Pilot service for Yubikey two-factor authentication

December 12, 2014

Some background

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 3:04 pm

There is a bit of catching up to do here …

A while ago we collectively wondered whether we could or should be using ‘two-factor authentication’ when accessing our various services. Those questions spawned a precursor project called Project 279 – Options for two-factor authentication.

It turned out that ‘two-factor authentication’ covered a wide variety of very different ‘use cases’ for us – see the various cases in the initial ‘discussion paper.’ Ideally, we’d like to investigate all of those at some stage, but, since trying to do everything at once is never a good idea, we decided to pursue the particular question of how to implement two-factor authentication for external access to our principal access gateways, namely external-facing ssh servers and Cosign-protected websites.

So we then wondered how to do that. It turns out that the ‘obvious’ answer is to use some kind of hardware and/or software device to generate some kind of ‘one-time password’, and then to integrate the use of that password into the ssh and Cosign authentication processes. Having looked around, we decided to try to use the Yubikey hardware device for this purpose. It’s not the only such device of course, and there are software alternatives – but the hope was (and is) that if we could get ssh and Cosign working with Yubikeys then that might provide us with a good solution. And, if it didn’t, that we could probably use the experience gained to integrate other similar devices or approaches. In summary: we have to start somewhere!

So that’s the brief background. The current project has the aim of producing a pilot two-factor authentication system for ssh and Cosign, all based on the use of Yubikeys.
