[eduVPN-deploy] Anyone using two-factor (2FA) support in Let's Connect! / eduVPN?

François Kooman fkooman at tuxed.net
Thu Jun 20 13:52:30 CEST 2019


Hi,

During the general cleanup of the code, I was wondering whether or not
anyone is using the included 2FA (TOTP) support. I am considering
removing it.

Why remove it?

- It is not in the interest of the _user_ to enable 2FA for access to
VPNs, but of the organization deploying the VPN service, and thus should
be moved to the IdM, e.g. SAML, LDAP or RADIUS authentication.

- TOTP does not protect against phishing, only WebAuthn has any
chance of protecting against that. Providing TOTP support MAY result in
admins placing unwarranted trust in the TOTP implementation in the VPN
service without understanding its limitations.

One could of course reason that having TOTP is better than having nothing.

I'm curious what you all think! Whether anyone is using the TOTP
implementation in the VPN service, and what their ideas are about the
security of it...

Cheers,
François
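
Added example, not part of the original message and not eduVPN code: a sketch of why the phishing point above holds, comparing what a server can check for TOTP (RFC 6238) with the origin check that WebAuthn adds. The secret is the RFC 6238 test secret; the origins, the challenge and the function names are constructed for illustration, and WebAuthn signature verification is left out.

```python
import hashlib
import hmac
import json
import struct

SECRET = b"12345678901234567890"          # RFC 6238 test secret (constructed input)
RP_ORIGIN = "https://vpn.example.org"     # assumed portal origin (constructed)
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"      # constructed challenge value


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a function of the secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps.
    No argument describes the site where the user typed the code, so the
    server cannot tell a code entered on its own page from one entered elsewhere."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30), code)
        for drift in range(-window, window + 1)
    )


def client_data(origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": CHALLENGE, "origin": origin}
    ).encode()


def verify_webauthn_origin(client_data_json: bytes) -> bool:
    """One step of WebAuthn assertion verification: the origin is written by the
    browser, not the user, and is covered by the authenticator's signature
    (signature check omitted here)."""
    data = json.loads(client_data_json)
    return (
        data.get("type") == "webauthn.get"
        and data.get("challenge") == CHALLENGE
        and data.get("origin") == RP_ORIGIN
    )
```
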


