On 02/01/2011 10:56 AM, Gervase Markham wrote:
> Dear crypto-hackers,
>
> Your thoughts on the following problem would be appreciated.
>
> Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla
> accounts.
> https://bugzilla.mozilla.org/show_bug.cgi?id=570252
>
> Sub-goal: do it in a way which doesn't involve purchasing or running
> proprietary software.
>
> General musings on these goals welcome. Here also are some specific
> questions:
>
> Q1) There is conflicting advice in that bug about whether a client
> certificate-based solution

Whether or not client certs count as a second factor is somewhat philosophical. In some sense, the private key stored in the browser functions as another "something you know" like a password. If the PC is pwned, they can get the private key too.

Of course, just about anything is better than just a password alone.

> can meet the requirement of "implement it
> only for some accounts" (with the implicit requirement that it doesn't
> bother or affect people who are not using it). Can a client certificate
> solution be made to work?

Those accounts would probably have to access a particular URL and be banned from the main one. May or may not be an issue.

> Q2) If not, does anyone know of any commercial 2-factor systems which
> can be implemented entirely with open source tools and software? (I'd
> accept having to purchase closed hardware tokens.)

Oooh oooh I do!
I work at PhoneFactor (phonefactor.com). We use any ordinary phone as the second factor and can integrate with nearly anything. Most people already have cell phones, which can save a lot of deployment pain.

We have a free 25-user version. We love Mozilla and would love to get you guys using it. Something tells me we would cut you guys a deal for open source.

Right now we have an "SDK" web service interface that you could interface with in the bugzilla code. We have sample client code for all the main web scripting languages. If it's not already an open source license, I'm sure we'd release it. But really it's just exchanging a bit of XML with libcurl or whatever.

We also have a PhoneFactor Agent that runs on MS Windows, but of course not everyone has that as part of their backend systems.

Sorry if this sounds all sales-y. I'm really just a developer and hacker. But I do love to discuss this subject.

- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
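Added example (not part of the thread, and not Bugzilla, Mozilla or PhoneFactor code): a sketch of the server-side decision Gerv's Q1 asks about, where only enrolled accounts must present a client certificate and everyone else is unaffected. It assumes a TLS front end that requests client certificates optionally and hands the outcome to the application as mod_ssl-style values (SSL_CLIENT_VERIFY of "NONE", "SUCCESS" or "FAILED:..." plus the presented certificate), and that enrolled accounts store a SHA-256 fingerprint of their certificate; the certificate bytes below are constructed stand-ins, not real DER. Python is used for illustration, not because Bugzilla is written in it.

```python
# Per-account client-certificate check illustrating "implement it only for
# some accounts" from Q1.  Added example; not Bugzilla, Mozilla or PhoneFactor code.
#
# Assumptions (not stated in the thread):
#   * A TLS front end requests client certificates optionally and passes the
#     result to the application as mod_ssl-style variables: SSL_CLIENT_VERIFY
#     ("NONE", "SUCCESS" or "FAILED:<reason>") plus the presented certificate.
#   * Enrolled accounts store a hex SHA-256 fingerprint of their certificate.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Account:
    login: str
    password_ok: bool                       # outcome of the ordinary password check
    cert_fingerprint: Optional[str] = None  # hex SHA-256 of enrolled cert; None = not enrolled


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding: pins one specific certificate, not a CA."""
    return hashlib.sha256(der_cert).hexdigest()


def authorize(account: Account, ssl_client_verify: str,
              der_cert: Optional[bytes]) -> Tuple[bool, str]:
    """Decide whether a login may proceed; returns (allowed, reason)."""
    if not account.password_ok:
        return False, "password check failed"
    if account.cert_fingerprint is None:
        # Not enrolled: the optional certificate request changes nothing for
        # this user, whether they sent no certificate or an unsolicited one.
        return True, "password only (account not enrolled)"
    if ssl_client_verify != "SUCCESS" or der_cert is None:
        # Enrolled but no chain-valid certificate was presented: fail closed.
        return False, "client certificate required for this account"
    if not hmac.compare_digest(fingerprint(der_cert), account.cert_fingerprint):
        # A chain-valid certificate issued to someone else must not unlock this account.
        return False, "client certificate does not match the enrolled one"
    return True, "password + client certificate"


# Constructed stand-ins for DER certificates; real ones come from the TLS front end.
ALICE_CERT = b"constructed DER bytes for alice's certificate"
MALLORY_CERT = b"constructed DER bytes for a different, CA-valid certificate"

ALICE = Account("alice@example.org", password_ok=True,
                cert_fingerprint=fingerprint(ALICE_CERT))   # enrolled
BOB = Account("bob@example.org", password_ok=True)          # never enrolled


def demo() -> dict:
    """Run the interesting cases and return (allowed, reason) keyed by scenario."""
    return {
        "alice_with_her_cert": authorize(ALICE, "SUCCESS", ALICE_CERT),
        "alice_without_cert": authorize(ALICE, "NONE", None),
        "alice_bad_chain": authorize(ALICE, "FAILED:certificate has expired", ALICE_CERT),
        "alice_someone_elses_cert": authorize(ALICE, "SUCCESS", MALLORY_CERT),
        "bob_no_cert": authorize(BOB, "NONE", None),
        "alice_wrong_password": authorize(
            Account(ALICE.login, password_ok=False, cert_fingerprint=ALICE.cert_fingerprint),
            "SUCCESS", ALICE_CERT),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:26s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The point of binding the account to a fingerprint rather than to "any certificate our CA issued" is that a colleague's perfectly valid certificate cannot be used to log in as the enrolled user; the front end still does the chain validation, the application only makes the per-account decision. Whether enrolled users are sent to a separate URL, as Marsh suggests, or the shared one requests certificates optionally, this server-side check is the same. It does nothing about Marsh's caveat: a key that lives in the browser profile is only as safe as the PC it sits on.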