CQ> The problem with that is that as the admin, you can't enforce that
CQ> users set a passphrase, or remove it later in time from the private
CQ> key. The idea with two-factor is that they definitely have the device
CQ> / application you sent home with them, without being able to disable
CQ> it for convenience.
Sure, as long as they're actually using the application you sent home with them, and not a different one that speaks the same protocol. Which may be hard for them to do (compared to stripping the passphrase off of an SSH key), but fundamentally, if you want there to be a "thing you have", software isn't a "thing" in that sense, because it can be copied, replaced, etc. -- if you want a physical object, there needs to be a physical object. (Which, as Tom points out, is inconvenient, if you can't somehow also make it a physical object that they're already carrying. But that's hard to enforce too, if you don't control the object; which, if it's their phone, you don't.)

-Josh (iril...@infersys.com)

_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/