From: Tom Scavo <trscavo@internet2.edu>
Subject: tech some lingering thoughts from today's call
Date: August 23, 2013 3:20:47 PM CDT
To: tech@lists.cohortium.internet2.edu
Reply-To: Tom Scavo <trscavo@internet2.edu>
This short list of authentication factors covers a significant
fraction (> 50% ?) of what's available out there:
- Password
- Federated Password
- OTP via SMS
- OATH HOTP/TOTP Mobile Token
- OATH HOTP/TOTP Hard Token
- Telephony Voice
Once you have a basic understanding of the comparative strengths and
weaknesses of each of the factors, you can mix and match as needed:
- Password + OTP via SMS (Google, Twitter, Apple, Duo, etc.)
- Password + OATH TOTP Mobile Token (Google, Duo, etc.)
- Password + OATH TOTP Hard Token (YubiKey, Duo, RSA, etc.)
- Password + Telephony Voice (PhoneFactor, Duo, etc.)
- Federated Password + OATH TOTP (YubiKey, Duo, etc.)
There are other solutions that are interesting but proprietary:
- Password + Duo Push
- Password + Toopher
A comprehensive analysis in each case would span all of the
"-bilities" plus security and privacy. FWIW, I've done a preliminary
analysis of a few of these factors. See:
https://spaces.at.internet2.edu/x/RoLYAQ
I used the framework documented in "The Quest to Replace Passwords"
but certainly there are many ways to do this depending on what your
requirements are.
Tom