastructure (PKI) smart cards does not help, either.

Late in 2010, however, Google unveiled an open source project called Google Authenticator that allowed the common smartphone to serve as the "thing you have" factor. The search giant subsequently rolled out support for the scheme for its web applications, but its standards-based functionality and Pluggable Authentication Module (PAM) support have brought it success in a variety of third-party systems as well.

Client

On the smartphone side, the Google Authenticator project provides application software for Android devices, Apple iPhones, and Blackberry handsets. Because these applications are software and generate authentication strings for the user to enter at login time, however, there is some question whether or not they truly "count" as a second factor. Traditionally, hardware authentication tokens must be physically connected to the computer to authenticate a user, though some one-time password (OTP) generators are standalone. Unlike the Android app, however, those devices are meant to make it difficult to extract the key without destroying them. Accessing the key from a phone, then running the app elsewhere (e.g. an Android emulator) would circumvent the "things you have" requirement.

The project's official tagline is "Two-step verification", a subtle acknowledgment of its distinction from a strict definition of multi-factor authentication. But to narrow that security risk, the system generates OTPs that are only valid for a short duration (generally no more than one minute). That does not stop an attacker who steals your device from getting a valid OTP from the application, but it makes it more difficult for an attacker to forge a login through eavesdropping. Specifically, it prevents replay attacks (such as wandering eyes behind you in line at the coffee shop jotting down the passcode) and makes interceptions (such as wandering eyes paired with extremely fast fingers) highly unlikely. Using an OTP will help against credential-stealing attacks, such as those used to compromise kernel.org.

Google Authenticator supports both the Hashed Message Authentication Code (HMAC)-based OTP (HOTP) and the Time-based OTP (TOTP) specifications, both of which were developed by the Initiative for Open Authentication (OATH). Both algorithms use a pseudo-random seed value or key that is known only to the server and the client; the seed is concatenated with a "moving factor" — the piece of the puzzle that makes the password one-time-use only — and the result hashed to create the expected passcode.

HOTP, the older of the two, uses an integer counter that increments for every new passcode. TOTP uses a timestamp as the moving factor instead, with provisions for the server to define whatever time window it wishes to accept as valid. That value enables humans to type in the passcode at a convenient speed, and also allows for clock drift between server and client. Although TOTP is regarded as more secure, HOTP is already finalized as RFC 4226, while TOTP was still at the draft stage when the Google Authenticator project was launched (it has since become RFC 6238).

The mobile clients provided by Google support storing multiple HOTP and TOTP credentials, and can be used to generate passwords for any compliant implementation of the algorithms. There are two mechanisms for entering the seed value associated with each saved account: devices with a camera can take a photograph of a key in an appropriately-formatted QR code, or the user can manually enter the key as a Base32 string.

Server

For the server side of the system, the project provides a command-line tool to provision new keys, and a PAM module — although "server" is not quite accurate; the module will work on traditional desktop Linux distributions as well. According to the user comments on the module's wiki page, Linux appears to be the only operating system supported out of the box; there is a patch reported to work on FreeBSD 8.2 and another for OpenSolaris, but no luck yet for Mac OS X or other PAM-supporting OSes.

The key provisioning tool is called google-authenticator. When run, it generates a new key (primed from /dev/urandom), along with a "verification code" and five "emergency scratch codes." The verification code is used by Google to associate an account with a cellular number via SMS message, and the scratch codes are eight-digit numeric strings designed for use in account recovery — neither is part of the core algorithm. The google-authenticator tool writes the key and the emergency scratch codes into the ~/.google_authenticator file. If libqrencode is installed, it will also generate a QR code formatted for consumption by the mobile applications — the format includes metadata for use by the application, including the hostname, user name, and key type ("totp" or "hotp"). It also writes a URL to stdout containing an HTTPS link to Google's online QR code generator, with the same information as the payload (although, obviously, using the online generator does send your secret key and user/host data to a Google web server...).

The PAM module is named pam_google_authenticator.so, and can be enabled by editing the PAM configuration file for the appropriate service (typically located in /etc/pam.d/). Simply adding 

    auth required pam_google_authenticator.so
to, for example, /etc/pam.d/gdm will activate the Google Authenticator module for all accounts; it will request the HOTP or TOTP passcode after asking for the username and account password. Because the keys are stored in $HOME by default, workarounds are required to use the module with encrypted home directories. The project README recommends rearranging the PAM configuration to decrypt home directories earlier, or storing the keys in a different location (which must then be passed to the module as an argument in the configuration file line).

