Comments on Secure your SSH deployment with WiKID two-factor authentication
Secure your SSH deployment with WiKID two-factor authentication In this document we are going to demonstrate how to combine two-factor authentication from WiKID with an SSH gateway server with hosted private keys to create a highly secure, auditable and easy to use remote access solution. The WiKID Strong Authentication System is a commercial/open source two-factor authentication solution.
Comments
This system checks for two of "something you know": your password to the WiKID server (getting you an OTP) and your password to the SSH server.
For this to be true two-factor authentication, the server also needs to check for either "something you have" or "something you are".
If you use SSH keys, then this is true two-factor authentication.
> If you use SSH keys, then this is true two-factor authentication.
I'd call that something you know and something you know - not two factor authentication.
How is an SSH key something you know? I don't make it a habit to remember SSH keys. They are a file, which makes them something you have.
You missed part of the WiKID authentication process, perhaps because it was not really demonstrated here. The user enters a PIN (something they know) in the WiKID software token (something they have; well, technically, possession of the private key embedded in the token). The PIN is encrypted and sent to the WiKID server behind the corporate firewall. If the PIN is correct, the account active and the encryption valid, an OTP is generated, encrypted and returned to the user to use as the password.
You can think of WiKID as being like PGP, but used to transmit authenticating information. It is 'stronger' than certs or keys, because the PIN is validated on the server rather than locally, and integration is simple because every UI supports a username/password combo.
The addition of the OTP makes SSH more suitable in organizations facing compliance (PCI, etc).
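The PIN-to-OTP exchange described in the comment above, as an added model that is not WiKID's code and not part of the original thread. It makes several simplifying assumptions that the page does not state: each software token shares a per-token secret key with the server (standing in for the embedded private key the comment mentions), the "encryption" is a small encrypt-then-MAC built from HMAC-SHA256, and the issued OTP is single-use with an assumed 60-second lifetime. The names `SoftwareToken`, `WikidServerModel` and `demo` are hypothetical. The point it shows is the one the commenter makes: the PIN is validated on the server, not on the client, and an attacker needs both the token key (something you have) and the PIN (something you know) to obtain an OTP.

```python
"""Constructed model of a WiKID-style PIN -> OTP exchange (hypothetical code,
not WiKID's).  Assumed: per-token shared key instead of an asymmetric pair,
HMAC-based sealing, OTPs are single-use and expire after OTP_LIFETIME seconds."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

OTP_LIFETIME = 60  # seconds an issued OTP stays valid (assumed, not from the page)


def _derive(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Per-message subkey derived from the token key (HMAC used as a KDF)."""
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


def _seal(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys derived from the token key (plaintext <= 32 bytes)."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _derive(key, b"enc", nonce)))
    tag = hmac.new(_derive(key, b"mac", nonce), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _open(key: bytes, box: dict) -> Optional[bytes]:
    """Verify the MAC first; a wrong key or a tampered message yields None."""
    nonce, ct = box["nonce"], box["ct"]
    expected = hmac.new(_derive(key, b"mac", nonce), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    return bytes(c ^ s for c, s in zip(ct, _derive(key, b"enc", nonce)))


class SoftwareToken:
    """'Something you have': the token and the key embedded in it."""

    def __init__(self, token_id: str, key: bytes):
        self.token_id, self.key = token_id, key

    def request(self, pin: str) -> dict:
        # The PIN only ever leaves the token sealed under the token key, so a
        # copied PIN without the key produces nothing the server will accept.
        box = _seal(self.key, secrets.token_bytes(16), pin.encode())
        box["token_id"] = self.token_id
        return box

    def read_otp(self, reply: Optional[dict]) -> Optional[str]:
        otp = _open(self.key, reply) if reply else None
        return otp.decode() if otp else None


class WikidServerModel:
    """Server-side PIN validation and OTP issuance (the box behind the firewall)."""

    def __init__(self):
        self.tokens, self.otps, self.seen_nonces = {}, {}, set()

    def register(self, token_id: str, key: bytes, username: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.tokens[token_id] = {"key": key, "username": username, "salt": salt, "active": True,
                                 "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)}

    def request_otp(self, msg: dict, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        rec = self.tokens.get(msg["token_id"])
        if rec is None or not rec["active"] or msg["nonce"] in self.seen_nonces:
            return None  # unknown/disabled token, or a replayed request
        self.seen_nonces.add(msg["nonce"])
        pin = _open(rec["key"], msg)  # factor 1: possession of the token key
        if pin is None:
            return None
        cand = hashlib.pbkdf2_hmac("sha256", pin, rec["salt"], 100_000)
        if not hmac.compare_digest(cand, rec["pin_hash"]):  # factor 2: knowledge of the PIN
            return None
        otp = f"{secrets.randbelow(10**8):08d}"
        self.otps[rec["username"]] = {"otp": otp, "expires": now + OTP_LIFETIME, "used": False}
        return _seal(rec["key"], secrets.token_bytes(16), otp.encode())

    def check_password(self, username: str, password: str, now: Optional[float] = None) -> bool:
        """What the SSH gateway asks the server: is this OTP valid for this user right now?"""
        now = time.time() if now is None else now
        entry = self.otps.get(username)
        if entry is None or entry["used"] or now > entry["expires"]:
            return False
        if not hmac.compare_digest(entry["otp"], password):
            return False
        entry["used"] = True  # single use: a captured OTP cannot be replayed
        return True


def demo() -> dict:
    """Run the exchange and the main failure modes; returns the outcomes (constructed data)."""
    server, key, t0 = WikidServerModel(), secrets.token_bytes(32), 1_700_000_000.0
    server.register("tok-1", key, "alice", "4821")
    token = SoftwareToken("tok-1", key)
    otp = token.read_otp(server.request_otp(token.request("4821"), now=t0))
    r = {"otp_issued": otp is not None}
    r["wrong_pin"] = server.request_otp(token.request("0000"), now=t0) is None
    stolen_pin_no_key = SoftwareToken("tok-1", secrets.token_bytes(32)).request("4821")
    r["pin_without_key"] = server.request_otp(stolen_pin_no_key, now=t0) is None
    r["login"] = server.check_password("alice", otp, now=t0 + 5)
    r["replay"] = server.check_password("alice", otp, now=t0 + 6)
    otp2 = token.read_otp(server.request_otp(token.request("4821"), now=t0 + 10))
    r["expired"] = server.check_password("alice", otp2, now=t0 + 10 + OTP_LIFETIME + 1)
    return r
```

In this model the SSH gateway never sees the PIN or the token key; it only relays the username and the OTP to `check_password`, which is why the commenter's point about server-side validation holds: the client cannot mint an OTP by itself, and a leaked OTP is worthless after one use or after it expires.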