[lsh123]

Just my $0.02:

OpenVPN has a built-in 2-factor authentication based on the X509 certificates: you need to have a valid certificate together with a valid password to connect to the VPN service. SMS/phone based authentication does not add another factor since it is also a "what you have" type of authentication (i.e. your laptop can be stolen in exactly the same time as your phone is stolen). Of course, X509 certificates work the best in the enterprise environment but that's the OpenVPN target market anyway.

[growse]

Given that it's possible to memorize a certificate, it definitively cannot be a 'something you have' factor. Something you have is more than just data. A client cert is nothing more than a fancy long password.

[teraflop]

The base64-encoded SSL certificate for *.ycombinator.com is 1,755 characters. Maybe there are a few savants in the world who are capable of memorizing that, but for the overwhelming majority of human beings, it's never going to happen.

[growse]

Point is, it's information. It's very easily copied. The whole point of 'something you have' is that it's not just data, but something more than that.

[zts]

By that argument, no physical tokens (secureid, yubikey, etc) add another factor - they also _could_ be stolen at the same time as your laptop is stolen.

[lsh123]

You are absolutely correct :) If you already have a certificate on your laptop, or SMS based authentication, then adding securid token will not change the security profile of the system. Yes, you might get extra security protection if you employ additional measures (e.g. store secureid token in the office safe at all times) but the attack vectors will still be the same.

There are different authentication factors: what you know (e.g. password), what you have (e.g. token), and who you are (e.g. iris scans). In general, adding multiple types of the same factor does not actually increase the security (e.g. having password + pin is no really better than just having a password). The actual multi-factor authentication should include different factors to protect against different attack vectors.

[bigiain]

There is, though, a difference between stealing my laptop, my phone, and my keyring. Sure, a targeted attack by a nation state aiming to get access to my multi-factor-auth services could grab all three at once, but the chance of an opportunistic theft acquiring any two or all three of those devices is _very_ much smaller than just the laptop.