I am thinking about it from the perspective of having one single 2fa across as many systems as possible.
On Tue, Jun 18, 2019, 09:09 Robert Simmons <rsimmo...@gmail.com> wrote: > You are correct for SSH. > > On Tue, Jun 18, 2019, 09:07 Dan Langille <d...@langille.org> wrote: > >> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmo...@gmail.com> wrote: >> >> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <v...@mpeks.tomsk.su> wrote: >> >> Dear Colleagues, >> >> I've used OPIE for many years (and S/Key before that) to login to my >> system from untrusted terminals (cafes, libraries etc). >> >> Now I've read an opinion that OPIE is outdated (and indeed its upstream >> distribution is gone) and that pam_google_authenticator would be more >> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270 >> >> Is that truly so? With 20 words in OPIE and only 6 digits in >> pam_google_authenticator, how strong is pam_google_authenticator against >> brute force and other attacks? >> >> >> Victor, >> >> To throw a new wrinkle in the equation: Google Authenticator codes can be >> intercepted by a phishing page. U2F protocol is even better, and can't be >> intercepted via phishing. >> >> There are U2F libraries in ports. >> >> https://en.wikipedia.org/wiki/Universal_2nd_Factor >> >> Cheers, >> Rob >> >> >> >> If my Google Authenticator codes are on my phone, and I'm entering them >> into my ssh session, how is a phishing page involved? >> >> — >> Dan Langille >> http://langille.org/ >> >> >> >> >> >> _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"