There is a patch available that will require the Google Authenticator module only if a .google_authenticator file is present. This approach could be used to partition accounts into "high-security" and "low-security" groups, but it could also come in handy if something goes haywire during setup. TOTP can handle a certain degree of clock shift, but the last thing you want to do is activate it for all of your login accounts before thoroughly testing it. To that end, the project also provides a demo utility for testing TOTP passcodes, and an interactive online debugger to ferret out clock and interval problems.

Authenticating in practice

Of course, the GDM example above is not Google Authenticator's intended use-case. Securing SSH and other remote-access methods makes more sense for those whose machines are safely tucked away in an office or closet; any attacker with physical access to a local login prompt has many other attractive opportunities. Any PAM-aware application can take advantage of the module, however — including Apache, which opens the door for many multi-user, web-based applications.

Indeed, there are already numerous third-party projects to integrate Google Authenticator into WordPress, Drupal, and other Content Management Systems (CMS), as well as instructions to use the PAM module for security-conscious packages like OpenSSH and OpenVPN.

Perhaps the more pressing question is whether or not it is wise to introduce a dependence on an application available only for iPhone, Android, and Blackberry devices. As popular as these platforms are, they still leave some users out in the cold, and there may be times when you need to log into a machine and your phone is unavailable for any number of reasons — from job site security, to accidental loss, to simple battery failure. USB security fobs do not suffer from the same limitations.

To that end, however, Google Authenticator benefits from the existence of other HOTP and TOTP implementations. While there are not many to choose from, there are a few: OATH Toolkit, multiOTP, and LinOTP are all free software. I tested Google Authenticator TOTP codes against OATH Toolkit's command-line oathtool. You can perform a passcode-generation hash by running: 

    oathtool --totp --now="the_current_time" your_secret_key
The passcodes matched, once I figured out how to correctly convert the Base32 encoding produced by Google Authenticator into the hexadecimal required by oathtool — namely, that the Base32 encoding scheme defined by RFC 4648 is not the same as base-32 mathematical notation (because the encoding avoids easy-to-confuse characters like I and O).

Thus, there are options for users who cannot or will not carry a device with an official Google Authenticator client application. The availability of compatible command-line options is not a completely secure solution for the lost-phone emergency scenario, though, because it requires you to store the secret key in a third (or fourth, or fifth, etc.) location.

Nevertheless, as the CMS extensions and wrappers for various languages demonstrate, the Google Authenticator project has taken off to a degree that other OTP utilities have not (and there are several using other algorithms, including OTPW and Mobile OTP, both of which have PAM support). That makes the project a net gain for system security, perfect multi-factor authentication or not. The code is packaged for Debian and Ubuntu, and there are contributed builds available for OpenSUSE and Fedora, although there does not appear to be an official package for either of the latter distributions. If the distributions come on-board in force, perhaps OTP adoption will one day be commonplace.


Index entries for this article
GuestArticlesWillis, Nathan

to post comments

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 14:41 UTC (Wed) by fuhchee (guest, #40059) [Link] (28 responses)

`from two or more of the categories "things you know," "things you have," and "things you are."'

For what it's worth, these are all things we "have" - knowledge, objects, body parts, and unfortunately each of them may be maliciously replicated.

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 15:11 UTC (Wed) by jzbiciak (guest, #5246) [Link] (5 responses)

I don't think you can collapse these so readily. The three categories have rather different properties.

  • "Things you have" generally refer to dongles, keys, access cards or other trinkets that you are issued. Someone could steal any of those things without physically harming or maiming you.
  • "Things you know" require you to be at least somewhat conscious, and require at least some level of cooperation to access. Sure, duress can beat a password out of you. (I'm reminded of this XKCD), but if someone kills you, the only other option to get the information is to find someone or something else who has it or brute-force guess it.
  • "Things you are" refers to biometrics, at least as far as I understand. Sure, someone could steal a body part (OUCH!), or in the case of the fingerprint machines, fake your fingerprint by lifting it from a glass. There's different levels here. The retinal scan made famous by many movies is a little harder to fake than the el cheapo thumbprint reader on a laptop. I'd like to see someone replicate an eyeball, maliciously or otherwise.

