freebsd security - Jun 2019 - Untrusted terminals: OPIE vs security/pam_google_authenticator

Dear Colleagues,

I've used OPIE for many years (and S/Key before that) to login to my
system from untrusted terminals (cafes, libraries etc).

Now I've read an opinion that OPIE is outdated (and indeed its upstream
distribution is gone) and that pam_google_authenticator would be more
secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270

Is that truly so? With 20 words in OPIE and only 6 digits in
pam_google_authenticator, how strong is pam_google_authenticator against
brute force and other attacks?



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20190618/ad9e8845/attachment.sig>

Victor,

To throw a new wrinkle in the equation: Google Authenticator codes can be
intercepted by a phishing page. U2F protocol is even better, and can't be
intercepted via phishing.

There are U2F libraries in ports.

https://en.wikipedia.org/wiki/Universal_2nd_Factor

Cheers,
Rob

On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to login to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
>