by bubblethink
2475 days ago
Your response is too long, so I'll address only a few points:

> Perhaps if you tried working for a big company or a university and began to understand the scale of the things they deal with in regards to identity and access management

I manage my lab's freeipa setup. It lets you manage TOTP tokens. I think it also allows yubikeys, but I haven't checked. It may not be as full-fledged as other offerings, but you can manage. The university pays several vendors for different sets of services (MS for AD, RedHat for servers, Duo for 2FA etc.) Right now, Duo may be preferred, but there is nothing stopping you from paying RH for a freeipa+totp solution. Vote with your wallet and all that.

> This is not quite true.

It is. The threat model is different. It's about replaying the 2FA token. That's the whole argument against TOTP/HOTP.

> it would be the absence of a working push

The phishing site can generate a working push. It just logs in to the real site at the same time with your first factor, which generates the push.
Rude. Go ahead and run your small computer lab and pretend you're dealing with issues on the scale that companies with thousands or tens of thousands of employees do. They're absolutely choosing the cheaper option when going with a managed provider vs. your hacked-together TOTP solution.