Duo Alternatives?

O'Dowd, Josh Josh.O'Dowd at mso.umt.edu
Wed Nov 15 14:17:48 EST 2017


Correction.  LinOTP, as of v2.9.1, looks to have addressed the need to support push for iOS and Android solutions.  My apologies.

-Josh

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of O'Dowd, Josh
Sent: Wednesday, November 15, 2017 12:11 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Duo Alternatives?

Thanks everyone for the feedback…

Concerning LinOTP, I was struggling to find any push notification support.  Last year NIST published a “jump ship” on SMS due to intercept/redirect risks.  We have an IT security officer who is not comfortable with SMS solutions.  That being said, we definitely need a mobile app 2nd factor (for sheer popularity, esp. with students) which offers a push notification option, and a back channel for our campus IdP-MFA to authenticate the additional factor.  That is why Duo is a nice solution for us.

I am simply searching for an apples to apples comparable solution to consider, in case we can make a better choice.

Thanks again.
-Josh


From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Greg Haverkamp
Sent: Wednesday, November 15, 2017 11:28 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Duo Alternatives?



On Wed, Nov 15, 2017 at 10:16 AM, Michael O Holstein <michael.holstein at csuohio.edu> wrote:
2nd on LinOTP.
Caveat : AFIK there's no official (as in from-the-authors) commercial support to make your execs happy.

For LinOTP?  There's absolutely paid support from the authors.  And if one's willing to pay -- as we are -- you can use their "Smart Virtual Appliance" and get most all of the setup and HA as part of the package.  And for Windows, they license a Credential Provider that integrates with the server, which is what we use for our AD logins.

Greg



But LinOTP supports all sorts of stuff .. you can do generic HOTP (eg: Google/Microsoft Authenticator with self-enroll or any other one) .. TOTP tokens (RSA like, a company called Feitian(*) makes them for ~$6/ea in 10 lot, way cheaper in higher qty, and offers a programmer so you can load your own keys) .. plus all sorts of SMS integration (use Twilio).

It's a tricky bastard to configure and you've got to work out load balancing on your own (and really question why you'd do this on-prem anyway .. just deploy with docker and let $IaaS_Provider do GSLB .. and then a pair of Sambas+OpenLDAP (if you need it) as BDCs in a separate VPC to handle the passwords).

As for backing the thing up, certainly do hot/hot on the MySQL or something similar .. and then call via the API a command to dump the table through a key supplied through the API-to-shell command, and stick the result on another volume which you then detach (because that is all sorts of sensitive).

If you have a VPN I suppose it makes sense to have a local one, you can frontend RADIUS as a protocol. FWIW you can also shim RADIUS into MSGINA if you want to do actual PCs with MFA also.

As a bonus, this will also backup your domain authentication bits and LDAP structure in a 2nd way that doesn't involve nearly as long of a restore-to-usable as the Microsoft way. Just bring up your replica locally and repoint DNS.

My $0.0000015 BTC anyway.

Michael Holstein CISSP
Mgr. Network & Data Security
Cleveland State University

(*) : http://www.ftsafe.com/product/onlineShop


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Rob Gorrell <rwgorrel at uncg.edu>
Sent: Wednesday, November 15, 2017 12:13:56 PM
To: Shib Users
Subject: Re: Duo Alternatives?

SafeNet Authentication Service touted a Shibboleth Agent back when we were looking... IIRC, it was less than impressive looking.

-Rob

On Wed, Nov 15, 2017 at 12:04 PM, Greg Haverkamp <gahaverkamp at lbl.gov> wrote:
On Wed, Nov 15, 2017 at 8:48 AM, Manuel Haim <haim at hrz.uni-marburg.de> wrote:
Hi Josh,

there seems to be a Shibboleth plugin for use with LinOTP:
https://github.com/cyber-simon/idp-auth-linotp

We're using LinOTP with Shibboleth with a heavily modified (essentially unrecognizable) fork of this module.  We've been doing so for around 6 months now.

If distractions would quit getting in the way, I'd have finished at least adding U2F support and "KeyIdentity" Push Token support to the Shibboleth module.  (I'm still hoping to have a first pass of that done this week, at least for U2F; the push tokens are a bit trickier.)

I haven't checked InCommon Duo pricing lately; we didn't qualify, and the market price for Duo was considerably higher.  That, and we needed MFA for Active Directory desktops, and Duo's solution was ill-suited to our requirements.  However, in general, Duo's solution is quite a bit slicker than LinOTP's.  In particular, the LinOTP enrollment apps are sufficiently poor that we decided from the start that we had to do our own.  And, of course, the push tokens for LinOTP aren't part of the open source distro.  (Technically, the token code itself is there.  What's not there are the push notification servers.)

I can't currently distribute my module, but I don't foresee it being an issue.  I just haven't bothered doing it until I get the last two pieces in.

However, we currently plan to implement Shibboleth multi-factor
authentication along with the LinOTP-fork "privacyIDEA" and Yubikey tokens.

Up to now, we already have a privacyIDEA-LDAP-Proxy running for some
secured applications. Instead of the password alone, the user has to
enter password + Yubikey token into the password field. The LDAP-Proxy
then forwards the password check to our regular LDAP servers, while the
token check is forwarded to the privacyIDEA server.

We have something similar for the LinOTP server.  (Not theirs, which is based on an OpenLDAP Perl backend and seemed to have concurrency issues in our testing.  We'd had one for our prior solution that we ported over.)

Greg


Kind regards,
Manuel

Philipps University Marburg, Germany



On 15.11.2017 at 17:09, O'Dowd, Josh wrote:
> I am doing due diligence for a likely Duo purchase, which I have demo’d
> on campus using the outstanding Shibboleth native support.  I am curious
> if there are any known legitimate alternatives to Duo as a 2nd factor
> solution WITHOUT sacrificing Shibboleth IdP front-channel password
> authentication as the 1st factor.
>
> We are not considering a custom built solution at this time.
>
> I truly appreciate any feedback from the Shibboleth community.
>
> Thank You!
>
> Josh O’Dowd
> Software Systems Engineer / Identity Access Management
> University of Montana
>
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net





--
Robert W. Gorrell
IT Manager, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA

