Old 23 Dec 2016, 06:51 PM   #25
BritTim
Quote (originally posted by jhollington):
While I agree that a limit to administrative functions makes some sense in this case, I'm not sure that a separate OTP system provides any more benefit than the new 2FA model already does.

...

Other than isolating admin functions and providing a session timeout, I'm still a bit unclear on how you see the OTPs differing from the new 2FA system that's already in place. Granted, in the above scenario the user doesn't need to supply their "real" password, but as long as restricting administrative functions is addressed in a better way, the "real" password is largely irrelevant without the second factor (which of course is the point of 2FA).
Thank you for your (as usual) useful contribution to the discussion.

First, I am assuming that regular access, where possible, should be using U2F. I argue for OTP in the common case where those using computers on an ad hoc basis are unable to establish a session using U2F. The choices for such users are:
  • Use a weaker form of 2FA as their standard form of authentication.
  • Be prevented from using computers on an ad hoc basis when U2F is unavailable.
  • Have an alternative form of authentication when U2F cannot be used. My argument is that any such access should be time-limited and provide as few rights as possible for what I assume to be occasional access when a secure computer is unavailable.
Once U2F (or a common method which is equally secure) becomes ubiquitous, I accept that there is no need for time- and function-limited, alternative, less secure authentication methods. My own sense is that this is not going to be true any time soon. As a practical matter, it cannot even be assumed that you will be allowed access to the USB port on computers that are not your own (for some good security reasons).

I am open to the argument that limiting functionality is less important than time-limiting less secure sessions. However, I think both have merit.
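As an added example (not code from the original post, nor from anyone in the thread), the following Python sketches the arrangement argued for above: a session's lifetime and rights are bound to the strength of the second factor that established it, so an OTP login on an ad hoc machine gets a short, non-administrative session while a U2F login gets a normal one. The policy numbers (8 hours vs. 30 minutes), the scope names, the `SESSION_POLICY` table and the choice of RFC 6238 TOTP as the OTP are all assumptions made for the example, and the secret is a constructed value.

```python
"""Added example: time- and privilege-limited sessions for a weaker second factor.

Illustrates the post's argument; policy values, scope names and the use of
TOTP as the OTP are assumptions, not anything stated in the thread.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy: the weaker factor buys a short absolute lifetime and no
# administrative scope; U2F buys an ordinary working-day session.
SESSION_POLICY = {
    "u2f": {"ttl_seconds": 8 * 3600, "scopes": frozenset({"read", "write", "admin"})},
    "totp": {"ttl_seconds": 30 * 60, "scopes": frozenset({"read", "write"})},
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the common authenticator-app variant)."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


@dataclass(frozen=True)
class Session:
    user: str
    method: str       # which second factor established the session
    issued_at: int
    expires_at: int   # absolute expiry, not an idle timeout
    scopes: frozenset


def issue_session(user: str, method: str, now: int) -> Session:
    """Bind lifetime and rights to the strength of the factor actually used."""
    policy = SESSION_POLICY[method]
    return Session(user, method, now, now + policy["ttl_seconds"], policy["scopes"])


def authorize(session: Session, required_scope: str, now: int) -> Tuple[bool, str]:
    """Every request re-checks expiry first, then scope; the reason is returned for logging."""
    if now >= session.expires_at:
        return False, "session expired"
    if required_scope not in session.scopes:
        return False, f"{session.method} session lacks scope '{required_scope}'"
    return True, "ok"


def login_with_totp(user: str, secret: bytes, code: str, now: int) -> Optional[Session]:
    """The ad hoc path: the OTP proves possession but only buys a limited session."""
    if not verify_totp(secret, code, now):
        return None
    return issue_session(user, "totp", now)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value, not a real key
    t0 = 1_700_000_000
    s = login_with_totp("alice", secret, totp(secret, t0), t0)
    print(authorize(s, "write", t0 + 60))        # ordinary work is allowed
    print(authorize(s, "admin", t0 + 60))        # admin functions refused on an OTP session
    print(authorize(s, "write", t0 + 31 * 60))   # refused once the short lifetime runs out
    u = issue_session("alice", "u2f", t0)
    print(authorize(u, "admin", t0 + 60))        # the U2F session carries full rights
```

Expiry is absolute rather than idle-based so that a session left open on a borrowed machine dies on its own; re-authenticating with U2F later would simply issue a fresh, fuller session rather than upgrading this one, which keeps the "how was this session established" question answerable from the session record itself.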