Still, nobody's arguing security can be made perfect, multifactor or otherwise. But, the more (and more varied) the factors are, the higher the bar gets raised. It requires an attacker to compromise more than one path before they achieve their goal, at a minimum reducing the probability of success to the product of the probabilities of compromising either factor. There's also the increased likelihood of detection, which potentially reduces the probability of success further.

So, I wouldn't be so quick to poo-poo multifactor authentication.

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 17:42 UTC (Wed) by erwbgy (subscriber, #4104) [Link] (2 responses)

Excellent description. It is also worth noting that biometrics are hard to forge but are not secrets and can be easily stolen

.

Google Authenticator for multi-factor authentication

Posted Dec 15, 2011 14:18 UTC (Thu) by gvy (guest, #11981) [Link] (1 responses)

Biometrics are also being pushed down the general public's throat already through chipification, while Nuremberg process ruled out that enumeration of people is a non-expiring crime against humanity.

Google Authenticator for multi-factor authentication

Posted Dec 16, 2011 16:54 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

Nuremberg process ruled out that enumeration of people is a non-expiring crime against humanity.

I'm having trouble parsing that, since the grammatical inconsistency is such as to make it impossible for me to tell what the intended meaning is. (And what does "enumeration of people" mean, beyond "assigning unique numbers to all members of a group of people"?)

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 19:03 UTC (Wed) by jimparis (guest, #38647) [Link]

It doesn't seem to be included when people list those three categories, but maybe "things you are" should also include location: "at work", "connecting from 18.0.0.0/24", etc.

Google Authenticator for multi-factor authentication

Posted Dec 13, 2011 3:09 UTC (Tue) by ghane (guest, #1805) [Link]

<quote> I'd like to see someone replicate an eyeball, maliciously or otherwise. </quote>

Does it have to be a working eyeball?

:-)

--
Sanjeev

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 15:22 UTC (Wed) by jubal (subscriber, #67202) [Link] (2 responses)

A pedant walks into a bar. Well, it's a restaurant with a bar. Technically it's a brewpub since it has an onsite microbrewery.

(also, it's different in various languages.)

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 13:53 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)

A pedant walks into a bar. Ouch.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 11:08 UTC (Fri) by sdalley (subscriber, #18550) [Link]

Laughed out loud!

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 16:43 UTC (Wed) by iabervon (subscriber, #722) [Link] (18 responses)

Make that "things you make up, may forget, and have to reveal to use", "things you can replace, but may lose", and "things you can't lose, but can't change". The idea is that the events that lead to different factors being compromised are as independent as possible; it takes mostly different attacks to get each factor, while having multiple of the same type just means that the attacker has to do a tiny bit more work (take two things out of your pocket or snoop on two passwords).

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 11:52 UTC (Thu) by ekj (guest, #1524) [Link] (17 responses)

That explains why VISA authenthicates transactions by asking you for several items of the same type.

Card-number (embossed on card) expiry-date (embossed on card) CVC (printed on card) owner name (printed on card).

[/cheapshot]

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 13:41 UTC (Thu) by epa (subscriber, #39769) [Link] (6 responses)

You're forgetting 'enhanced security' in some countries where a crappy dialogue box asks for your password. If you don't know the password, don't worry, you can reset it by providing your bank account number (embossed on card) and your date of birth (*not* on the card, but hardly a secret either).

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 15:53 UTC (Fri) by skitt (subscriber, #5367) [Link] (3 responses)

Some websites I place orders on now support an extra step, where my bank sends a one-time code to my mobile phone which I then enter to confirm the transaction. I don't know how widespread this is or what the determining factors are; I've seen it used with cards issued by various banks and via both Visa and MasterCard.

Wikipedia is your friend...

Posted Dec 9, 2011 16:04 UTC (Fri) by khim (subscriber, #9252) [Link] (1 responses)

It all explained in much details where usually such things are explained.

Wikipedia is your friend... or foe

Posted Dec 15, 2011 14:24 UTC (Thu) by gvy (guest, #11981) [Link]

Victor, just for the neutrality (pun intended): the technical articles on wikipedia might be reasonable (but that's not a given), while e.g. historical or national ones tend to get ugly and distorted by a strangely constant factor. You might be interested in [[VP:ISK256]] (translit back to Cyrillic) on ru.wikipedia.org.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:26 UTC (Fri) by dlang (guest, #313) [Link]

the determining factor is if the website has opted to implement such a feature.

