Russ Allbery <ea...@eyrie.org> writes:

> Robbie Harwood <rharw...@redhat.com> writes:
>
>> Also! 2FA will mitigate this concern somewhat as well. krb5 is
>> prepared to hand off to a RADIUS responder for OTP (freeIPA uses
>> this, which I know you're not interested in but is meaningful as a
>> PoC); you can then use something like freeOTP or a physical 2FA token
>> for acquiring additional credentials.
>
> I wonder how hard it would be to add WebAuthn as a preauth mechanism
> for Kerberos as part of a FAST chain. HOTP/TOTP don't have the
> greatest security properties, even though most Kerberos use cases are
> inherently less vulnerable to phishing than the typical web
> authentication use.
Probably not too bad, but there are some tricky points around RPs and the like. There's work underway (blocked on me, actually) to add U2F/FIDO2 as a 2FA mech under SPAKE, though ideally we'd have the SPAKE draft closer to release before unloading that on the world.

Thanks,
--Robbie
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos