[TriLUG] two factor authentication and remote VPN

Michael Tharp gxti at partiallystapled.com
Wed Dec 17 17:10:49 EST 2008


James Tuttle wrote:
> I'm hoping that the X509 key challenge happens before an opportunity to present a password happens.

Password-protected certificates aren't actually two-factor 
authentication because it's really just one factor (the private key) 
encrypted to protect it during transfer and storage. The user can change 
the password or remove it entirely without contacting the server, and if 
it's "something you know but can get rid of because you are lazy", the 
value of that factor is greatly diminished. On top of that, if the 
attacker has infinite CPU time they can crack the encryption on the key 
off-line, in a massively parallel fashion, and without contacting the 
server or otherwise making it known that the key is compromised. Of 
course, it's far more likely that your security will be derailed 
inadvertently by a user than maliciously by an attacker when strong 
cryptography is involved.

Taking off my security hat, encrypted certificates are fine and beat out 
the password-only case by a long shot, so I'd still recommend that 
unless you need two-factor authentication due to company policy (or 
similar non-technical reasons).

-- m. tharp
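An added example, not part of the thread or either poster's code, illustrating the off-line cracking point above from the defender's side: how fast a passphrase on a PEM private key can be guessed depends on the key-wrapping format, and that can be checked from the PEM headers alone. Legacy OpenSSL "traditional" encryption (the Proc-Type/DEK-Info headers) derives the key with a single MD5 pass, while PKCS#8 EncryptedPrivateKeyInfo carries a PBKDF2 iteration count. The script below classifies a key and returns audit findings; the three sample keys are constructed placeholders with meaningless base64 bodies, not real key material.

```python
"""
Added example (not from the TriLUG thread): inspect a PEM private key and
report whether, and how, it is passphrase-protected. It reads only the PEM
armour and RFC 1421 headers, so nothing is decrypted.
"""
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)
# Legacy OpenSSL "traditional" encryption advertises itself with these headers.
PROC_TYPE_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
DEK_INFO_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)


def classify_private_key(pem: str) -> dict:
    """Return a small report: format, whether encrypted, and the KDF in use."""
    m = BEGIN_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 EncryptedPrivateKeyInfo: the KDF and its iteration count live in
        # the DER body (PBES2 with PBKDF2 for keys written by current OpenSSL).
        return {"format": "pkcs8", "encrypted": True,
                "kdf": "PKCS#8 PBES (iteration count in DER body)"}
    if label.endswith("PRIVATE KEY"):
        if PROC_TYPE_RE.search(pem):
            dek = DEK_INFO_RE.search(pem)
            cipher = dek.group(1) if dek else "unknown"
            # EVP_BytesToKey with MD5 and a single iteration: each passphrase
            # guess costs roughly one hash, so offline guessing is cheap.
            return {"format": "legacy", "encrypted": True, "cipher": cipher,
                    "kdf": "EVP_BytesToKey(MD5, 1 iteration)"}
        fmt = "pkcs8" if label == "PRIVATE KEY" else "legacy"
        return {"format": fmt, "encrypted": False, "kdf": None}
    raise ValueError("not a private key block: " + label)


def audit_private_key(pem: str) -> list:
    """Findings a defender would act on, as plain strings (empty list = fine)."""
    info = classify_private_key(pem)
    findings = []
    if not info["encrypted"]:
        findings.append("private key is stored unencrypted")
    elif info["format"] == "legacy":
        findings.append("legacy PEM encryption uses a single-iteration MD5 KDF; "
                        "convert to PKCS#8 with a high PBKDF2 iteration count")
    return findings


# Constructed sample inputs: the base64 bodies are placeholders, not real keys.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAINTEXT = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in [("legacy", LEGACY_ENCRYPTED),
                      ("pkcs8", PKCS8_ENCRYPTED),
                      ("plain", PLAINTEXT)]:
        print(name, classify_private_key(pem), audit_private_key(pem))
```

Run it over a directory of client keys to find the ones that give an attacker the cheap off-line guessing case; a legacy key can be rewrapped as PKCS#8 with OpenSSL's pkcs8 command and its -iter option, which raises the per-guess cost without changing the key itself. It does not change the thread's conclusion: even a well-wrapped key is still one factor, and the user can still strip the passphrase without the server noticing.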