Google Authenticator for multi-factor authentication

Posted Dec 12, 2011 19:00 UTC (Mon) by BenHutchings (subscriber, #37955) [Link] (1 responses)

The implementation used in the UK (Visa calls this 'Verified by Visa'; I forget what Mastercard calls it) is even better: no dialog, but an IFRAME. Cardholders are expected to enter their 'secret' details into random shopping sites that embed a frame that probably comes from the payment network. This is literally indistinguishable from phishing, since most users cannot determine where the frame really comes from, and even if they can a framing site can generally snoop on all interaction with a frame.

Google Authenticator for multi-factor authentication

Posted Dec 13, 2011 7:10 UTC (Tue) by paulj (subscriber, #341) [Link]

So, for the UK, the thing to do is to just ignore the VbV password crap. Hit the "Forgot password" link every time, enter the card data, enter some long, random data for the new password - then forget that.

I don't know if there's causation, but after a couple of times of doing this, I now no longer get prompted at all anymore for a VbV password. ;)

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 16:21 UTC (Thu) by jwarnica (subscriber, #27492) [Link] (5 responses)

The distinction of those methods (and also, signature, track 2) are ways that the CC companies can use as proof (well, evidence) that you actually have the card when doing that transaction.

Back in the physical swipe days, the embossing of the card and carbon paper made an imprint. The imprint was not just the card number, but demonstration that the card was actually there when the imprint happened.

"Track 2" data is similar; I dunno what it contains, but provides similar evidence that the actual card was actually used.

Expiry date help for phone or internet transactions, as does the CCV2 codes; just more evidence that someone has the card in hand.

Generally, the theory was that it is hard/impossible to copy two of these at the same time. Signature and CC # embossing are on the opposite side of the card. CCV2 # and CC#, opposite sides (for most cards), etc.

Obviously, as time has moved on, the effort/gain ratio of each of these has been overcome, and thus the introduction of more things.

Google Authenticator for multi-factor authentication - credit cards

Posted Dec 9, 2011 17:05 UTC (Fri) by giraffedata (guest, #1954) [Link] (3 responses)

Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.

The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.

In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.

This is strange...

Posted Dec 10, 2011 6:51 UTC (Sat) by khim (subscriber, #9252) [Link] (2 responses)

I used to successfully submit charges all the time with made up expiration dates.

How can you do that? I've had card from a few banks, but they all reject transactions with incorrect expiration dates (at least electronic ones). This is PITA when card expires: if order is placed with old expiration date and is not shipped before it's annulled and new one is issued then you need to go to the web site and change the data. And not all sites provide nice interface to do that...

This is strange...

Posted Dec 10, 2011 15:16 UTC (Sat) by corbet (editor, #1) [Link] (1 responses)

Our experience as a credit card merchant suggests that banks differ widely in the practices they apply. For a lot of them, if you have a number, that's all they care about. We routinely get emails from people who realize they put in the wrong name or expiration date, but the charges go through just fine. Other banks insist on correct address information and will turn down charges because they don't like the position of the moon that night.

expiration date in credit card authentication

Posted Dec 10, 2011 18:02 UTC (Sat) by giraffedata (guest, #1954) [Link]

It doesn't surprise me that for some charges the expiration date has to be right. There's a lot of diversity in this area.

But I know that traditionally, the expiration date wasn't part of authentication. When I did it, it was in 1999 using a traditional merchant credit card terminal.

Banking computing standards often take a decade to make even a trivial change because regulators are very careful. I'm pretty sure that this terminal wasn't even capable of transmitting the expiration date I typed to its partner.

Google Authenticator for multi-factor authentication

Posted Dec 14, 2011 20:55 UTC (Wed) by eli (guest, #11265) [Link]

Signature and CC # embossing are on the opposite side of the card.
Take out one of your credit cards. Look at the back of it. Notice that everything on the front of the card is embossed into the card, which changes the shape of the back of the card. If you get a good image of the back of that card, you can read the data embossed on the front.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 17:17 UTC (Thu) by iabervon (subscriber, #722) [Link] (3 responses)

It was originally something you had (the card), and something you knew (how to get a pen to produce your signature). But neither of these works without a semi-trusted point-of-sale agent who watches you sign and sees that you actually have the card. Providing effective authentication for credit cards now (considering both how they're used and the state of forging technology) would cost more than fraud costs, so they haven't bothered. To the extent that they've done anything, it's just an attempt to make their accounts a bit harder to abuse than other cards. (Asking for an extra password to use a card would probably cut way down on fraud at the moment even if you don't compare the password to anything, because attackers will tend to think, "this one's weird" and go on to the next number in their list, which will work fine without anything special.)

