Posted by: Eric Hansen
authentication, Duo Security, PAM, Server, SMS, VPN, Web
I’ve written about two-factor authentication methods before (namely using the Google Authenticator to log in to SSH). While that method was fine, there’s also a new product that’s come out over the past year or so, and it is also local to where I live. It’s called Duo Security, and they have an authenticator system that takes it one step further than your everyday method of secure authorization.
The first thing to point out is that their system doesn’t just work with servers and SSH. They’ve developed a means to use it for your website, and even VPN hardware (I’m not sure about software). This is pretty useful when it comes to being overly paranoid (or even suspicious) about unauthorized entries onto machines, but I should remind everyone that this authentication method should not be the ONLY implementation. The usual rules of disabling login for unneeded accounts (mysql, for example), proper passwords, etc. should all still be followed; Duo Security only adds an extra step to the assurance policy.
Configuration is done from a control panel Duo Security gives you when you sign up for their service. This is also how you actually set up the service and optionally add more users that are allowed to use it, which means that if you add more than one user, the machine(s) you implement this on have to be connected to the Internet. While installing the modules themselves requires some manual work (a simple compile and make install for the most part) and requires OpenSSH as well as the cURL headers and libraries to be installed, it took me about a minute or so to compile and install each module (PAM and the regular binary). After installing these, configuration is a one-time effort, even if you later decide to install the other module (configuration is based on an ini file).
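Since the post leaves the details to Duo’s documentation, here is an added example (not from the original post and not Duo’s own code) showing what that ini file and the PAM stack look like, along with the one check I would want on a box that depends on an Internet-reachable service for its second factor: that the module is configured to fail closed. The key names (`ikey`, `skey`, `host`, `failmode`, `pushinfo`) are assumed to match Duo’s documented `pam_duo.conf` format, the key values are placeholders, and the PAM/sshd lines are a minimal illustrative stack, so verify both against Duo’s docs for your distribution before using them.

```shell
#!/bin/sh
# Added example, not Duo's code or the post's. Everything below is a
# constructed sample: key values are placeholders and the file names are
# assumptions about where the real files would live.

# Write a constructed pam_duo.conf to the path given in $1.
write_example_conf() {
cat > "$1" <<'EOF'
[duo]
; integration key, secret key and API host all come from the Duo control panel
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REPLACE_WITH_SECRET_KEY_FROM_CONTROL_PANEL
host = api-XXXXXXXX.duosecurity.com
; secure = deny login if Duo cannot be reached (fail closed)
; safe   = allow login if Duo cannot be reached (fail open)
failmode = secure
; show what is being requested (e.g. the service name) in the push prompt
pushinfo = yes
EOF
}

# Write a constructed /etc/pam.d/sshd-style auth stack to the path in $1.
# Ordering matters: the password check runs first, then Duo, so the
# second factor is an extra step on top of the password, not a replacement.
write_example_pam_stack() {
cat > "$1" <<'EOF'
# password first
auth  required  pam_unix.so
# then the Duo second factor
auth  required  pam_duo.so
# sshd_config also needs "UsePAM yes" and "ChallengeResponseAuthentication yes"
# for the PAM conversation to reach the user
EOF
}

# Return 0 (true) only if the config fails closed, i.e. the last
# "failmode = ..." line in $1 is "secure". Anything else, including a
# missing failmode line, is treated as not fail-closed.
duo_fails_closed() {
  mode=$(sed -n 's/^[[:space:]]*failmode[[:space:]]*=[[:space:]]*//p' "$1" \
         | tail -n 1 | tr -d ' \t\r')
  [ "$mode" = "secure" ]
}

# Stand-alone usage: write the samples to a temp dir and run the check.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  write_example_conf "$dir/pam_duo.conf"
  write_example_pam_stack "$dir/sshd"
  if duo_fails_closed "$dir/pam_duo.conf"; then
    echo "pam_duo.conf fails closed (failmode = secure)"
  else
    echo "WARNING: pam_duo.conf does not fail closed" >&2
  fi
  rm -rf "$dir"
fi
```

The check exists because the post’s own point applies here: the second factor depends on the machine reaching Duo over the Internet, and a config that fails open quietly turns into password-only login whenever that connection is down.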
I’m not going to go through the nitty-gritty details of getting this to work and its options, as their website does have some pretty good documentation. However, I will say that I personally enjoy the option to also use this service for your website. While I think it’s for the most part pretty overboard with how the service is currently set up, it’s on a pretty good track to be a viable solution, especially compared to services such as OpenID and Mozilla’s copy-cat OpenID.
While this review has had a lot of good points, I should address a bad-ish experience I had with this solution. During the install process, when you’re setting up the initial user, they do call you from an 800 number, twice. This isn’t necessary if you have a smartphone (and optionally can receive texts), but if you’re like me and only use a smartphone to play games (yes, I see no reason for a smartphone when I have a laptop and PC by my side at all times), then it can be a little annoying. Also, on a personal level, I’m not too fond of the Android app, but that’s a different thing altogether (too many QR codes mostly).
Lastly, the wonderful conversation of price. Now, unlike the Google Authenticator, this service isn’t exactly free, depending on how many users you want to be able to use it. They do offer a free plan for up to 10 users with the bare minimum of features, and it goes up to corporate, where they offer you the whole shebang and even a free latte (I wish) as well. Now, while their website does say that their free service doesn’t have any support, I should address that they do offer support, but don’t expect snap-of-the-fingers responses if they’re swamped. Their online chat system is pretty useful though, and their support is quite helpful in assisting you with issues.
Pretty much, if you’re looking for a totally free authentication mechanism, this may not be the choice for you, depending on your needs and situation. But if you’re looking for a relatively revolutionary new way to handle user authentication, it is definitely at least something to look further into.