Smart cards, OTP, hardware tokens like SecurID… two-factor auth is an old standby and considered mandatory for any high-security installation. But let's face facts: there are a myriad of problems involved. SecurID is complex and expensive, and has now destroyed its credibility following the Lockheed break-in. Smart cards are really sweet, especially the solutions from ActivIdentity, but again it's expensive and you have client hardware requirements, which can be a problem with many users. OTP is nifty, but most of the solutions out there are ancient and may not work with the platform you're using. But… that is the price of security, right? And what about all these new cloud deployments; how do you fit a traditional two-factor solution to your cloud? Just shoot me.
Today I stumbled across Duo Security and was amazed. It is an entirely modern two-factor auth system: it uses a SaaS model, open source client software and open APIs, integrates with just about anything, and uses the phone you already have in your pocket.
What's amazing is that the guys at Duo have nailed the setup. You go to Duo Security and sign up for an account; before you've even finished registering they've already verified your phone via an automated voice call. You finish the easy wizard and within 2 minutes you're looking at their dashboard with a free account that supports up to 10 users. For a UNIX system you download and compile their duo_unix software (packages are available for Linux distros), which includes a client program (login_duo) as well as a PAM module. You add a new "Integration" (essentially an auth realm with its own API key) and feed the keys into the client configuration (which is only 3 lines long, btw), then run the client, which gives you a URL to finish validating the host, and you're done. 10-15 minutes after first hitting their website you are up and running with two-factor security without a bit of pain. It's so simple it just makes me smile… and how often does anything security related do that?
Duo supplies special variations of the service that are just as easy for Juniper, Cisco and SonicWall VPNs, as well as a Web API, but I'm not going to address those here.
Once your UNIX host is set up, you have some options on how to employ it. You can use PAM, which will make all users dual-auth via Duo, or you can use a nifty per-user SSH trick: add command="/usr/local/sbin/login_duo" to the beginning of your public key in the .ssh/authorized_keys file (which I didn't even know was possible). sshd then runs login_duo as a forced command once the key is accepted, and login_duo only hands off to your shell (or to the command you asked for) after the second factor succeeds. If you don't have the ability to modify PAM, this SSH hack is a great solution. Two caveats apply to it, though: the forced command only covers logins with that key, so if sshd still accepts passwords a password login bypasses Duo entirely (disable PasswordAuthentication or put Duo in PAM as well); and a bare command= does not stop a client from requesting port forwards, so add no-port-forwarding and its siblings to the same authorized_keys line.
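To make the setup above concrete, here is an added example (my own, not code from this post or from Duo's duo_unix package) that writes the two files the procedure produces: the three-line login_duo.conf, created so that only its owner can read the secret key, and the forced-command authorized_keys entry. The script writes under a temporary root instead of /etc and the home directory so it runs unprivileged (the DUO_DEMO_ROOT and LOGIN_DUO variable names are mine, and the ikey/skey/host values are placeholders, not real credentials). Two things in it go beyond what the post shows: the authorized_keys line carries no-port-forwarding, no-agent-forwarding and no-X11-forwarding, because a forced command on its own does not block port forwards; and the config includes the failmode option that a Duo engineer mentions in the comments, set to "secure" so that an unreachable Duo API refuses logins rather than waving them through.

```shell
#!/bin/sh
# Added example, not from the original post or from duo_unix itself.
# Produces the login_duo.conf and the per-user authorized_keys entry
# described in the post. DUO_DEMO_ROOT stands in for "/" so the script can
# run without root; LOGIN_DUO is the client binary the post installs.
DUO_DEMO_ROOT="${DUO_DEMO_ROOT:-$(mktemp -d)}"
LOGIN_DUO="${LOGIN_DUO:-/usr/local/sbin/login_duo}"

# Write <root>/etc/duo/login_duo.conf with the three values the Duo
# "Integration" page hands you (ikey, skey, host) plus failmode.
# "secure" rejects logins when the Duo API cannot be reached; "safe" lets
# them through, trading security for not locking yourself out.
# umask 077 while writing means the skey is never world-readable, even briefly.
write_login_duo_conf() {
    ikey=$1; skey=$2; host=$3; failmode=${4:-secure}
    conf="$DUO_DEMO_ROOT/etc/duo/login_duo.conf"
    mkdir -p "$(dirname "$conf")"
    old_umask=$(umask)
    umask 077
    printf '%s\n' "[duo]" "ikey = $ikey" "skey = $skey" "host = $host" \
        "failmode = $failmode" > "$conf"
    umask "$old_umask"
    printf '%s\n' "$conf"
}

# Check that a file is readable by its owner only (0600 or stricter).
# Uses ls rather than stat, whose flags differ between GNU and BSD:
# columns 5-10 of the mode string are the group and other bits.
conf_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Build the authorized_keys entry. sshd runs login_duo as the forced command
# after accepting the key, and login_duo starts the shell (or the original
# command) only once the push/call/SMS factor succeeds. The extra options
# matter: with a bare command= a client can still open tunnels with
# "ssh -N -L ..." while login_duo is waiting for the push to be approved.
duo_authorized_keys_line() {
    pubkey=$1   # e.g. "ssh-rsa AAAA... benr@laptop"
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$LOGIN_DUO" "$pubkey"
}

# Append the entry for one public key to a user's authorized_keys file.
install_duo_key() {
    pubkey=$1
    akeys="${2:-$DUO_DEMO_ROOT/home/benr/.ssh/authorized_keys}"
    mkdir -p "$(dirname "$akeys")"
    duo_authorized_keys_line "$pubkey" >> "$akeys"
    chmod 600 "$akeys"
    printf '%s\n' "$akeys"
}

# Demo run with placeholder values (constructed; not real Duo credentials).
c=$(write_login_duo_conf DIXXXXXXXXXXXXXXXXXX sXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX api-XXXXXXXX.duosecurity.com)
if conf_is_private "$c"; then echo "wrote $c (owner-only)"; else echo "WARNING: $c is readable by others"; fi
k=$(install_duo_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ benr@laptop")
echo "wrote $k:"; cat "$k"
```

With DUO_DEMO_ROOT set to an empty string and the script run as the user, the config lands in the real /etc/duo/login_duo.conf (which needs to be owned by the privilege-separation user login_duo runs as, not by you) and the key line is appended to your own ~/.ssh/authorized_keys. If you go the PAM route instead, the module belongs in the sshd stack, not in the console login stack, for the reason discussed in the comments.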
But what's really important is the experience of actually using it for auth. Here is how it works for real, using an SSH session. When logging into your system, after accepting your password or key as usual, it stops the auth process and asks how to contact you:
Ben-Rockwoods-MacBook-Pro:~ benr$ ssh cuddletech.com
Password:
Duo login for benr

 1. Duo Push to XXX-XXX-1100
 2. Phone call to XXX-XXX-1100
 3. SMS passcodes to XXX-XXX-1100

Passcode or option (1-3): 1
Pushed a login request to your phone...
At this point the SSH session is blocked, waiting for you. Notice you have three choices: Duo Push (smartphone app), phone call or SMS. Duo Push is a free app for Android and iPhone that accepts push notifications; installing it is an optional part of the setup and only takes 2-3 minutes. If you choose to use Duo Push, as I did, you'll see something like this on your phone:
[screenshot: the Duo Push login request on the phone, with Deny and Allow buttons]
After accepting, your SSH session comes back to life:
Success. Logging you in...
Last login: Wed Jun 8 22:57:20 2011 from xxxxxx
(ASCII-art login banner)
[cuddletech:~] benr$
It’s that easy!
Duo just got everything spot on: it's easy, the documentation is clear and concise, it's just beautiful. The best part of it all is that it's free for up to 10 users, which means that if you just have a single web server you wish to secure, you can! Thanks to the SSH hack above you could even do it on a shared hosting account. There is even a plugin for WordPress to use Duo for WP login.
To get started with it yourself, I recommend this post on the Duo blog: Announcing Duo’s two-factor authentication for Unix. It walks you quickly through the whole process I described above.
In all fairness, I've only been using this for less than a day, so I'm sure there are kinks I'll run into and things to be improved, but it truly is amazing that I've got what feels like a solid solution working so quickly. Auditing and logging get a lot more interesting when you don't have to second-guess whether the user is in fact the user you think they are; this product opens up a lot of new possibilities and fills a much-needed gap in the world of cloud security.
NOTE FOR OPENSOLARIS/ILLUMOS PAM USERS:
After you download and unpack duo_unix-1.6.tar.gz, run "./configure --enable-pam". Before you run "make", edit config.h and comment out the line "#define HAVE_ASPRINTF 1". After that PAM will compile fine. If you don't, you'll get "pam_extra.h:10: error: syntax error before "va_list"". Also, make sure that you have an 'sshd' user for Duo to use: login_duo is installed setuid to that privilege-separation user so the configuration file holding your secret key can be readable by it alone rather than by every local user.
All smartphone systems have a problem:
You forget that the smartphone is a computer, but you are not the guy who has control of this computer.
You have to trust many vendors (OS, all installed apps).
On hardware tokens you have to trust one vendor.
How do you feel this compares to Google Authenticator?
For those people who still want a separate physical token, you may want to check out Yubikey:
http://www.google.com/search?q=yubikey
http://www.google.com/search?q=yubikey+review
The basic idea is to plug in the USB key and press its button. The key registers itself as a USB keyboard, so no special software is required, and the one time passwords are generated in about a second. The key and the authentication server share an AES key and the one time passwords are validated by keeping track of how many times the key has been used.
By default the tokens come pre-programmed, and so you can use Yubico’s ‘cloud’ infrastructure to do authentication.
The good thing is that you can program the keys locally, and so you don’t have to worry about the AES key being compromised in a third party location. The authentication software is also open source, so you don’t have to worry about license keys.
[Not affiliated with them in any way.]
I think Duo beats out both YubiKey and Google Authenticator and any other OTP scheme…. the reason is simple: they are automated. Duo is the only system I'm aware of that actually asks YOU (the human) to authorize the authentication. And what we're really after is knowing that the person logged in as "benr" is in fact really "benr".
With Yubi or SecurID or Google Auth it is entirely possible that someone could hack the system and connect without my ever knowing it. In the Duo system, if someone got my password and tried to auth I'd get a notice. That makes front-door attacks really problematic, and if you are going to attack Duo it's going to be on the wire so that it never gets to the user.
I think it's really a question of what you really want from security… do you want to validate identities or just make really hard passwords?
Wow, thank you for the kind review, Ben!
@Falk – we also offer cheap hardware tokens for folks who must have them. You can order them via the Billing page in our admin UI. Old habits die hard!
@Steve – Google Authenticator is much like OPIE, S/Key, and previous systems – largely roll-your-own in terms of deployment, user enrollment, and management, and subject to the same issues as other in-band factors (e.g. vulnerable to man-in-the-middle attacks – or else only one login allowed every 30s). It also won't protect SSH pubkey auth, and is Unix-only (perhaps not an issue for Cuddletech readers though).
@David – Yubikey is limited much in the same way as Google Authenticator (see above), although we’ll be providing support for them in our service soon as well (using the standard HOTP, and not their AES algorithm).
I acknowledge it’s a different philosophy, but in most cases I’d rather choose to trust my own infrastructure rather than a third party notifying me. You now have to trust not only your own system/s, but someone else’s as well. If there can be some in-house software (appliance?) I’d personally feel more comfortable: also, I currently work for a company that has personal health data, and there’s no way an external validator would fly (though with my previous gig at a software company, it would be less of an issue).
Just my two cents.
P. S. I noticed that a bunch of your screen shots have red “Deny” and green “Allow” icons: you may want to change the green to blue. AFAIK, the most common form of colour blindness is red/green (especially among males), and so the distinguishing colours are not very distinguishing to a bunch of people. The only way a friend of mine knows whether the traffic light is green or red is whether the light at the top or bottom is lit up.
http://www.wrongdiagnosis.com/c/color_blindness/prevalence.htm
http://www.hhmi.org/senses/b130.html
Duo strictly manages the mapping of an opaque local identifier (your users) to remote devices (their phones), without the need for any personally-identifiable information. By design, we enforce a least-privilege strategy to scope trust in our service.
Our healthcare, PCI, and financial services customers all have strict regulatory concerns that we address in this privilege-separated way (e.g. our first healthcare customer was actually the second-largest physician-owned healthcare group in the US). Even our inline web authentication is performed in a completely separate security domain, which has allowed our web-based EMR customers to secure access to PHI without issue.
For larger enterprise customers, we can indeed do local virtual appliances or private cloud hosting, although our out-of-band factors (phone call, SMS, push) always require external service.
We also take usability as seriously as we do security. Our UX designer is actually red/green colorblind himself, and notes the affordances offered by the button labels, positioning, and intensity in our mobile apps.
Thank you for your detailed feedback, we truly appreciate it!
What happens when your Internet link is down and you need to login to your internal servers?
If you use the SSH authorized_keys method, then access from a KVM/console won't be affected. If you use the PAM method you should ensure it's in the "sshd" or "other" PAM stack so that it will not affect KVM/console login.
I had the same concern when testing. In particular, the idea of being dependent on internet access… but frankly, these days the servers I'm managing are serving the internet, and if that link is down I'm hosed anyway. If I was still managing big backend database machines, where losing internet access wasn't production impacting, I'd opt for a solution that was locally served.
Duo’s most effective utilization is for distributed cloud based deployments where any fears of depending on “the cloud” aren’t limited only to my auth.
The duo_unix configuration also supports a “failmode” configuration to specify either fail-safe or fail-secure operation in the event of network outage.
Nightmare…
I was in a foreign country, walked out of the train station and got a text message: "welcome in …". Before I could read it, a scooter zipped by, grabbing my smartphone. Dang! Then it slowly dawned on me.
I had no money (it was in the phone), I had no passport, I had no return ticket, no dictionary, no map, no phone numbers, no addresses, no translator, no …
How smart is it to load all those essential and high-value things on a single device? How many reasons must a thief have to steal your phone?