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 1:23 UTC (Fri) by giraffedata (guest, #1954) [Link] (2 responses)

The signature is something you are, not something you know. It comes from too low a part of the brain to be in the same category as a password.

The system really doesn't rely on a semi-trusted point-of-sale agent; the retailer is about as untrusted as anyone by VISA, which is why he used to have to get an imprint of the card, and now has to swipe it through a reader. To prove to a large extent that the card was actually present. In addition, the retailer has to produce a signature that reasonably matches the one on the card, proving to some extent that the owner of the card was there too.

The only thing I've seen change since the early days is that for small transactions, someone - I don't know if it's Visa or the retailer - is now willing to take the risk of fraud in exchange for speed and convenience.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 10:20 UTC (Fri) by mpr22 (subscriber, #60784) [Link] (1 responses)

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:27 UTC (Fri) by giraffedata (guest, #1954) [Link]

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

And yet the main reason signatures exist is that many people do regard them as something you are, being difficult for a fraudster to learn.

I, for example, could almost certainly not reproduce your signature, no matter how much I practiced. So there's one fewer fraudster to worry about.

None of the security mechanisms we're talking about are perfect, so it's all about reducing, not eliminating, the chance of fraud.

In any case, it's not "something you know" -- if it were, then you could instantly disclose to someone how to write your signature.

(Incidentally, the other major purpose of a signature that people often overlook is not as security, but as a statement. The fact that someone wrote his name (or even an X) on a piece of paper makes it impossible for him to argue he didn't mean to commit himself. As most people are honest, whether he signed or not is often not disputed).

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 19:41 UTC (Wed) by sfromm (guest, #41967) [Link] (10 responses)

It appears you can't use google-authenticator with one's SSH key, which is unfortunate. I would like this a lot better if I could do OTP and still use my SSH key.

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 23:49 UTC (Wed) by smoogen (subscriber, #97) [Link]

When I looked at something similar a long time ago, ssh code has a certain short code when it comes to ssh-keys. If it sees a key it gives a free pass and you are in. The out-of-tree kerberos code had to do various code hops to get around that.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 0:28 UTC (Thu) by dwmw2 (subscriber, #2063) [Link] (8 responses)

It appears you can't use google-authenticator with one's SSH key, which is unfortunate. I would like this a lot better if I could do OTP and still use my SSH key.
I have that working locally. See OpenSSH bug #983.

You really also want to fix GA bug #51 if you want to use Google Authenticator for real. Storing the key in ~/.google_authenticator, so that any code running as your user can read or change it, is entirely stupid. Imagine if your system password was stored in ~/.passwd instead of /etc/shadow where you can't even read it!

Unfortunately, this involves patches to two of the least responsive upstream projects I've ever had to deal with ☹

access to the shared secret

Posted Dec 8, 2011 2:50 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

This is way, way, worse than the password case, because the password, even in /etc/passwd days, was stored as a salted CPU-intensive hash. So the bad guys have to do a bunch of heavy lifting (even today it's far from trivial to reverse those old DES based hashes for a decent 8 character password, and if the user upgraded to PHK-MD5 hashes and a 10 character password, kiss your chances goodbye).

But with these OTP systems the stored value is a shared secret. If the bad guy has it, they can successfully authenticate as you with no additional work.

access to the shared secret

Posted Dec 8, 2011 2:58 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

"This is way, way, worse…"
You are absolutely correct. I do apologise for understating the astounding stupidity of the default Google Authenticator setup.

access to the shared secret

Posted Dec 8, 2011 13:50 UTC (Thu) by PlaguedByPenguins (subscriber, #3577) [Link]

how about using google authenticator (or yubikeys etc.) via radius - then you can put all the plaintext secrets on a "secure" radius machine that's heavily defended. no more secrets on clients.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 6:55 UTC (Thu) by Cato (guest, #7643) [Link] (4 responses)

Thanks for flagging this, that's truly a terrible design decision and makes me wonder about the rest of Google Authenticator.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 9:13 UTC (Thu) by dwmw2 (subscriber, #2063) [Link] (3 responses)

"Thanks for flagging this, that's truly a terrible design decision and makes me wonder about the rest of Google Authenticator."
I'd fairly much reached that state as soon as I realised it was kept in Mercurial. The ~/.google_authenticator braindamage just served to confirm my prejudice ☺

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 10:57 UTC (Thu) by drag (guest, #31333) [Link] (2 responses)

Call me stupid, but I don't really understand what is so horrible about ~/.google_authenticator. I really want to understand exactly why this is bad.

