Dear crypto-hackers,

Your thoughts on the following problem would be appreciated.

Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla
accounts.
https://bugzilla.mozilla.org/show_bug.cgi?id=570252

Sub-goal: do it in a way which doesn't involve purchasing or running
proprietary software.

General musings on these goals welcome. Here also are some specific
questions:

Q1) There is conflicting advice in that bug about whether a client
certificate-based solution can meet the requirement of "implement it
only for some accounts" (with the implicit requirement that it doesn't
bother or affect people who are not using it). Can a client certificate
solution be made to work?

Q2) If not, does anyone know of any commercial 2-factor systems which
can be implemented entirely with open source tools and software? (I'd
accept having to purchase closed hardware tokens.)

Q3) If not, can we do something smart like issue chip cards and leverage
the devices being shipped for the rollout of the Chip Authentication
Program in various countries?
http://en.wikipedia.org/wiki/Pinsentry

Q4) Or, could we do something in-browser or with a phone app, allowing
people to use their mobile phone as the hardware token?

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto