On 17/10/2013 01:21, Walter Dnes wrote:
> On Mon, Oct 14, 2013 at 10:45:10PM +0200, Alan McKinnon wrote
>
>> Access to my backend network is two-factor - ssh keys and decent
>> passwords.
>
> That is *NOT* Two-factor authentication. See
> http://en.wikipedia.org/wiki/Multi-factor_authentication for the
> details. Executive summary... Two-factor authentication requires you to
> present two authentication factors each time. I.e. it's A *AND* B.
> Your setup is A *OR* B. The usual implementations include 2 factors...
> 1) userID+password
> 2) a small credit-card-sized unit that generates random-looking
>    multi-digit numbers that change every minute.
>
> In order to log on the user must enter both the userID+password combo
> *AND* the current number on the token card.

It's a poor choice of words on my part. We do have that exact two-factor
system to access the network via VPN, but that's just a portal.

Accessing the actual backend network is a two stage process: ssh key to
the jump host, then password to get onto the actual destination.

So it's "two factor" as a generic English language phrase, not "two
factor" as a technical description of an exact thing.

Keep in mind that English is a highly overloaded language :-)

-- 
Alan McKinnon
alan.mckin...@gmail.com
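
The A *AND* B versus A *OR* B distinction from the quoted message, as it appears in an OpenSSH server configuration (an added example, not part of the original thread). The sample configs are constructed, and the use of `AuthenticationMethods` is an assumption about how such hosts could be set up, not something either poster described.

```python
# Added example: decide whether an sshd_config requires two different
# authentication methods on every accepted login path (A AND B), or lets
# a single method succeed (A OR B). Simplification: only the global
# section is read; Match blocks are ignored.

def accepted_paths(config_text):
    """Return the method sets from AuthenticationMethods, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].replace("=", " ", 1).strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":
            break  # stop at the first conditional block
        if keyword == "authenticationmethods":
            # Lists are space-separated; methods inside a list are
            # comma-separated and ALL of them must succeed. A suffix such
            # as "keyboard-interactive:pam" names a sub-method; drop it.
            return [frozenset(m.split(":")[0] for m in lst.split(","))
                    for lst in parts[1:]]
    return None

def classify(config_text):
    """Return 'AND' if every path needs >= 2 distinct methods, else 'OR'."""
    paths = accepted_paths(config_text)
    if not paths or frozenset({"any"}) in paths:
        return "OR"  # sshd default: any one enabled method is enough
    return "AND" if all(len(p) >= 2 for p in paths) else "OR"

# Constructed sample configurations.
KEY_OR_PASSWORD = """
PubkeyAuthentication yes
PasswordAuthentication yes
"""
KEY_AND_PASSWORD = """
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password   # both required, in order
"""
KEY_ALONE_ALLOWED = "AuthenticationMethods publickey,password publickey\n"

if __name__ == "__main__":
    for name, cfg in [("key or password", KEY_OR_PASSWORD),
                      ("key and password", KEY_AND_PASSWORD),
                      ("second list lets key alone in", KEY_ALONE_ALLOWED)]:
        print(f"{name}: {classify(cfg)}")
```

The third sample shows how one extra space-separated list silently turns a two-method requirement back into A *OR* B.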