When I am using Kerberos, for example, the ticket cache is stored in something like /tmp/krb5cc_1000. Anybody who has access to my account can read and use those tickets to get access to any service I have access to. These are stored under 700 and are rw by my users. Kerberos can be two-factor if I a service asks for a password in addition to the ticket from the ticket granting service. The 8 hour expiring of the ticket provides plenty of opportunity for mischief.

When I am using OpenSSH, again my keys are stored in ~/.ssh/ and is read/writable by my user. Openssh keys are legit and commonly used two-factor authentication since I need both the keys and the password to decrypt them.

How is ~/.google_autheniticator worse?

Even if I have a hardware dongle or a physical RSAkey-style OTP password then if somebody has access to my account they have access to the hardware key or any OTP key I type into the system just as much as I do. If somebody has access to your account on your PC that your using then it doesn't matter what sort of authentication system your using, your screwed anyways.

Is there something I am missing here?

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 11:43 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

ok. I think I understand now. The ~/.google-authenticator is on the server-side and is what pam uses to authenticate your user.

I thought it was part of what you needed on the client side. My mistake.

In this case it's not like kerberos tickets or private ssh key at all. It's more like the public key for SSH RSA/DSA authentication.

Even then it's not horrible or stupid, I think. It seems obvious that ~/.google-authenticator file is intended for the user to setup for themselves without administrative help in addition to passwords. So in that case it makes sense that it's in the home directory.

Is there a mode for the administrator to setup the secrets without user intervention; without the ~/.google-authenticator file?

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 13:12 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

Google Authenticator doesn't use public/private keys. It has a single symmetric key. Essentially there is no public key; only a private key.

So no, the problematic part is not that it's like the SSH public key. The problematic part is that it's like keeping your SSH private key lying around on the file system without a passphrase.

And yes, the patch I mention above will allow you to keep the files in a root-owned and root-only-readable location.

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 22:19 UTC (Wed) by Yenya (subscriber, #52846) [Link]

One thing to note is that g-a does not play well with SELinux. A possible solution would be to change the location where the authentication data is stored, but apparently upstream "does not seem to be responding at all" (cited from comment #19 in the Fedora bug #754978:
https://bugzilla.redhat.com/show_bug.cgi?id=754978 )

For those who don't like phones

Posted Dec 8, 2011 4:19 UTC (Thu) by PlaguedByPenguins (subscriber, #3577) [Link] (6 responses)

... or think that hardware is more secure than software, there is at least one TOTP hardware token available.

For those who don't like phones

Posted Dec 8, 2011 6:24 UTC (Thu) by wahern (subscriber, #37304) [Link] (5 responses)

I'll vouch for the Yubikey HOTP system: www.yubico.com. Yubikeys are quite slick. They're much faster than even typing in a short TOTP string, yet still don't require any client software. They pose as a USB keyboard. When you press the button the next OTP is printed along with a line feed. Works for SSH, HTML web forms, etc.

When I create a new shell account on my server I hand one of these out.

I just bought 10 for $99 (holiday special). I think if these were in the $3-$5 range they'd sell much better, but what do I know.

Yubico also sells a tiny USB hardware security module to securely (i.e. irretrievably) store the OTP secrets for authentication. It's pricey but still the cheapest HSM solution by far that I'm aware of. The HSM isn't necessary, of course, but it's an extremely nice option.

For those who don't like phones

Posted Dec 8, 2011 7:02 UTC (Thu) by Cato (guest, #7643) [Link] (4 responses)

I use Yubikey as well - currently with LastPass, a password manager that works on Linux, Mac, Windows, iPhone, Android, etc. More applications (web and other) need to support two-factor - currently Fastmail is an email service that supports Yubikey.

The only issue with Yubikey is that it requires a USB port so there's no way to use it on most smartphones, many of which don't even have a USB port. Same goes for some Internet cafes that don't allow USB devices to be plugged in, and some corporates perhaps. The great thing is that it does work without drivers for any computer that has a USB keyboard interface.

Duo Security might be a better option for desktop and phone use. It is more or less a superset of Google Authenticator, with phone/text callback as well as smartphone apps, but also has the option of a hardware token with display for the random passcode.

Links:
- http://yubikey.com/
- http://duosecurity.com/

Yubikey

Posted Dec 8, 2011 9:49 UTC (Thu) by Yenya (subscriber, #52846) [Link] (3 responses)

I have tested yubikey briefly, and altough it is an interesting technology, I found it unusable for my needs, because of two problems:

- central authority: I maintain several servers, and I want to be able to log in even in case the server is half-broken (i.e. DNS or network only partly functional). For an ordinary user, Yubikey is a great technology. For a server admin, not so much.

- multiseat: at home, I have a multiseat workstation, and I have so far not found an easy way how to configure to which head the hot-plugged keyboard (the yubikey module) should be mapped. I have primary keyboards for both seats configured statically in their respective ServerLayout sections in xorg.conf.

Yubikey

Posted Dec 8, 2011 12:30 UTC (Thu) by Cato (guest, #7643) [Link]

For the server case, you would need to have a non-Yubikey login method not using two factor, and this applies to almost any two factor system I would think. Since this 'recovery login' would only be used in the 'something very broken' case, it's not too vulnerable to keyloggers on the client. Google Authenticator has a recovery process with pre-printed emergency token codes, which may be better.

For multiseat, a USB-based login method may not be very suitable as it requires the login process to know more about Yubikey - perhaps a smartphone or traditional token would work better.

Yubikey

Posted Dec 9, 2011 0:49 UTC (Fri) by wahern (subscriber, #37304) [Link] (1 responses)

Regarding the central authority, it's no different than any other method--the server needs access to the secret (or public key) in order to authenticate. Just put the secret on all the servers.

It doesn't matter if the HOTP counters on the servers become out of sync with each other as long as the counter on the key is monotonically increasing. The servers will fast forward until they find a match (within a configurable limit).

Admittedly you open yourself up to replay attacks. But you're hardly in a worse position than with regular passwords. TOTP is better in this regard, but what matters is how much better HOTP is compared to the baseline.

I pine for the day when my Goldkey USB crypto token works out-of-the-box (or my 10 year old Schlumberger crypto card, for that matter), but that day isn't here yet.

Yubikey

Posted Dec 9, 2011 1:01 UTC (Fri) by wahern (subscriber, #37304) [Link]

Has anybody purchased tokens from http://www.gooze.eu/? They're the only seller of single-unit TOTP tokens I have found so far, and other than Goldkey of public-key crypto tokens as well.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 7:44 UTC (Thu) by ssmith32 (subscriber, #72404) [Link] (1 responses)

Admittedly I'm a little tired & my eyes glazed over the details.. but, as far as functionality, how is this different than a RSA soft token or a VIP soft token (Versign/Symantec equivalent of RSA's soft token)?

Other than seeming way way way more complicated..

And, I guess, it didn't get hacked when RSA did :D

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 9:42 UTC (Thu) by pilif (subscriber, #3857) [Link]

compared to the commercial solutions, you can run this yourself, you don't have to pay per authentication and no third party is involved at all for the authentication.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 14:21 UTC (Thu) by bdauvergne (subscriber, #6989) [Link]

Some self-promotion....

Here is a Python library implementing all of the OATH OTP-linked standards (HOTP, TOTP and the more obscure OCRA):

https://github.com/bdauvergne/python-oath

Then a little python-snippet to generate a TOTP generator (TOTP client) as a javascript bookmarklet:

https://github.com/bdauvergne/totp-js

If works as google-authenticator but in the browser. You can put the bookmarklet near the QRCode as simple <a/> link, and people can bookmark it. Just click on the bookmark and a message box open with your password. I think it only works with decent browsers (chrome&mozilla).

Google Authenticator for multi-factor authentication

Posted Dec 13, 2011 17:07 UTC (Tue) by beast (subscriber, #227) [Link]

I saw this demonstrated last week at the USENIX LISA conference - a two-factor authentication system that uses QR codes that you scan with your phone camera. There is even a PAM module to generate the QR codes when logging in with ssh.

https://tiqr.org/

I've put up some notes on using this on a java webapp

Posted Dec 23, 2011 17:09 UTC (Fri) by kokopelli (guest, #11341) [Link]

I've put up some notes on using this on a java webapp on my blog: http://invariantproperties.com/2011/12/23/using-google-authenticator-totp-on-your-site/


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds